CVE-2026-44548 Overview
CVE-2026-44548 is a Cross-Site Request Forgery (CSRF) vulnerability in ChurchCRM, an open-source church management system. Versions prior to 7.3.2 fail to validate the origin of top-level cross-site GET requests to record deletion endpoints. An attacker hosting a malicious page can cause an authenticated ChurchCRM user to silently delete records when the user visits the page. Affected endpoints include FundRaiserDelete.php, PropertyTypeDelete.php, and NoteDelete.php. Deletions cascade to property and record-to-property assignments, amplifying data loss. The flaw is tracked under CWE-352: Cross-Site Request Forgery and is fixed in ChurchCRM 7.3.2.
Critical Impact
A single click on an attacker-controlled link can trigger cascaded deletion of fundraisers, property types, and notes from a victim's ChurchCRM instance.
Affected Products
- ChurchCRM versions prior to 7.3.2
- FundRaiserDelete.php endpoint
- PropertyTypeDelete.php and NoteDelete.php endpoints
Discovery Timeline
- 2026-05-12 - CVE-2026-44548 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44548
Vulnerability Analysis
The vulnerability exists because ChurchCRM's deletion endpoints perform state-changing operations in response to HTTP GET requests without verifying request origin. The application relies solely on the user's authenticated session cookie. Browsers automatically attach session cookies to any request to the application's origin, including top-level navigations initiated from third-party sites. When an attacker-controlled page redirects or links to FundRaiserDelete.php, PropertyTypeDelete.php, or NoteDelete.php, the victim's browser submits the request with valid session credentials. The server processes the deletion as if the user initiated it.
The impact extends beyond a single record. Deletions cascade through related property assignments and record-to-property mappings. A single forged request can remove multiple linked database entries. Exploitation requires the victim to hold the role authorized to delete the targeted record type.
Root Cause
The root cause is missing anti-CSRF protection on destructive endpoints. ChurchCRM neither enforced a synchronizer token, nor validated the Origin or Referer headers, nor restricted destructive operations to HTTP POST with body-based tokens. The endpoints accepted GET parameters and acted on them immediately.
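To make the three missing controls concrete, here is an added illustration in Python (not ChurchCRM's code, which is PHP, and not taken from the vendor fix): a deletion handler that proceeds only when the request is a POST, its Origin (or, failing that, Referer) matches the application's own origin, and its form carries a synchronizer token that matches the one bound to the server-side session. The `APP_ORIGIN` value, the `Session` and `Request` stand-ins, and the `csrf_token` field name are assumptions made for the example.

```python
"""Illustrative CSRF defence for a state-changing endpoint (added example; not ChurchCRM code).

Demonstrates the three controls the advisory says were missing: the action is accepted only
over POST, the request's Origin (falling back to Referer) must equal the application's own
origin, and the request must carry a synchronizer token matching the user's session token.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

APP_ORIGIN = "https://churchcrm.example.org"  # assumed deployment origin (example value)


@dataclass
class Session:
    """Minimal stand-in for a server-side session holding a per-session CSRF token."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal stand-in for an inbound HTTP request as the handler would see it."""
    method: str
    headers: dict
    form: dict
    query: dict


def _header(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _request_origin(req):
    """Origin header if present, else the scheme://host part of Referer, else None."""
    origin = _header(req.headers, "Origin")
    if origin:
        return origin.rstrip("/")
    referer = _header(req.headers, "Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_rejection_reason(req, session):
    """Return None when the request may perform the action, else a short rejection reason."""
    if req.method.upper() != "POST":
        return "method-not-post"          # destructive actions never ride on GET
    origin = _request_origin(req)
    if origin is None:
        return "origin-unknown"           # fail closed when neither header is present
    if origin != APP_ORIGIN:
        return "origin-mismatch"          # request was initiated from another site
    token = req.form.get("csrf_token", "")
    # constant-time comparison; encode so non-ASCII input cannot raise in compare_digest
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return "token-mismatch"           # missing or forged synchronizer token
    return None


def delete_record(req, session, store):
    """Delete store[id] only when the CSRF checks pass; returns (status, reason)."""
    reason = csrf_rejection_reason(req, session)
    if reason is not None:
        return 403, reason
    record_id = req.form.get("id")
    if record_id not in store:
        return 404, "not-found"
    del store[record_id]
    return 200, "deleted"


if __name__ == "__main__":
    sess = Session(user="admin")
    records = {"7": "Spring fundraiser"}   # constructed sample data
    forged = Request("GET", {"Referer": "https://attacker.example/page"}, {}, {"id": "7"})
    print(delete_record(forged, sess, records))   # (403, 'method-not-post'), record survives
    legit = Request("POST", {"Origin": APP_ORIGIN},
                    {"id": "7", "csrf_token": sess.csrf_token}, {})
    print(delete_record(legit, sess, records))    # (200, 'deleted')
```

The token alone already defeats a cross-site request, because the attacker's page cannot read it out of the victim's session; the origin comparison is defence in depth, and rejecting requests that present neither Origin nor Referer is what keeps the check fail-closed.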
Attack Vector
An attacker crafts a web page containing a top-level navigation, an image tag, or a meta refresh that points to a ChurchCRM deletion URL with a target record identifier. The attacker lures an authenticated ChurchCRM user with the appropriate role to visit the page. The browser issues the GET request with session cookies attached. ChurchCRM executes the deletion server-side. No additional user interaction beyond visiting the page is required. Refer to the GitHub Security Advisory GHSA-jx5r-p82p-2p8m for vendor-confirmed technical details.
Detection Methods for CVE-2026-44548
Indicators of Compromise
- Unexpected entries in ChurchCRM application logs showing GET requests to FundRaiserDelete.php, PropertyTypeDelete.php, or NoteDelete.php with external Referer headers.
- Audit log entries recording fundraiser, property type, or note deletions that authenticated users did not consciously perform.
- Cascaded removal of property assignments or record-to-property mappings tied to a single deletion event.
Detection Strategies
- Inspect web server access logs for requests to the three deletion endpoints originating from off-domain Referer values or with no Referer at all.
- Correlate user session activity with deletion timestamps to identify deletions that occurred immediately after the user visited an external link.
- Monitor database-level audit trails for bursts of cascaded deletions in the fundraiser, property, and note tables.
Monitoring Recommendations
- Forward ChurchCRM web server logs and application audit logs to a centralized log platform for retention and query.
- Alert on any HTTP GET to *Delete.php endpoints, since the patched application moves destructive operations off GET semantics.
- Track per-user deletion volumes and flag deviations from baseline behavior.
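The access-log review from the detection strategies and the GET-to-*Delete.php alert from the monitoring recommendations can both be scripted. The following Python is an added example, not part of this advisory or of ChurchCRM: it parses Apache/nginx combined-format access log lines, flags GET requests to the three deletion endpoints whose Referer is missing or belongs to another host (and, in `patched` mode, any GET to those endpoints at all), and totals deletion requests per client address so that bursts stand out. The hostname, the log lines and the query parameter names in them are constructed for the example.

```python
"""Hunt for possible cross-site deletions in web server access logs (added example; not ChurchCRM tooling).

Parses Apache/nginx "combined" format lines, flags GET requests to the three deletion endpoints
whose Referer is absent or points at a foreign host, and counts deletion requests per client.
All log lines below are constructed samples, not real data.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

APP_HOST = "churchcrm.example.org"  # assumed deployment hostname (example value)
DELETE_ENDPOINTS = ("FundRaiserDelete.php", "PropertyTypeDelete.php", "NoteDelete.php")

# combined log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one benign in-app deletion, then three requests from a second client.
SAMPLE_LOG = """\
203.0.113.5 - - [12/May/2026:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "https://churchcrm.example.org/" "Mozilla/5.0"
203.0.113.5 - - [12/May/2026:10:01:40 +0000] "GET /NoteDelete.php?id=42 HTTP/1.1" 302 0 "https://churchcrm.example.org/somepage" "Mozilla/5.0"
198.51.100.7 - - [12/May/2026:10:02:11 +0000] "GET /FundRaiserDelete.php?id=7 HTTP/1.1" 302 0 "https://evil.example/page" "Mozilla/5.0"
198.51.100.7 - - [12/May/2026:10:02:12 +0000] "GET /PropertyTypeDelete.php?id=3 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2026:10:02:13 +0000] "GET /NoteDelete.php?id=43 HTTP/1.1" 302 0 "https://churchcrm.example.org.evil.example/" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    match = COMBINED.match(line)
    return match.groupdict() if match else None


def is_delete_endpoint(path):
    """True when the request path (query string stripped) is one of the deletion scripts."""
    return path.split("?", 1)[0].endswith(DELETE_ENDPOINTS)


def referer_host(referer):
    """Hostname from the Referer value, or None when the header was absent ("-")."""
    if not referer or referer == "-":
        return None
    return urlsplit(referer).hostname


def classify(entry, patched=False):
    """Return None for a benign entry, else a short reason the request looks suspicious.

    With patched=True (ChurchCRM 7.3.2 or later, where deletions no longer happen over GET)
    every GET to a deletion endpoint is reported, even with a same-origin Referer.
    """
    if entry["method"] != "GET" or not is_delete_endpoint(entry["path"]):
        return None
    host = referer_host(entry["referer"])
    if host is None:
        return "missing-referer"
    if host.lower() != APP_HOST:          # exact host match, so look-alike suffixes do not pass
        return "off-domain-referer"
    if patched:
        return "get-to-delete-endpoint"
    return None


def find_suspicious(log_text, patched=False):
    """Scan a whole log; returns a list of (ip, time, path, reason) for flagged requests."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry, patched)
        if reason:
            hits.append((entry["ip"], entry["time"], entry["path"], reason))
    return hits


def deletions_per_client(log_text):
    """Count requests to deletion endpoints per client address (baseline for volume alerts)."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_delete_endpoint(entry["path"]):
            counts[entry["ip"]] += 1
    return counts


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(*hit)
    print(dict(deletions_per_client(SAMPLE_LOG)))
```

Feed it real logs with `find_suspicious(open(path).read())`; the per-client counter is the starting point for the per-user baseline, and the look-alike host in the last sample line shows why the Referer host must be compared exactly rather than by prefix or substring.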
How to Mitigate CVE-2026-44548
Immediate Actions Required
- Upgrade ChurchCRM to version 7.3.2 or later, which contains the official fix.
- Audit recent deletions of fundraisers, property types, and notes and restore from backup where unauthorized removals are confirmed.
- Require ChurchCRM users to log out of the application when not actively using it to shrink the exploitation window.
Patch Information
ChurchCRM 7.3.2 fixes the vulnerability by adding CSRF protection to the affected deletion endpoints. The fix and full vendor guidance are documented in the ChurchCRM GitHub Security Advisory. Administrators should review release notes before upgrading and back up the database first.
Workarounds
- Restrict access to the ChurchCRM administrative interface to trusted networks via firewall or VPN until the patch is applied.
- Configure a web application firewall (WAF) rule to block external requests to FundRaiserDelete.php, PropertyTypeDelete.php, and NoteDelete.php based on Referer and Origin headers.
- Limit the roles permitted to delete fundraisers, property types, and notes to the smallest possible set of accounts.
# Example WAF rules (ModSecurity v2 syntax) blocking cross-origin GETs to the deletion endpoints.
# Replace https://churchcrm.example.org/ with the real ChurchCRM origin; the rule ids are example values.
# Rule 1: GET to a delete endpoint whose Referer does not point at our own origin.
SecRule REQUEST_METHOD "@streq GET" \
    "chain,phase:1,deny,status:403,id:1004401,msg:'Block CSRF on ChurchCRM delete endpoints (off-origin Referer)'"
    SecRule REQUEST_URI "@rx (FundRaiserDelete|PropertyTypeDelete|NoteDelete)\.php" "chain"
    SecRule REQUEST_HEADERS:Referer "!@beginsWith https://churchcrm.example.org/" "t:none"
# Rule 2: GET to a delete endpoint with no Referer at all; rule 1 cannot match an absent header, so without this chain such requests would pass.
SecRule REQUEST_METHOD "@streq GET" \
    "chain,phase:1,deny,status:403,id:1004402,msg:'Block CSRF on ChurchCRM delete endpoints (missing Referer)'"
    SecRule REQUEST_URI "@rx (FundRaiserDelete|PropertyTypeDelete|NoteDelete)\.php" "chain"
    SecRule &REQUEST_HEADERS:Referer "@eq 0"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.