ChurchCRM RCE: Authenticated Admin Backup Restore Exploit, Reachable via CSRF
The National Vulnerability Database (NVD) has detailed CVE-2026-40484, a critical remote code execution (RCE) vulnerability in ChurchCRM, an open-source church management system. Versions prior to 7.2.0 are affected. The flaw lies within the database backup restore functionality, which extracts archive contents and copies files from the Images/ directory to the web-accessible document root without proper file extension filtering.
An authenticated administrator can exploit this by uploading a crafted backup archive containing a PHP webshell within the Images/ directory. This webshell then gets written to a publicly accessible path, making it executable via HTTP requests and resulting in RCE as the web server user. The NVD also notes that the restore endpoint lacks CSRF token validation, enabling cross-site request forgery attacks targeting an authenticated administrator.
This is a severe issue. While it requires administrator authentication, the CSRF component significantly lowers the bar for exploitation: an attacker can use social engineering to get a logged-in administrator to trigger the vulnerable restore operation from their own browser session. The impact is complete compromise of the web server, since the attacker gains code execution as the web server user.
What This Means For You
- If your organization uses ChurchCRM, immediately verify your version. If it's prior to 7.2.0, you are exposed to critical RCE. Patch to version 7.2.0 without delay. Furthermore, scrutinize web server logs for any unusual file writes to publicly accessible directories, especially within `Images/` or similar paths, following backup restore operations. This vulnerability gives an attacker full control over the web server.
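The mitigation in the bullet above (the restore should copy only genuine image files into the document root) and the log check it recommends (script files being requested under `Images/`), as an added Python example that is not ChurchCRM's code: the extension allowlist, the magic-byte table, the script-extension list, the sample `Images/` tree and the access-log lines are all constructed assumptions for the demo. It goes one step beyond the extension filtering the advisory describes by also sniffing file content, because a PHP file renamed to `.jpg` passes an extension check.

```python
"""Audit/safe-copy helpers for a backup's Images/ tree plus an access-log check (added example, not ChurchCRM code)."""
import os
import shutil
import tempfile
from typing import List, Optional, Tuple

IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}   # assumption: all that Images/ should hold
MAGIC = {                                               # constructed subset of magic bytes
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

def sniff_image(head: bytes) -> Optional[str]:
    """Return the image format the leading bytes announce, or None."""
    for magic, fmt in MAGIC.items():
        if head.startswith(magic):
            return fmt
    return None

def audit_tree(root: str) -> List[Tuple[str, str]]:
    """List (relative path, reason) for every file that must not reach the document root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                head = fh.read(16)
            if ext not in IMAGE_EXTENSIONS:          # the check the advisory says was missing
                findings.append((rel, f"extension {ext or '(none)'} not allowlisted"))
            elif head.lstrip().startswith(b"<?"):     # PHP renamed to .jpg passes the check above
                findings.append((rel, "PHP open tag inside image-named file"))
            elif sniff_image(head) is None:
                findings.append((rel, "content does not match an allowlisted image format"))
    return sorted(findings)

def safe_copy_images(src: str, dst: Optional[str] = None) -> List[str]:
    """Copy only files that pass the audit into dst; return the relative paths copied."""
    if dst is None:
        dst = tempfile.mkdtemp(prefix="docroot_images_")
    rejected = {rel for rel, _reason in audit_tree(src)}
    copied = []
    for dirpath, _dirs, files in os.walk(src):
        for name in files:
            source = os.path.join(dirpath, name)
            rel = os.path.relpath(source, src)
            if rel in rejected:
                continue
            target = os.path.join(dst, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copyfile(source, target)
            copied.append(rel)
    return sorted(copied)

def suspicious_requests(log_lines: List[str], image_dirs=("/Images/",)) -> List[str]:
    """Return request paths that ask the web server for a script under an image directory."""
    hits = []
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue
        fields = parts[1].split()        # e.g. ['GET', '/Images/logo.png', 'HTTP/1.1']
        if len(fields) < 2:
            continue
        path = fields[1].split("?", 1)[0]
        # assumption: extensions the web server hands to the PHP engine
        if path.startswith(image_dirs) and path.lower().endswith((".php", ".phtml", ".phar")):
            hits.append(path)
    return hits

def build_sample_backup() -> str:
    """Constructed Images/ tree of an extracted backup, mixing legitimate and bad files."""
    root = tempfile.mkdtemp(prefix="churchcrm_images_")
    samples = {
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
        "family/smith.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8,
        "cmd.php": b"<?php /* constructed marker, not a payload */",
        "photo.jpg": b"<?php /* PHP hiding behind an image extension */",
        "notes.txt": b"text that does not belong in Images/",
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root

LOG_LINES = [  # constructed combined-log-format lines
    '10.0.0.5 - - [18/Apr/2026:03:20:01 +0000] "GET /Images/logo.png HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Apr/2026:03:21:44 +0000] "GET /Images/cmd.php HTTP/1.1" 200 77',
    '10.0.0.9 - - [18/Apr/2026:03:21:50 +0000] "GET /index.php HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    src = build_sample_backup()
    print(audit_tree(src), safe_copy_images(src), suspicious_requests(LOG_LINES), sep="\n")
```

Run it as a script to see the three rejected files, the two files that were copied and the one flagged request. Point `audit_tree` at an extracted backup before restoring it, or at a live `Images/` directory after a restore you did not expect; `suspicious_requests` takes lines straight from the web server's access log.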
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40484 | RCE | ChurchCRM versions prior to 7.2.0 |
| CVE-2026-40484 | RCE | Vulnerable functionality: database backup restore, recursiveCopyDirectory() |
| CVE-2026-40484 | RCE | Attack vector: Uploading crafted backup archive with PHP webshell in Images/ directory |
| CVE-2026-40484 | CSRF | Vulnerable endpoint: database restore functionality lacking CSRF token validation |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 18, 2026 at 03:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.