CVE-2026-44547: ChurchCRM Critical Vulnerability Persists in 7.2.x Releases
The National Vulnerability Database highlights CVE-2026-44547, a critical vulnerability in ChurchCRM, an open-source church management system. Rated 9.6 CVSS, this flaw affects versions 7.2.0 through 7.2.2. The core issue stems from an incomplete fix for a prior vulnerability, CVE-2026-4058.
According to the National Vulnerability Database, a hardening commit intended to resolve the earlier issue was integrated but subsequently removed from src/api/routes/public/public-user.php by an unrelated pull request. This occurred before any 7.2.x release tags were cut, meaning every shipped version within the 7.2.x branch remains exploitable. Attackers can leverage the existing Proof-of-Concept for CVE-2026-4058 to compromise affected systems, leading to high impact on confidentiality and integrity. The vulnerability is finally addressed in ChurchCRM version 7.3.1.
This isn’t just a coding error; it’s a critical process failure. A fix was developed, merged, then silently stripped out before release. This kind of oversight leaves organizations wide open, demonstrating why robust release management and security testing are non-negotiable, especially for open-source projects where community contributions can inadvertently introduce regressions. Defenders need to understand the full lifecycle of a vulnerability, not just the initial patch.
What This Means For You
- If your organization uses ChurchCRM, immediately check your version. Any installation between 7.2.0 and 7.2.2 is critically vulnerable to CVE-2026-44547. Patch to 7.3.1 without delay. Do not assume previous updates secured your system; this vulnerability is a regression that effectively nullified an earlier fix.
Related ATT&CK Techniques
🛡️ Detection Rules
2 rules · 6 SIEM formats2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-44547: ChurchCRM Public User API Exploitation Attempt
title: CVE-2026-44547: ChurchCRM Public User API Exploitation Attempt
id: scw-2026-05-12-ai-1
status: experimental
level: critical
description: |
Detects attempts to exploit CVE-2026-44547 by targeting the public user API endpoint in ChurchCRM versions 7.2.0 to 7.2.2. This rule specifically looks for POST requests to '/src/api/routes/public/public-user.php' with a 'login' action in the query string, which is indicative of the exploit attempting to bypass authentication.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-44547/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri:
- '/src/api/routes/public/public-user.php'
cs-method:
- 'POST'
cs-uri-query|contains:
- 'action=login'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-44547 | Auth Bypass | ChurchCRM versions 7.2.0 to 7.2.2 |
| CVE-2026-44547 | Auth Bypass | src/api/routes/public/public-user.php |
| CVE-2026-44547 | Auth Bypass | ChurchCRM fixed in version 7.3.1 |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 13, 2026 at 02:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
Fuji Tellus Driver Grants All Users Kernel R/W: CVE-2026-8108
CVE-2026-8108 — The installation of Fuji Tellus adds a driver to the kernel which grants all users read and write permissions.
MonsterInsights WordPress Plugin Exposes Google OAuth Tokens
CVE-2026-5371 — The MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) plugin for WordPress is vulnerable to unauthorized access and modification of...
ChurchCRM CVE-2026-44548: High-Severity CSRF Allows Silent Record Deletion
CVE-2026-44548 — ChurchCRM is an open-source church management system. Prior to 7.3.2, top-level cross-site GET navigation from an attacker-controlled page to FundRaiserDelete.php, PropertyTypeDelete.php, or NoteDelete.php...