ChurchCRM Path Traversal RCE (CVE-2026-35573)
Attackers with administrator access can exploit a path traversal flaw in ChurchCRM's backup restore feature to write arbitrary files and execute code on the server. Affects versions before 6.5.3. Upgrade to 6.5.3 or later immediately.
Patch now - CVE-2026-35573 is a critical remote code execution in ChurchCRM versions prior to 6.5.3 that grants an authenticated admin the ability to overwrite server files and execute arbitrary PHP code.
Overview
A critical path traversal vulnerability (CVE-2026-35573) exists in ChurchCRM, an open-source church management system. The flaw is located in the backup restore functionality (src/ChurchCRM/Backup/RestoreJob.php) in versions prior to 6.5.3. It allows authenticated users with administrator privileges to upload files with arbitrary names, leading to remote code execution.
Vulnerability Details
The vulnerability stems from insufficient validation of the $rawUploadedFile['name'] parameter during the backup restore process. An attacker with admin access can control the filename, enabling them to perform a path traversal attack. By crafting a malicious filename, they can write an arbitrary file outside the intended /var/www/html/tmp_attach/ChurchCRMBackups/ directory. A primary attack vector involves overwriting the Apache .htaccess configuration file, which can be leveraged to execute arbitrary PHP code on the underlying server.
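As an added illustration (this is not ChurchCRM's code and not the vendor's fix), the PHP below contrasts the weak pattern described above, where $rawUploadedFile['name'] is trusted as a path component, with a hardened version: it rejects NUL bytes, reduces the name to its last path component, allow-lists the characters and the expected archive extension, and checks that the resolved parent directory is still the backup directory. The accepted extension list, the function names and the use of sys_get_temp_dir() in the demo loop are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Added example, not ChurchCRM's code. Backup directory path as given in the advisory.
const BACKUP_DIR = '/var/www/html/tmp_attach/ChurchCRMBackups';

// Weak pattern: the client-controlled name is used as a path component unchanged,
// so "../../.htaccess" (or an absolute path) lands outside BACKUP_DIR.
function unsafeTargetPath(array $rawUploadedFile): string
{
    return BACKUP_DIR . '/' . $rawUploadedFile['name'];
}

// Hardened version. Returns the absolute path the archive may be written to,
// or throws. The accepted extensions are an assumption of this example.
function safeTargetPath(array $rawUploadedFile, string $backupDir = BACKUP_DIR): string
{
    $raw = (string) ($rawUploadedFile['name'] ?? '');

    // NUL bytes can truncate the name in lower-level code; reject them outright.
    if ($raw === '' || strpos($raw, "\0") !== false) {
        throw new InvalidArgumentException('Empty or binary filename');
    }

    // Keep only the last path component: strips "../", "/" and Windows separators.
    $name = basename(str_replace('\\', '/', $raw));

    // Allow-list: must start with an alphanumeric (so no ".htaccess"), contain only
    // [A-Za-z0-9._-], and end with an expected backup archive extension.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,200}\.(tar\.gz|sql\.gz|sql|zip)$/', $name)) {
        throw new InvalidArgumentException('Filename does not match the allowed pattern');
    }

    $dir = realpath($backupDir);
    if ($dir === false || !is_dir($dir)) {
        throw new RuntimeException('Backup directory is not available');
    }

    $target = $dir . DIRECTORY_SEPARATOR . $name;

    // Defence in depth: the parent of the final path must be exactly the backup directory.
    if (dirname($target) !== $dir) {
        throw new InvalidArgumentException('Resolved path escapes the backup directory');
    }

    return $target;
}

// Demo with constructed names; sys_get_temp_dir() stands in for BACKUP_DIR so it runs anywhere.
$samples = [
    'ChurchCRM-Backup-2024-01-01.tar.gz',
    '../../.htaccess',
    '/var/www/html/.htaccess',
    '.htaccess',
    "shell.php\0.sql",
    'notes.php',
];
foreach ($samples as $name) {
    $shown = addcslashes($name, "\0..\37");
    try {
        echo "accepted  {$shown} -> ", safeTargetPath(['name' => $name], sys_get_temp_dir()), PHP_EOL;
    } catch (Throwable $e) {
        echo "rejected  {$shown}: ", $e->getMessage(), PHP_EOL;
    }
}
```

Only the first sample is accepted; the traversal, absolute-path, dotfile, NUL-byte and wrong-extension names are all refused before any file is written. The realpath()/dirname() comparison is deliberately redundant with the allow-list: if a later change loosens the regex, the directory check still holds the line.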
Impact
With a CVSS score of 9.1, this vulnerability is highly severe. Successful exploitation grants an attacker the ability to run any code on the web server with the same permissions as the ChurchCRM application. This can lead to a complete compromise of the server, data theft, defacement of the website, or the deployment of persistent backdoors. The requirement for admin credentials significantly limits the attack surface but underscores the risk of credential compromise or insider threats.
Remediation and Mitigation
The vendor has released a fix in ChurchCRM version 6.5.3. All users must upgrade to this version immediately.
Immediate Actions:
- Patch: Upgrade ChurchCRM to version 6.5.3 or later without delay.
- Audit: If immediate patching is not possible, review server logs for any unusual file upload activity to the /var/www/html/tmp_attach/ directory or unexpected modifications to .htaccess files.
- Principle of Least Privilege: Ensure administrator accounts are limited to trusted personnel only and employ strong, unique passwords.
There is no known effective workaround; patching is the only complete solution.
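To support the audit step above, here is an added PHP script (not part of the advisory or of ChurchCRM) that records a SHA-256 baseline of every .htaccess file under the web root, reports additions, modifications and removals on later runs, and lists server-interpreted files that have appeared under tmp_attach outside the backup subdirectory. The web root and attachment paths are those named in the advisory; the baseline location and the flagged extension list are placeholders chosen for this example, and the script needs PHP 8 or later for str_starts_with().

```php
<?php
declare(strict_types=1);

// Added example, not part of the advisory or ChurchCRM. Paths from the advisory;
// the baseline location is a placeholder of this example.
const WEB_ROOT      = '/var/www/html';
const ATTACH_DIR    = '/var/www/html/tmp_attach';
const BACKUP_SUBDIR = '/var/www/html/tmp_attach/ChurchCRMBackups';
const BASELINE_FILE = '/var/lib/churchcrm-audit/htaccess-baseline.json'; // placeholder

// Recursively hash every .htaccess below $root, keyed by absolute path.
function collectHtaccessHashes(string $root): array
{
    $hashes = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if ($file->isFile() && $file->getFilename() === '.htaccess') {
            $hashes[$file->getPathname()] = hash_file('sha256', $file->getPathname());
        }
    }
    ksort($hashes);
    return $hashes;
}

// Files under the attachment directory that a legitimate restore should never produce:
// anything outside the backup subdirectory with a server-interpreted name.
function findUnexpectedUploads(string $attachDir, string $backupSubdir): array
{
    $hits = [];
    if (!is_dir($attachDir)) {
        return $hits;
    }
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($attachDir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        $path = $file->getPathname();
        if (!$file->isFile() || str_starts_with($path, $backupSubdir . DIRECTORY_SEPARATOR)) {
            continue;
        }
        $ext = strtolower($file->getExtension());
        if ($file->getFilename() === '.htaccess' || in_array($ext, ['php', 'phtml', 'phar'], true)) {
            $hits[] = $path . ' (mtime ' . date('c', $file->getMTime()) . ')';
        }
    }
    return $hits;
}

// Compare a stored baseline with the current hashes.
function diffBaseline(array $baseline, array $current): array
{
    $report = ['added' => [], 'modified' => [], 'removed' => []];
    foreach ($current as $path => $hash) {
        if (!array_key_exists($path, $baseline)) {
            $report['added'][] = $path;
        } elseif ($baseline[$path] !== $hash) {
            $report['modified'][] = $path;
        }
    }
    foreach (array_keys($baseline) as $path) {
        if (!array_key_exists($path, $current)) {
            $report['removed'][] = $path;
        }
    }
    return $report;
}

$current = collectHtaccessHashes(WEB_ROOT);

if (!is_file(BASELINE_FILE)) {
    // First run: record the baseline. Only do this on an install you have reason to trust.
    @mkdir(dirname(BASELINE_FILE), 0700, true);
    file_put_contents(BASELINE_FILE, json_encode($current, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES));
    echo 'Baseline written for ', count($current), " .htaccess file(s)\n";
    exit(0);
}

$baseline = json_decode((string) file_get_contents(BASELINE_FILE), true);
$report   = diffBaseline(is_array($baseline) ? $baseline : [], $current);
$uploads  = findUnexpectedUploads(ATTACH_DIR, BACKUP_SUBDIR);

$findings = 0;
foreach ($report as $kind => $paths) {
    foreach ($paths as $path) {
        echo strtoupper($kind), "\t", $path, "\n";
        $findings++;
    }
}
foreach ($uploads as $hit) {
    echo "UNEXPECTED\t", $hit, "\n";
    $findings++;
}
exit($findings === 0 ? 0 : 2);
```

Run it once on a known-good install to write the baseline, then from cron; a non-zero exit code means something changed. File-level evidence matters here because the filename in a multipart upload is carried in the request body, so a typical web server access log records the restore request but not the traversal sequence itself.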
Security Insight
This vulnerability highlights the persistent risk of path traversal flaws in file upload handlers, a common weakness in web applications. It is reminiscent of past incidents in other CMS platforms where backup/restore features became an attack vector. The high CVSS score, despite requiring admin privileges, reflects the dangerous ease with which the flaw can be leveraged for full server takeover once initial access is achieved, emphasizing that authentication is not a sufficient security boundary on its own.