ChurchCRM unauthenticated RCE (CVE-2026-39337)
CVE-2026-39337 grants unauthenticated RCE in ChurchCRM before 7.1.0 via the setup wizard's unsanitized dbPassword variable. Immediately upgrade to 7.1.0.
Patch now - CVE-2026-39337 is a critical pre-authentication remote code execution flaw in ChurchCRM versions prior to 7.1.0 that allows an unauthenticated attacker to inject arbitrary PHP code through the setup wizard. Upgrade to version 7.1.0 immediately.
Overview
A critical vulnerability, tracked as CVE-2026-39337, exists in the ChurchCRM open-source church management system. This is a pre-authentication remote code execution (RCE) flaw in the software’s setup wizard, affecting all versions prior to 7.1.0. The vulnerability stems from improper sanitization of the $dbPassword variable during initial installation.
Vulnerability Details
The flaw allows an unauthenticated attacker to inject arbitrary PHP code during the system’s installation process. This occurs because user-supplied input for the database password is not properly sanitized before being written to a configuration file. The attacker does not need any credentials or user interaction; they simply need to access the publicly available setup page before the installation is finalized. This vulnerability is a direct result of an incomplete fix for a prior issue, CVE-2025-62521.
Impact
With a maximum CVSS score of 10.0, the impact is severe. Successful exploitation grants an attacker the ability to execute any code on the underlying server with the privileges of the web server process. This can lead to a complete compromise of the server, data theft, deployment of ransomware, or use of the server as a foothold for further attacks within a network. For organizations using ChurchCRM, this could result in the exposure of sensitive member and financial data.
Remediation and Mitigation
The only complete remediation is to immediately upgrade ChurchCRM to version 7.1.0 or later. This version contains the necessary fix.
If you are currently running a version below 7.1.0:
- Upgrade Immediately: Apply the update to version 7.1.0 as your highest priority.
- Investigate for Compromise: Assume your system may have been targeted. Review server logs for unauthorized access to the /setup/ directory and check for unexpected files or processes.
- Temporary Mitigation (if upgrade is delayed): If the setup wizard is no longer needed, ensure the /setup/ directory is completely removed from the web server. This is not a substitute for patching.
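The log review step above, as an added example that is not part of this advisory or of ChurchCRM itself: a small Python scanner over combined-format access logs that lists every request to the /setup/ path and groups the POSTs (the requests that can submit the database password) by source address. The log format, the sample lines and the installation timestamp are all assumed or constructed; adjust the path prefix and pattern to your deployment.

```python
import re
from datetime import datetime, timezone
# Combined log format as written by Apache/nginx by default (assumed; adjust for your server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
SETUP_PREFIX = "/setup/"  # wizard location named in the advisory

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_setup_requests(lines, installed_at=None):
    """All requests that touched the wizard; with installed_at, only those after install finished."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore the query string when matching
        if path != SETUP_PREFIX.rstrip("/") and not path.startswith(SETUP_PREFIX):
            continue
        if installed_at is not None and rec["ts"] <= installed_at:
            continue  # the installer's own visit; the wizard should be unreachable afterwards
        hits.append(rec)
    return hits

def posting_sources(hits):
    """Group POSTs to the wizard by source IP: a POST is what can write the configuration file."""
    by_ip = {}
    for rec in hits:
        if rec["method"] == "POST":
            by_ip.setdefault(rec["ip"], []).append(rec["ts"])
    return by_ip

# Constructed sample log: the installer's own visit, unrelated traffic, and a late POST from elsewhere.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Apr/2026:10:15:02 +0000] "GET /setup/ HTTP/1.1" 200 5120',
    '203.0.113.7 - - [02/Apr/2026:10:15:40 +0000] "POST /setup/ HTTP/1.1" 302 0',
    '192.0.2.10 - - [02/Apr/2026:10:20:00 +0000] "GET /index.php HTTP/1.1" 200 2048',
    '198.51.100.23 - - [03/Apr/2026:03:12:55 +0000] "POST /setup/index.php?step=db HTTP/1.1" 200 312',
]
INSTALL_FINISHED = datetime(2026, 4, 2, 10, 16, tzinfo=timezone.utc)  # constructed install time
```

Any address in `posting_sources(find_setup_requests(lines, INSTALL_FINISHED))` reached the wizard after the installation was complete and is the place to start the file and process review.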
For new installations: Always download the software directly from the official ChurchCRM repository to ensure you are not installing a pre-compromised version.
Security Insight
This vulnerability highlights the critical risk of “trusting the setup phase,” where security controls are often relaxed for convenience. The reappearance of the flaw after an incomplete patch for CVE-2025-62521 underscores the importance of comprehensive regression testing, especially for security fixes. It serves as a reminder that installation wizards, though temporary, present a full attack surface.