Cross-Site Request Forgery in ChurchCRM Open-Source Management System
CVE-2026-42289

8.8 HIGH

Key Information:

Vendor: Churchcrm
Status: Vendor
CVE Published: 12 May 2026

What is CVE-2026-42289?

ChurchCRM is an open-source church management system that includes management of user accounts and permissions. Prior to version 7.3.2, the system's UserEditor.php file processed account creation and permission updates directly from $_POST parameters, without any CSRF token validation. Because of this, an unauthenticated attacker can host a malicious HTML page that, when visited by an authenticated administrator, silently submits a request in the administrator's session: this can elevate a low-privilege user to full administrative rights or create an unauthorized administrator backdoor account without the administrator's consent or awareness. The issue has been fixed in version 7.3.2, so users should update to that version to protect against exploitation.
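To make the defect and its fix concrete, the following is an added illustration (not ChurchCRM's own code or its actual patch): a minimal PHP permission-update handler in the vulnerable shape described above, trusting $_POST alone, next to a hardened version that requires a per-session synchronizer token. All function and field names (updateUserRoleUnsafe, csrf_token, setUserAdmin and so on) are hypothetical.

```php
<?php
// Added example, not ChurchCRM code. Shows why a POST-only handler with no
// CSRF token is forgeable, and the synchronizer-token pattern that closes it.
session_start();

// Hypothetical in-memory stand-in for the user table.
$USERS = ['7' => ['admin' => false]];

function setUserAdmin(string $userId, bool $isAdmin): void {
    global $USERS;
    $USERS[$userId]['admin'] = $isAdmin;   // hypothetical: real code writes to the DB
}

// Vulnerable shape: a cross-site form post carries the admin's session cookie,
// so the server cannot tell it apart from a request the admin actually made.
function updateUserRoleUnsafe(array $post): void {
    setUserAdmin((string) $post['user_id'], !empty($post['admin']));
}

// One unguessable token per session, embedded in every state-changing form.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; a missing, empty or mismatched token is rejected.
function csrfTokenIsValid($submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

// Hardened shape: identical update, performed only after method and token checks.
function updateUserRoleSafe(array $post): void {
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST' || !csrfTokenIsValid($post['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    setUserAdmin((string) $post['user_id'], !empty($post['admin']));
}

// The hidden field is the value a page on another origin cannot read or forge.
function renderRoleForm(string $userId): string {
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="UserEditor.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="hidden" name="user_id" value="' . htmlspecialchars($userId, ENT_QUOTES, 'UTF-8') . '">'
         . '<label><input type="checkbox" name="admin" value="1"> Administrator</label>'
         . '<button type="submit">Save</button></form>';
}
```

Setting the session cookie with the SameSite=Lax or Strict attribute is a useful defence-in-depth complement, but it does not replace the token check, which is the fix the advisory describes.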

Affected Version(s)

CRM < 7.3.2

References

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
