DEV Community

THREAT CHAIN

Originally published at threatchain.io

CVE-2026-39337: Church Management Software Flaw Gives Attackers Complete Server Control

This article was originally published on ThreatChain — decentralized threat intelligence.

Your security tools might have missed this one. CVE-2026-39337 is being actively exploited right now; here's what you need to know before it reaches your network.

If you're running ChurchCRM to manage your congregation's data, you need to act now. A critical vulnerability allows attackers to take complete control of your server during the software's initial setup process—no username or password required.

What Is This CVE

CVE-2026-39337 is a remote code execution vulnerability in ChurchCRM, a popular open-source system used by thousands of churches worldwide to manage members, donations, events, and other sensitive information. The flaw carries a perfect 10.0 CVSS score—the highest possible severity rating.

Here's what makes this especially dangerous: attackers can exploit this vulnerability during ChurchCRM's setup wizard, before you've even finished installing the software. The setup process fails to properly sanitize database password input, allowing attackers to inject malicious PHP code that runs with full server privileges.

This means an attacker could potentially access all church records, financial data and personal information of congregation members, or use your server as a launching pad for other attacks. What's particularly concerning is that this vulnerability exists because the fix for a previous issue (CVE-2025-62521) was incomplete: the original patch didn't fully address the underlying problem.

Who Is At Risk

You're affected if you're running any version of ChurchCRM prior to version 7.1.0. This includes:

  • Churches that recently installed ChurchCRM but haven't completed the setup process
  • Organizations running older versions that haven't updated to 7.1.0
  • Anyone who has ChurchCRM installations accessible from the internet

The vulnerability is particularly dangerous for new installations because it's exploitable during the setup wizard—a process that typically happens when the software is first deployed and potentially most exposed.

How to Check

First, determine which version of ChurchCRM you're running:

  1. Log into your ChurchCRM admin panel and look for version information in the footer or about section
  2. Check your installation directory for a VERSION file or similar
  3. Look at your server files in the ChurchCRM root directory for version indicators

If you can't access the system normally, check your web server logs for the ChurchCRM directory path, then examine the files directly.

To verify if you're vulnerable:

  • If your version is older than 7.1.0, you are definitely affected
  • If you have any incomplete ChurchCRM installations (setup wizard accessible), you are at immediate risk
  • If you're unsure of your version, assume you're vulnerable until proven otherwise

You can also test if your setup wizard is accessible by navigating to yoursite.com/churchcrm/setup/ in a web browser. If you see the setup interface, you're potentially exposed.
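The manual checks above can be scripted. The following is an added example, not code from the article or from the ChurchCRM project: it compares the installed version string against the fixed release 7.1.0 and tests whether your own setup wizard path still answers. It assumes the version is recorded in a file named VERSION in the install root (a placeholder; adapt it to wherever your installation keeps it) and that the wizard is served under /setup/ as the article describes.

```python
"""Added example, not code from the article or from the ChurchCRM project.
Turns the article's manual checks into a small script: compare the installed
version against the fixed release 7.1.0 and test whether the setup wizard
path still answers. Assumptions: the version string is read from a file named
VERSION in the install root (placeholder name) and the wizard lives under
/setup/ as the article describes."""
import re
from pathlib import Path
from typing import Optional, Tuple
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

FIXED_VERSION: Tuple[int, int, int] = (7, 1, 0)   # first release with the fix


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract major.minor[.patch] from strings like '7.0.9' or 'v7.1'.
    Returns None when no version number is present."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable_version(text: str) -> Optional[bool]:
    """True if older than 7.1.0, False if 7.1.0 or newer, None if the string
    cannot be parsed (the article says to treat unknown as vulnerable)."""
    v = parse_version(text)
    return None if v is None else v < FIXED_VERSION


def read_version_file(install_root: str, name: str = "VERSION") -> Optional[str]:
    """Read the version string from the install directory; None if absent.
    The file name is an assumption, not something the article specifies."""
    p = Path(install_root) / name
    return p.read_text(encoding="utf-8").strip() if p.is_file() else None


def setup_wizard_reachable(base_url: str, timeout: float = 5.0) -> bool:
    """True when GET <base_url>/setup/ on your own site returns a 2xx, i.e.
    the wizard is still served. A 403 or 404 means it is blocked or removed;
    connection errors are reported as not reachable."""
    req = Request(base_url.rstrip("/") + "/setup/", method="GET")
    try:
        with urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except (HTTPError, URLError):
        return False


def classify(version_text: Optional[str], wizard_reachable: bool) -> str:
    """Map the two checks onto the article's decision rules."""
    vulnerable = None if version_text is None else is_vulnerable_version(version_text)
    if vulnerable is None:
        return "UNKNOWN_VERSION_ASSUME_VULNERABLE"
    if vulnerable:
        return "VULNERABLE_UPDATE_NOW"
    if wizard_reachable:
        # Patched, but the wizard is still served: restrict it anyway.
        return "PATCHED_BUT_SETUP_STILL_EXPOSED"
    return "PATCHED"


if __name__ == "__main__":
    import sys
    # Placeholder install path and URL; pass your own as arguments.
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www/churchcrm"
    url = sys.argv[2] if len(sys.argv) > 2 else "https://yoursite.example"
    print(classify(read_version_file(root), setup_wizard_reachable(url)))
```

Run it as `python check_churchcrm.py /path/to/churchcrm https://yoursite.example`. The version comparison is numeric, so 7.10.x correctly sorts after 7.1.0; pre-release suffixes such as "-rc1" are ignored, so treat a 7.1.0 pre-release as unverified rather than patched.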

How to Fix

Immediate Actions (Do Today):

  1. Update to ChurchCRM 7.1.0 or later - This is the definitive fix. Download from the official GitHub repository and follow the upgrade instructions.

  2. Block access to the setup wizard if you can't update immediately. Add these rules to your web server:

    • Apache: Add to the .htaccess file in the ChurchCRM root (mod_rewrite must be enabled): RewriteEngine On followed by RewriteRule ^setup/ - [F,L]
    • Nginx: Add to your server block: location ^~ /setup/ { deny all; } (the ^~ modifier stops a later regex location, such as the one that hands .php files to PHP-FPM, from taking precedence and serving the wizard anyway)

  3. If you have incomplete installations, take the system offline immediately until you can update.

Longer-term Actions:

  • Review your server access logs for suspicious activity around the /setup/ directory
  • Consider changing database passwords if you suspect compromise
  • Implement network-level restrictions to limit who can access your ChurchCRM installation during setup
  • Set up monitoring for unauthorized access attempts
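The log review and monitoring items above can be turned into a small detection script. This is an added example, not code from the article or from the ChurchCRM project: it parses combined-format access log lines (Apache and Nginx default), keeps only requests that touch the setup wizard path, and summarises them per client address so that completed submissions from outside your trusted network stand out. The log lines, the trusted network range and the /setup/ path marker are constructed assumptions for the example.

```python
"""Added example, not code from the article or from the ChurchCRM project.
Scans combined-format web server access logs for requests to the ChurchCRM
setup wizard and summarises them per client address. The sample log lines,
the trusted CIDR and the /setup/ path marker are constructed assumptions."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Combined log format: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

SETUP_MARKER = "/setup/"   # assumption: the wizard is served under this path

# Constructed sample log: an external client that reached and submitted the
# wizard, an internal admin doing the same, a blocked probe, and noise.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2026:09:14:02 +0000] "GET /churchcrm/setup/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2026:09:14:31 +0000] "POST /churchcrm/setup/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2026:09:20:10 +0000] "GET /churchcrm/ HTTP/1.1" 200 8421 "-" "Mozilla/5.0"
10.0.0.4 - - [12/Mar/2026:10:02:55 +0000] "GET /churchcrm/setup/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.4 - - [12/Mar/2026:10:03:40 +0000] "POST /churchcrm/setup/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2026:11:40:12 +0000] "GET /churchcrm/setup/ HTTP/1.1" 403 199 "-" "curl/8.0"
this line is not a log entry
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def summarise_setup_access(lines: Iterable[str], trusted_cidrs: List[str]) -> Dict[str, dict]:
    """Per client IP: number of wizard requests, POSTs, responses below 400
    (the block rule was not in effect), and whether the IP is outside the
    trusted ranges."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    per_ip: Dict[str, dict] = defaultdict(
        lambda: {"requests": 0, "posts": 0, "succeeded": 0, "external": False}
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None or SETUP_MARKER not in rec["path"]:
            continue
        try:
            addr = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue   # hostname or garbage in the client field; skip
        entry = per_ip[rec["ip"]]
        entry["requests"] += 1
        if rec["method"] == "POST":
            entry["posts"] += 1
        if rec["status"] < 400:
            entry["succeeded"] += 1
        entry["external"] = not any(addr in net for net in trusted)
    return dict(per_ip)


def needs_attention(summary: Dict[str, dict]) -> List[str]:
    """Addresses that submitted the wizard (POST) from outside the trusted
    range and got a non-error response: the cases to investigate first."""
    return sorted(
        ip for ip, e in summary.items()
        if e["external"] and e["posts"] > 0 and e["succeeded"] > 0
    )


if __name__ == "__main__":
    summary = summarise_setup_access(SAMPLE_LOG.splitlines(), ["10.0.0.0/8"])
    for ip, e in summary.items():
        print(ip, e)
    print("investigate:", needs_attention(summary))
```

Point the script at your real access log (`summarise_setup_access(open(path), [your_cidrs])`) and treat any address returned by `needs_attention` as a reason to go through the article's compromise checklist. A 403 from an external address shows the blocking rule working; a 200 or 302 on a POST to the wizard from outside your network, on an installation that was still below 7.1.0 at that time, is the signal to escalate.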

For New Installations:
Only install ChurchCRM version 7.1.0 or later. Do not use older versions even if they appear in package repositories or cached downloads.

ThreatChain Coverage

CVE-2026-39337 is already indexed in ThreatChain's CVE database at threatchain.io, where you can search for additional indicators of compromise and related threat intelligence as they become available.

Bottom Line

This is a drop-everything-and-fix-it situation. With a perfect 10.0 CVSS score and no authentication required, CVE-2026-39337 represents one of the most serious vulnerabilities we've seen in church management software. The fact that it affects the setup process means even brand-new installations are at risk from day one. Update to ChurchCRM 7.1.0 immediately, and if you can't update right now, block access to the setup wizard until you can.

Action Items:

  • Check your ChurchCRM version immediately
  • Update to version 7.1.0 or later today
  • Block setup wizard access if immediate updates aren't possible
  • Review server logs for signs of compromise
  • Verify all ChurchCRM installations in your organization are patched
