CVE-2026-40484
Status: Received - Intake
Remote Code Execution via Backup Restore in ChurchCRM

Publication date: 2026-04-18

Last updated on: 2026-04-18

Assigner: GitHub, Inc.

Description
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ directory into the web-accessible document root using recursiveCopyDirectory(), which performs no file extension filtering. An authenticated administrator can upload a crafted backup archive containing a PHP webshell inside the Images/ directory, which is then written to a publicly accessible path and executable via HTTP requests, resulting in remote code execution as the web server user. The restore endpoint also lacks CSRF token validation, enabling exploitation through cross-site request forgery targeting an authenticated administrator. This issue has been fixed in version 7.2.0.
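As an added illustration of the fix pattern the description implies (an allow-list on what a restore may copy into the web root, instead of an unfiltered recursive copy), not ChurchCRM's recursiveCopyDirectory() or its 7.2.0 patch; the accepted image types and the hypothetical restore_images() helper are assumptions:

```python
import shutil
import tempfile
from pathlib import Path

# Allow-listed image types and the header bytes each must start with
# (constructed for this example; extend to what the deployment needs).
IMAGE_MAGIC = {".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8"}

def is_safe_image(path):
    """Regular, non-symlinked file with exactly one allow-listed extension and a
    matching header; thumb.jpg.php fails because it has two suffixes."""
    if path.is_symlink() or not path.is_file() or len(path.suffixes) != 1:
        return False
    magic = IMAGE_MAGIC.get(path.suffix.lower())
    return magic is not None and path.read_bytes()[:8].startswith(magic)

def restore_images(src_dir, dst_dir):
    """Copy verified images from an extracted Images/ tree into dst_dir and
    skip everything else. Returns (copied, rejected) relative paths."""
    src_dir, dst_dir = Path(src_dir).resolve(), Path(dst_dir).resolve()
    copied, rejected = [], []
    for path in sorted(p for p in src_dir.rglob("*") if not p.is_dir()):
        rel = path.relative_to(src_dir)
        target = (dst_dir / rel).resolve()
        # Reject anything that would land outside dst_dir or is not an image.
        if dst_dir not in target.parents or not is_safe_image(path):
            rejected.append(rel.as_posix())
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(path, target)
        copied.append(rel.as_posix())
    return copied, rejected

def demo():
    """Constructed sample: two real images, a .php file, a double extension,
    and a .png whose content is PHP rather than a PNG header."""
    samples = {
        "Person/1.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
        "Family/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 12,
        "Person/note.php": b"<?php /* constructed placeholder */ ?>",
        "Person/thumb.jpg.php": b"\xff\xd8\xff\xe0",
        "Family/banner.png": b"<?php /* constructed placeholder */ ?>",
    }
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "extracted", "Images"), Path(tmp, "webroot", "Images")
        for rel, content in samples.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(content)
        return restore_images(src, dst)
```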
Meta Information
Published: 2026-04-18
Last Modified: 2026-04-18
Generated: 2026-05-06
AI Q&A: 2026-04-18
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor      Product     Version / Range
churchcrm   churchcrm   up to 7.2.0 (excluding 7.2.0)
CWE
CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-552: The product makes files or directories accessible to unauthorized actors, even though they should not be.
CWE-269: The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in ChurchCRM versions prior to 7.2.0 in the database backup restore functionality. An authenticated administrator can upload a crafted backup archive containing a PHP webshell inside the Images/ directory. The restore process extracts and copies these files into a web-accessible directory without filtering file extensions, allowing the webshell to be placed in a publicly accessible path. Because the webshell is executable via HTTP requests, this leads to remote code execution as the web server user. Additionally, the restore endpoint lacks CSRF token validation, enabling exploitation through cross-site request forgery targeting an authenticated administrator.


How can this vulnerability impact me?

This vulnerability can have severe impacts including allowing an attacker with administrator access to execute arbitrary code on the web server remotely. This can lead to full compromise of the server, unauthorized access to sensitive data, modification or deletion of data, and potential further attacks on the network. The lack of CSRF protection increases the risk by allowing attackers to trick administrators into triggering the exploit.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade ChurchCRM to version 7.2.0 or later, where the issue has been fixed.

Additionally, restrict access to the backup restore functionality to trusted administrators only and monitor for any suspicious file uploads or unexpected PHP files in the web-accessible directories.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an authenticated administrator to upload a malicious PHP webshell that can be executed remotely, leading to remote code execution on the web server. Such unauthorized access and control over the system can lead to compromise of sensitive data.

Because the vulnerability results in potential unauthorized access and control over data, it could negatively impact compliance with data protection standards and regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Additionally, the lack of CSRF token validation increases the risk of exploitation, further undermining security controls required by these regulations.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves an authenticated administrator uploading a crafted backup archive containing a PHP webshell in the Images/ directory, which is then copied to a web-accessible location where it can be executed via HTTP requests.

To detect this vulnerability on your system, you can check for unexpected PHP files in the web-accessible directories, especially within or under the Images/ directory.

  • Search for PHP files in the Images/ directory or its subdirectories: find /path/to/webroot/Images -type f -name '*.php'
  • Check web server access logs for suspicious HTTP requests to PHP files in the Images/ directory.
  • Verify the version of ChurchCRM installed; versions prior to 7.2.0 are vulnerable.

Note that exploitation requires authenticated administrator access, so monitoring for unusual administrator activity or CSRF attempts may also help.
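The checks listed above, as an added example that is not part of the original page: one function walks an Images/ tree and flags files by script extension anywhere in the name or by a PHP open tag in the content, the other scans combined-format access-log lines for requests to such files. The extension list beyond .php, the log format and all sample data are assumptions constructed for the example.

```python
import re
import tempfile
from pathlib import Path
# Extensions a PHP handler typically executes (.php is from the CVE; the rest is an assumption).
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)")

def find_script_files(images_dir):
    """Files under images_dir with a script extension anywhere in the name
    (thumb.jpg.php) or a PHP open tag in the first 4 KiB, whatever the name."""
    hits = []
    for path in (p for p in Path(images_dir).rglob("*") if p.is_file()):
        if ({s.lower() for s in path.suffixes} & SCRIPT_EXTENSIONS
                or PHP_OPEN_TAG.search(path.read_bytes()[:4096])):
            hits.append(path.relative_to(images_dir).as_posix())
    return sorted(hits)

# Combined log format: client ident user [time] "METHOD URL PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')
def find_log_hits(log_lines):
    """(client, method, path, status) for requests to script files under /Images/."""
    hits = []
    for line in log_lines:
        if m := LOG_RE.match(line):
            client, method, url, status = m.groups()
            path = url.split("?", 1)[0]  # drop any query string before checking the extension
            if "/images/" in path.lower() and Path(path).suffix.lower() in SCRIPT_EXTENSIONS:
                hits.append((client, method, path, int(status)))
    return hits

# Constructed sample data: a small Images/ tree and three access-log lines.
SAMPLE_FILES = {
    "Person/1.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
    "Person/note.php": b"<?php /* constructed placeholder */ ?>",
    "Family/banner.png": b"<?php /* constructed placeholder */ ?>",
    "cache/thumb.jpg.php": b"\xff\xd8\xff\xe0",
}
SAMPLE_LOG = """\
203.0.113.5 - - [18/Apr/2026:10:01:02 +0000] "GET /Images/Person/1.jpg HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Apr/2026:10:03:40 +0000] "GET /Images/Person/note.php?x=1 HTTP/1.1" 200 87 "-" "curl/8.0"
198.51.100.7 - - [18/Apr/2026:10:03:41 +0000] "GET /images/cache/thumb.jpg.php HTTP/1.1" 404 0 "-" "curl/8.0"
"""

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "Images")
        for rel, content in SAMPLE_FILES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(content)
        return find_script_files(root), find_log_hits(SAMPLE_LOG.splitlines())
```

The content check matters because a file renamed to an image extension is invisible to a name-only find; the log check complements it by showing whether such a path was ever requested.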

