Anonymous Intelligence Signal

Critical Vulnerability CVE-2026-44547 Exposes ChurchCRM 7.2.0–7.2.2 to Attack After Incomplete Security Fix

The Lab, 2026-05-13 13:18:32, unverified. Source: Mastodon (mastodon.social, #infosec)

A critical-rated vulnerability has been identified in ChurchCRM, an open-source church management platform, affecting versions 7.2.0 through 7.2.2. The flaw, catalogued as CVE-2026-44547, carries a CVSS score of 9.6, placing it in the critical severity range. The vulnerability stems from an incomplete remediation of CVE-2026-4058, according to security researchers tracking the issue.

The root cause of the weakness is particularly concerning from a software integrity standpoint. A hardening commit addressing the underlying issue was initially merged into the codebase, targeting the file src/api/routes/public/public-user.php. However, that same security fix was subsequently stripped from the codebase by an unrelated pull request before the patch could be shipped in a stable release. This regression left the affected versions without the intended mitigation, creating a window of exposure for potential exploitation.

ChurchCRM is widely deployed across religious organizations globally, handling sensitive data including congregant records, donation information, and volunteer coordination. The vulnerability's location in public-facing API routes raises the risk of remote exploitation. Users running affected versions are advised to monitor official project channels for patch releases addressing CVE-2026-44547. The discovery highlights the importance of thorough regression testing and code review processes, particularly when security hardening commits interact with active development branches. Organizations running ChurchCRM instances should verify their current version and implement compensating controls until a patched release is available.
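As an added example (not code from the advisory or the ChurchCRM project), the following Python check classifies an installed ChurchCRM version string against the affected range stated above. It takes the version string as an argument rather than assuming where the project stores it, and it deliberately refuses to call a pre-release or an out-of-range version "safe", since the advisory says nothing about them.

```python
import re
from typing import Optional, Tuple

# Affected range stated in the advisory for CVE-2026-44547 (inclusive).
AFFECTED_MIN = (7, 2, 0)
AFFECTED_MAX = (7, 2, 2)

# Accepts an optional leading "v", a semver core, an optional pre-release
# tag ("-rc1") and optional build metadata ("+build5").
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_version(text: str) -> Tuple[Tuple[int, int, int], Optional[str]]:
    """Parse '7.2.1', 'v7.2.1-rc1' or '7.2.1+build5' into ((7, 2, 1), prerelease)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    return core, m.group(4)


def classify(text: str) -> str:
    """Return 'affected', 'outside-range' or 'unassessed' for a version string.

    'outside-range' only means the version is not in the advisory's 7.2.0-7.2.2
    range; whether an older or newer release carries the fix is not stated by
    the advisory, so confirm against the project's own release notes.
    """
    core, prerelease = parse_version(text)
    if prerelease is not None:
        # A pre-release sorts before its final release in semver, but it may
        # already carry (or still lack) the fix; do not guess either way.
        return "unassessed"
    if AFFECTED_MIN <= core <= AFFECTED_MAX:
        return "affected"
    return "outside-range"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real deployment.
    for sample in ["7.2.0", "v7.2.2", "7.2.3", "7.1.9", "7.2.1-rc1"]:
        print(f"{sample:>10}: {classify(sample)}")
```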