CVE-2026-44547

CRITICAL

ChurchCRM 7.2.0-7.2.2 Public API Login - Authentication Bypass

Title source: manual
STIX 2.1

Description

ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, The fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every shipped 7.2.x release therefore remains exploitable by the PoC published with the original advisory. This vulnerability is fixed in 7.3.1.

References (2)

Core 2
Core References
X_Refsource_Misc x_refsource_misc
https://github.com/ChurchCRM/CRM/pull/8855

Scores

CVSS v3 9.6
EPSS 0.0021
EPSS Percentile 11.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-287 CWE-304
Status published
Products (1)
ChurchCRM/CRM >= 7.2.0, < 7.3.1
Published May 12, 2026
Tracked Since May 13, 2026