## CRITICAL CVE-2026-44547: Authentication Bypass Vulnerability in ChurchCRM Allows Low-Privilege Attackers to Compromise Data (CVSS 9.6)
A critical improper authentication vulnerability has been identified in ChurchCRM, an open-source church management software platform. Tracked as CVE-2026-44547 and classified as CWE-287, the flaw carries a CVSS score of 9.6, placing it in the critical severity range. The vulnerability affects versions 7.2.0 through 7.3.0, exposing organizations to the risk that low-privilege attackers can bypass authentication mechanisms and gain unauthorized access to sensitive data.

The flaw allows authenticated users with limited privileges to circumvent normal access controls, potentially reaching administrative functions or accessing confidential information stored within the platform. ChurchCRM is widely deployed across religious organizations globally, handling data ranging from member records and donation histories to event scheduling and communication logs. The broad attack surface and the depth of sensitive information managed by the software amplify the potential impact of exploitation.

ChurchCRM maintainers have released version 7.3.1, which addresses this vulnerability. Organizations running affected versions are urged to upgrade immediately. Until patches are applied, administrators should monitor for suspicious authentication patterns, enforce strict access controls, and consider network-level restrictions on the application interface. The discovery and disclosure of this flaw underscore ongoing challenges in securing web-based management platforms against privilege escalation and authentication bypass attacks.
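The interim advice above to "monitor for suspicious authentication patterns" can be made concrete as a log check. The following is an added example, not code from the advisory or from the ChurchCRM project: it scans an application access log in an assumed format for accounts whose role is not administrator yet successfully reach routes that should require administrator rights, and separately counts denied attempts so the two can be compared. The log format, the user-to-role mapping, and the admin-only route names (`/UserList.php`, `/UserEditor.php`, `/SystemSettings.php`) are assumptions chosen for illustration, not details taken from the advisory; adapt them to the deployment's real logs and route list.

```python
"""
Flag non-administrator accounts that successfully reach admin-only routes.

Added example for the CVE-2026-44547 advisory; the log format, role map and
route names below are assumptions, not details published with the advisory.
"""
import re
from collections import defaultdict

# Constructed sample log lines in an assumed format:
#   <client ip> <authenticated user> "<METHOD> <path>" <http status>
SAMPLE_LOG = """\
10.0.0.5 alice "GET /Menu.php" 200
10.0.0.5 alice "GET /UserList.php" 200
10.0.0.9 bob "GET /Menu.php" 200
10.0.0.9 bob "GET /UserList.php" 200
10.0.0.9 bob "POST /UserEditor.php" 302
10.0.0.9 bob "GET /SystemSettings.php" 200
10.0.0.12 carol "GET /Menu.php" 200
10.0.0.12 carol "GET /SystemSettings.php" 403
"""

# Assumed role mapping, normally exported from the application's user table.
ROLES = {"alice": "admin", "bob": "member", "carol": "member"}

# Assumed set of routes that only an administrator should be able to use.
ADMIN_ROUTES = {"/UserList.php", "/UserEditor.php", "/SystemSettings.php"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_suspicious(log_text, roles, admin_routes):
    """Return (escalations, denied).

    escalations: admin-route requests by non-admin users that were served
                 (status < 400), i.e. access control did not hold.
    denied:      the same requests that were refused (status >= 400), which
                 show access control working but are still worth reviewing.
    Users missing from the role map are treated as non-admin.
    """
    escalations, denied = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] not in admin_routes:
            continue
        if roles.get(rec["user"]) == "admin":
            continue
        event = (rec["user"], rec["ip"], rec["method"], rec["path"], rec["status"])
        (escalations if rec["status"] < 400 else denied).append(event)
    return escalations, denied


def summarize(findings):
    """Count flagged events per user, e.g. {'bob': 3}."""
    counts = defaultdict(int)
    for user, *_ in findings:
        counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    esc, den = find_suspicious(SAMPLE_LOG, ROLES, ADMIN_ROUTES)
    print("served admin-route requests by non-admin users:", summarize(esc))
    for event in esc:
        print("  ESCALATION", event)
    print("denied admin-route requests by non-admin users:", summarize(den))
    for event in den:
        print("  DENIED", event)
```

A served request (2xx/3xx) from a non-admin account to an admin-only route is the signal worth alerting on while the 7.3.1 upgrade is pending; a denied one is expected behaviour. Run the check over the application's authenticated access log on a schedule, and feed the same role map that the application uses so that legitimate administrators are not flagged.
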

---
- **Source**: Mastodon:mastodon.social:#infosec
- **Sector**: The Lab
- **Tags**: CVE-2026-44547, ChurchCRM, improper authentication, CWE-287, CVSS 9.6
- **Credibility**: unverified
- **Published**: 2026-05-13 01:18:22
- **ID**: 82443
- **URL**: https://whisperx.ai/en/intel/82443