Key Takeaway
CVE-2026-35573 is a critical vulnerability in ChurchCRM versions before 6.5.3 allowing remote code execution. Authenticated admins can manipulate file uploads to overwrite `.htaccess` files. Upgrade to mitigate.
What Happened
In early 2026, a critical vulnerability identified as CVE-2026-35573 was reported in ChurchCRM, an open-source church management platform. This flaw specifically affects versions prior to 6.5.3 and was discovered in the backup restore functionality of the software. The vulnerability allows authenticated administrators to upload arbitrary files to the system, leading to potential remote code execution. The flaw is present in the src/ChurchCRM/Backup/RestoreJob.php file.
The vulnerability was highlighted by security researchers who found that the file upload mechanism did not properly sanitize inputs, enabling path traversal attacks. By leveraging this weakness, attackers could overwrite Apache .htaccess files, a critical misconfiguration that could then be exploited to execute arbitrary code on the server. A patch addressing this issue was released with ChurchCRM version 6.5.3, effectively closing this security gap.
Technical Details
CVE-2026-35573 is classified as a path traversal vulnerability with a CVSS score of 9.1, indicating its critical nature. The flaw exists due to improper input validation in the $rawUploadedFile['name'] parameter. Since this parameter can be user-controlled, it allows for the uploading of files with arbitrary names to /var/www/html/tmp_attach/ChurchCRMBackups/.
By exploiting this vulnerability, authenticated users with administrator privileges can control where the uploaded file is written and thereby place or overwrite files outside the backup directory, including Apache .htaccess configuration files. Because .htaccess directives change how the web server handles requests in that directory, this can result in remote code execution, either by altering server settings or by causing scripts uploaded to the web server to be executed. The attack vector relies on the attacker holding an administrative user account within ChurchCRM, making it crucial that such accounts are properly managed and secured.
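The pattern described above, as an added example that is not ChurchCRM's code and not taken from RestoreJob.php: a destination path built directly from the client-supplied upload name, beside a hardened version that keeps only a base name, applies an allowlist, and confirms the final path stays inside the backup directory. The function names, the backup extension allowlist and the constructed input names are assumptions for illustration; the backup directory is the one named in the advisory. Both functions return the computed destination instead of moving a file so the script runs from the CLI.

```php
<?php
// Added example (not ChurchCRM's code). Contrasts a destination path built
// from the client-supplied upload name with a hardened version.
// restoreUploadVulnerable, safeBackupDestination and restoreUploadHardened
// are illustrative names, not ChurchCRM functions.

declare(strict_types=1);

const BACKUP_DIR = '/var/www/html/tmp_attach/ChurchCRMBackups'; // path from the advisory

// BEFORE: the filename comes straight from the upload's 'name' field, which the
// client controls. A name containing directory components escapes BACKUP_DIR,
// so the written file can land anywhere the web server user may write.
function restoreUploadVulnerable(array $rawUploadedFile): string
{
    $dest = BACKUP_DIR . '/' . $rawUploadedFile['name'];
    // a real restore job would now call move_uploaded_file(..., $dest)
    return $dest;
}

// AFTER: never use the client name as a path. Keep only the base name, require a
// conservative character set (no leading dot, so dotfiles such as .htaccess are
// refused), allow only expected archive extensions, and verify containment.
function safeBackupDestination(string $clientName, string $backupDir = BACKUP_DIR): ?string
{
    $base = basename(str_replace('\\', '/', $clientName)); // drop any directory part
    if (!preg_match('/^[A-Za-z0-9_][A-Za-z0-9_.-]{0,200}$/', $base)) {
        return null; // rejects empty names, dotfiles and unusual characters
    }
    // assumed allowlist of archive types a restore job expects
    if (!preg_match('/\.(tar\.gz|sql\.gz|sql)$/i', $base)) {
        return null;
    }
    $dir  = rtrim($backupDir, '/');
    $dest = $dir . '/' . $base;
    // belt and braces: the parent of the destination must be the backup dir itself
    if (dirname($dest) !== $dir) {
        return null;
    }
    return $dest;
}

function restoreUploadHardened(array $rawUploadedFile): string
{
    $dest = safeBackupDestination($rawUploadedFile['name']);
    if ($dest === null) {
        throw new InvalidArgumentException('Rejected upload name');
    }
    // a real restore job would now call move_uploaded_file(..., $dest)
    return $dest;
}

// Constructed upload names for demonstration: one legitimate, three that should be refused
$names = ['backup-2026-01-01.tar.gz', '../../.htaccess', '.htaccess', 'shell.php'];
foreach ($names as $n) {
    $vuln = restoreUploadVulnerable(['name' => $n]);
    $safe = safeBackupDestination($n) ?? 'REJECTED';
    printf("%-28s vulnerable-> %-62s hardened-> %s\n", $n, $vuln, $safe);
}
```

Only the first name survives the hardened path; the others are rejected before any filesystem call. Note that the containment check is on the computed path, not on `realpath()` of a not-yet-existing file, which is why the character allowlist and `basename()` do the real work here.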
The primary indicator of compromise (IOC) is the existence of unexpected .htaccess files in the web server's directories, particularly within the ChurchCRM backup paths. Security logs indicating unusual file uploads by authenticated users can also serve as potential IOCs.
Impact
The impact of CVE-2026-35573 is significant, primarily affecting organizations that rely on ChurchCRM to manage and store sensitive church-related data. The ability for an attacker to achieve remote code execution means that the integrity and confidentiality of the stored information could be compromised. Additionally, the exploit's nature could lead to unauthorized access to server resources, potentially opening the door to broader network infiltration.
Given the critical score, organizations using affected versions are at high risk unless immediate action is taken to patch the vulnerability. The exploitation potential underscores the importance of maintaining current software versions and implementing rigorous access controls for administrative accounts.
What To Do
- Upgrade to ChurchCRM version 6.5.3 or later to eliminate the vulnerability.
- Review and restrict access to administrative accounts to ensure only authorized personnel have the necessary permissions.
- Conduct regular audits of web server directories for unexpected .htaccess files or modifications.
- Monitor server logs for unusual file upload activity that might indicate an exploitation attempt.
- Consider implementing additional web application firewalls (WAFs) to detect and block potential malicious file uploads.
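The two detection checks named in the indicators of compromise and in the list above (stray .htaccess files under the backup path, and upload activity against the restore endpoint in the web server logs), as an added example that is not part of the advisory or of ChurchCRM. The directory tree and access-log lines are constructed for the demonstration, and the restore endpoint path `/api/database/restore` is an assumption, not a documented ChurchCRM route; substitute the real backup directory and route when running this against a live installation.

```php
<?php
// Added audit example (not ChurchCRM's code). Two checks from the advisory:
// 1. find .htaccess files under the backup directory;
// 2. flag POST requests to the restore endpoint in combined-format access logs.

declare(strict_types=1);

// --- 1. Any .htaccess below the backup root is unexpected -------------------
function findHtaccessFiles(string $root): array
{
    $hits = [];
    if (!is_dir($root)) {
        return $hits;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->getFilename() === '.htaccess') {
            $hits[] = $file->getPathname();
        }
    }
    sort($hits);
    return $hits;
}

// --- 2. POSTs to the restore endpoint in Apache combined-log lines -----------
function suspiciousRestoreUploads(array $logLines, string $endpoint = '/api/database/restore'): array
{
    // client ident user [timestamp] "METHOD path proto" status size ...
    $re = '/^(?<ip>\S+) \S+ (?<user>\S+) \[(?<ts>[^\]]+)\] "POST (?<path>\S+) [^"]*" (?<status>\d{3}) (?<size>\S+)/';
    $flagged = [];
    foreach ($logLines as $line) {
        if (preg_match($re, $line, $m) && strpos($m['path'], $endpoint) === 0) {
            $flagged[] = ['ip' => $m['ip'], 'time' => $m['ts'], 'status' => (int) $m['status']];
        }
    }
    return $flagged;
}

// Constructed sandbox tree: one legitimate backup archive plus a stray .htaccess
$root = sys_get_temp_dir() . '/churchcrm-audit-demo';
@mkdir("$root/ChurchCRMBackups", 0700, true);
file_put_contents("$root/ChurchCRMBackups/backup-2026-01-01.tar.gz", 'demo archive');
file_put_contents("$root/ChurchCRMBackups/.htaccess", "# constructed, should not be here\n");

// Constructed access-log lines; only the second should be flagged
$log = [
    '203.0.113.7 - - [02/Jan/2026:10:15:01 +0000] "GET /ChurchCRM/v2/dashboard HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Jan/2026:10:16:44 +0000] "POST /api/database/restore HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [02/Jan/2026:10:17:02 +0000] "POST /session/begin HTTP/1.1" 302 0 "-" "curl/8.0"',
];

foreach (findHtaccessFiles($root) as $p) {
    echo "unexpected .htaccess: $p\n";
}
foreach (suspiciousRestoreUploads($log) as $e) {
    echo "restore upload from {$e['ip']} at {$e['time']} (HTTP {$e['status']})\n";
}

// tidy up the constructed tree
unlink("$root/ChurchCRMBackups/.htaccess");
unlink("$root/ChurchCRMBackups/backup-2026-01-01.tar.gz");
rmdir("$root/ChurchCRMBackups");
rmdir($root);
```

Run it periodically (or from a cron job) pointed at the real backup directory and access log; a .htaccess hit under the backup path, or a restore POST from an address or at a time that no administrator can account for, is the signal the advisory describes.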
By ensuring that ChurchCRM installations are updated and that administrative access is tightly controlled, organizations can effectively mitigate the risks associated with CVE-2026-35573. Maintaining awareness of system configurations and monitoring logs for suspicious activity further strengthens the security posture against such vulnerabilities.
Original Source
NVD