CVE-2026-23728 Overview
CVE-2026-23728 is an Open Redirect vulnerability identified in the WeGIA web management application for charitable institutions. The vulnerability exists in the /WeGIA/controle/control.php endpoint, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=DestinoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites.
Critical Impact
Attackers can leverage this open redirect vulnerability to conduct phishing attacks, credential theft, malware distribution, and social engineering campaigns by exploiting the trust associated with the WeGIA domain.
Affected Products
- WeGIA versions prior to 3.6.2
Discovery Timeline
- January 16, 2026 - CVE-2026-23728 published to NVD
- January 16, 2026 - Last updated in NVD database
Technical Details for CVE-2026-23728
Vulnerability Analysis
This Open Redirect vulnerability (CWE-601) occurs due to insufficient input validation on URL redirection parameters within the WeGIA application. The vulnerability is exploitable over the network and requires low privileges with active user interaction. When a user clicks on a malicious link crafted by an attacker, they are redirected from the legitimate WeGIA application to an attacker-controlled external website.
The attack chain typically involves an attacker crafting a URL that appears to originate from a trusted WeGIA instance but contains a malicious nextPage parameter pointing to a phishing site or malware distribution server. Because the initial domain is trusted, users are more likely to follow the link and subsequently trust the destination page.
Root Cause
The root cause of this vulnerability is the absence of proper URL validation and allowlisting mechanisms for the nextPage parameter in the /WeGIA/controle/control.php endpoint. The application blindly accepts and processes any URL provided in this parameter without verifying whether the destination is within the same domain or an approved list of trusted external resources.
Attack Vector
The attack leverages a network-based vector where an attacker constructs a malicious URL targeting the vulnerable endpoint. The crafted URL includes the legitimate WeGIA application path combined with the metodo=listarTodos and nomeClasse=DestinoControle parameters, followed by a nextPage parameter containing the attacker's malicious destination URL.
When a victim user clicks this link—often received via email, social media, or other communication channels—they initially navigate to the trusted WeGIA domain. The vulnerable endpoint then immediately redirects them to the attacker-controlled external site, where phishing pages, credential harvesting forms, or malware payloads may await.
The vulnerability mechanism involves the control.php script processing the nextPage parameter value and issuing an HTTP redirect response to whatever URL is provided, regardless of its destination. For detailed technical implementation, see the GitHub Security Advisory GHSA-jf25-p56f-wpgh.
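The two behaviours described above, side by side, as an added illustration (Python rather than the application's PHP; not code from WeGIA, the advisory or the fix). DEFAULT_PAGE and the "/WeGIA/" prefix are assumptions for this example.

```python
# Added illustration, not WeGIA's own code: the CWE-601 pattern beside a
# hardened same-site check, in Python rather than the application's PHP.
# DEFAULT_PAGE and the "/WeGIA/" prefix are assumptions for this example.
import posixpath
from urllib.parse import unquote, urlsplit

DEFAULT_PAGE = "/WeGIA/html/home.php"  # assumed safe fallback target


def vulnerable_redirect_target(next_page: str) -> str:
    """Open redirect: the client-supplied value becomes the Location header."""
    return next_page


def safe_redirect_target(next_page: str, default: str = DEFAULT_PAGE,
                         allowed_prefix: str = "/WeGIA/") -> str:
    """Return next_page only if it is a same-site path under allowed_prefix.

    Anything else falls back to `default`: absolute URLs (any scheme),
    scheme-relative "//host" and "///host" (browsers resolve both to an
    external host), backslash variants ("/\\host"), control characters
    (CRLF header injection), and percent-encoded forms of all of these.
    """
    if not next_page:
        return default
    value = unquote(next_page).strip()            # validate the decoded form
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return default
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:              # https://, javascript:, //host
        return default
    if value.startswith("//") or "\\" in value:   # ///host, /\host
        return default
    if not value.startswith("/"):                 # relative or odd input
        return default
    path = posixpath.normpath(parts.path)         # collapse ../ before prefix check
    if not (path.startswith(allowed_prefix) or path + "/" == allowed_prefix):
        return default
    return next_page.strip()
```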
Detection Methods for CVE-2026-23728
Indicators of Compromise
- HTTP requests to /WeGIA/controle/control.php containing external URLs in the nextPage parameter
- Redirect responses (HTTP 301/302) from WeGIA endpoints to external domains
- User access logs showing navigation patterns from WeGIA to suspicious external sites
- Phishing reports from users citing links that appeared to originate from WeGIA domains
Detection Strategies
- Monitor web server logs for requests containing nextPage parameters with external domain values
- Implement web application firewall (WAF) rules to detect and block redirect attempts to non-whitelisted domains
- Configure URL filtering to alert on patterns matching /control.php?*nextPage=http* with external destinations
- Review authentication logs for credential reuse attempts following suspicious redirect activity
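The first detection strategy above (log review for external nextPage values), worked through as an added example that is not part of the advisory: the Apache combined-format log lines are constructed, and the script flags only requests to the vulnerable endpoint whose decoded nextPage value would leave the site.

```python
# Added detection example, not from WeGIA or the advisory: flag access-log
# requests to control.php whose nextPage value would leave the site.
# The Apache combined-format log lines below are constructed for the demo.
import re
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')


def is_external(value: str) -> bool:
    """True if a (decoded) nextPage value carries a scheme, a host, or //."""
    v = unquote(value).strip()
    p = urlsplit(v)
    return bool(p.scheme or p.netloc) or v.startswith("//") or "\\" in v


def find_open_redirect_attempts(lines):
    """Return (client_ip, timestamp, status, nextPage) for suspicious hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        target = m.group("target")
        if not target.split("?", 1)[0].endswith("/control.php"):
            continue  # only the vulnerable endpoint is of interest
        query = urlsplit(target).query
        for value in parse_qs(query, keep_blank_values=True).get("nextPage", []):
            if is_external(value):
                hits.append((m.group("ip"), m.group("ts"),
                             m.group("status"), value))
    return hits


SAMPLE_LOG = [  # constructed sample lines
    '203.0.113.7 - - [16/Jan/2026:10:01:02 +0000] "GET /WeGIA/controle/control.php?metodo=listarTodos&nomeClasse=DestinoControle&nextPage=https%3A%2F%2Fphish.example%2Flogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [16/Jan/2026:10:02:10 +0000] "GET /WeGIA/controle/control.php?metodo=listarTodos&nomeClasse=DestinoControle&nextPage=%2FWeGIA%2Fhtml%2Fhome.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [16/Jan/2026:10:03:44 +0000] "GET /WeGIA/controle/control.php?metodo=listarTodos&nomeClasse=DestinoControle&nextPage=%2F%2Fevil.example HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [16/Jan/2026:10:04:00 +0000] "GET /WeGIA/html/home.php?nextPage=https%3A%2F%2Fother.example HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_open_redirect_attempts(SAMPLE_LOG):
        print("suspicious redirect request:", hit)
```

Only the two off-site values on the control.php endpoint are reported; the same-site path and the request to a different script are ignored.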
Monitoring Recommendations
- Enable detailed access logging on WeGIA application servers
- Implement real-time alerting for redirect responses to external domains from the control.php endpoint
- Monitor for increased phishing reports referencing WeGIA-related links
How to Mitigate CVE-2026-23728
Immediate Actions Required
- Upgrade WeGIA to version 3.6.2 or later immediately
- Review web server logs for evidence of exploitation attempts
- Alert users about potential phishing campaigns leveraging this vulnerability
- Implement WAF rules to block requests with external URLs in the nextPage parameter as a temporary measure
Patch Information
The vulnerability has been fixed in WeGIA version 3.6.2. Organizations should upgrade to this version or later to remediate the vulnerability. The fix is documented in GitHub Pull Request #1333 and the patched release is available at GitHub Release Version 3.6.2.
Workarounds
- Implement a reverse proxy or WAF rule to validate and restrict nextPage parameter values to internal paths only
- Configure network-level URL filtering to block redirect attempts to unknown external domains
- Educate users to verify destination URLs before entering credentials after following any redirect
# Example WAF rule to block external redirects (Apache ModSecurity)
# Matches absolute URLs with any scheme (https://, javascript:, ...) and
# scheme-relative //host values. The value is URL-decoded, lower-cased and
# left-trimmed first, so HTTP://, %2F%2Fhost and leading-space variants are
# caught as well; plain same-site paths such as /WeGIA/... are not affected.
SecRule ARGS:nextPage "@rx ^(?:[a-z][a-z0-9+.-]*:|//)" \
"id:2026023728,\
phase:2,\
t:none,t:urlDecodeUni,t:lowercase,t:trimLeft,\
deny,\
status:403,\
msg:'CVE-2026-23728 Open Redirect Attempt Blocked',\
log"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.