CVE-2026-35395 Overview
CVE-2026-35395 is a SQL injection vulnerability in WeGIA, a web-based management application for charitable institutions. The flaw resides in dao/memorando/DespachoDAO.php, where the id_memorando parameter is read from $_REQUEST and concatenated directly into SQL queries without validation or parameterization. Any authenticated user can exploit this issue to execute arbitrary SQL commands against the backend database. The vulnerability is classified as CWE-89 and is fixed in WeGIA version 3.6.9.
Critical Impact
Authenticated attackers can read, modify, or destroy database contents, leading to full compromise of confidentiality, integrity, and availability of institutional data.
Affected Products
- WeGIA (Web gerenciador para instituições assistenciais)
- All versions prior to 3.6.9
- Component: dao/memorando/DespachoDAO.php
Discovery Timeline
- 2026-04-06 - CVE-2026-35395 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-35395
Vulnerability Analysis
The vulnerability exists in the data access layer file dao/memorando/DespachoDAO.php. The application retrieves the id_memorando parameter using PHP's $_REQUEST superglobal, which accepts values from GET, POST, and COOKIE inputs. The value is then interpolated directly into a SQL query string without prepared statements, parameter binding, or input sanitization.
Because authentication is the only barrier, any user with valid credentials, including low-privilege accounts, can manipulate the parameter to break out of the intended query context. The injected SQL executes with the privileges of the database account configured for the WeGIA application. This typically allows reading arbitrary tables, modifying records, and in some configurations writing files or executing stored procedures.
Root Cause
The root cause is unsafe string concatenation of untrusted input into SQL statements, classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The code path does not enforce type casting on id_memorando, which should be a numeric identifier, and does not use the PDO prepared statements available in the PHP runtime.
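The pattern described above, shown as an added example that is not WeGIA's code and not the maintainers' fix: a reconstructed vulnerable lookup that interpolates id_memorando into the query, beside a hardened version that validates the value as a positive integer, binds it through a PDO prepared statement, and reads it from $_POST-style input only. The table and column names, the function names, and the use of an in-memory SQLite database are assumptions made so the script runs stand-alone.

```php
<?php
// Added example: a reconstructed vulnerable pattern beside a hardened one.
// This is NOT WeGIA's code; table/column names are assumed, and an in-memory
// SQLite database stands in for the real backend so the script runs anywhere.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE memorando (id_memorando INTEGER PRIMARY KEY, assunto TEXT)');
$pdo->exec("INSERT INTO memorando VALUES (1, 'Ordem de compra'), (2, 'Confidencial')");

// Vulnerable pattern (hypothetical): the identifier is pasted into the SQL text.
function despachoVulneravel(PDO $pdo, array $request): array
{
    $id  = $request['id_memorando'];                      // untrusted, unvalidated
    $sql = "SELECT id_memorando, assunto FROM memorando WHERE id_memorando = $id";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC); // caller now controls the WHERE clause
}

// Hardened pattern: accept only a positive integer, bind it as PDO::PARAM_INT.
function despachoSeguro(PDO $pdo, array $post): array
{
    $id = filter_var(
        $post['id_memorando'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        throw new InvalidArgumentException('id_memorando must be a positive integer');
    }
    $stmt = $pdo->prepare('SELECT id_memorando, assunto FROM memorando WHERE id_memorando = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: a value that is not a single identifier.
$tampered = ['id_memorando' => '1 OR 1=1'];

print_r(despachoVulneravel($pdo, $tampered));           // both rows: the WHERE clause was rewritten
try {
    despachoSeguro($pdo, $tampered);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";               // never reaches the database
}
print_r(despachoSeguro($pdo, ['id_memorando' => '2']));  // only row 2
```

Run with `php despacho_example.php` (requires the pdo_sqlite extension). The validation step is what makes the boolean-based and UNION-based inputs mentioned in the advisory unreachable: a value that is not an integer is rejected before any SQL is built, and the bound integer can never change the query's structure.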
Attack Vector
An authenticated attacker submits a crafted HTTP request to the endpoint that consumes DespachoDAO.php, supplying a malicious id_memorando value such as a UNION-based or boolean-based payload. The vulnerable query executes the attacker-controlled SQL fragment, returning data from arbitrary tables or modifying records. Refer to the GitHub Security Advisory GHSA-43jm-pcrq-w7gv for full technical context.
Detection Methods for CVE-2026-35395
Indicators of Compromise
- HTTP requests to WeGIA endpoints containing SQL metacharacters such as ', --, UNION SELECT, or SLEEP( in the id_memorando parameter.
- Database error messages or unusually large response payloads from memorando-related endpoints.
- Unexpected SELECT, UPDATE, or INFORMATION_SCHEMA queries in MySQL or PostgreSQL logs originating from the WeGIA service account.
Detection Strategies
- Enable database query logging and alert on queries referencing information_schema or executing outside the application's normal query patterns.
- Deploy a Web Application Firewall (WAF) with rules targeting SQL injection signatures on requests to /dao/memorando/ paths.
- Review web server access logs for requests where id_memorando contains non-numeric characters.
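The access-log review suggested in the last item, and the request-level indicators listed under Indicators of Compromise, as an added example that is not part of the advisory: a script that parses combined-format log lines, URL-decodes the id_memorando query parameter, and reports every request whose value is not a plain run of digits. The log lines are constructed for the demo and /placeholder/despacho.php is a placeholder for the real endpoint path.

```php
<?php
// Added example, not from the advisory or the WeGIA project: flag access-log
// requests whose id_memorando parameter is not a plain integer. The log lines
// and the request path are constructed for this demo (placeholder endpoint).

function flagSuspiciousRequests(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // Apache/nginx combined format: client ident user [time] "METHOD target PROTO" status size
        if (!preg_match('/^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;                               // unparseable line, skip it
        }
        [, $client, $user, $time, $method, $target, $status] = $m;
        $query = parse_url($target, PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;                               // no query string at all
        }
        parse_str($query, $params);                 // also URL-decodes the values
        if (!array_key_exists('id_memorando', $params)) {
            continue;
        }
        $value = $params['id_memorando'];
        // A legitimate memorando id is a non-empty run of digits; anything else is suspect.
        if (is_string($value) && preg_match('/^\d+$/', $value)) {
            continue;
        }
        $hits[] = [
            'client' => $client,
            'user'   => $user,
            'time'   => $time,
            'method' => $method,
            'path'   => parse_url($target, PHP_URL_PATH),
            'value'  => is_string($value) ? $value : '<array>',   // id_memorando[]=... style input
            'status' => $status,
        ];
    }
    return $hits;
}

// Constructed sample lines; /placeholder/despacho.php stands in for the real endpoint.
$logLines = [
    '203.0.113.5 - maria [06/Apr/2026:10:15:02 +0000] "GET /placeholder/despacho.php?id_memorando=42 HTTP/1.1" 200 1832',
    '203.0.113.9 - joao [06/Apr/2026:10:16:40 +0000] "GET /placeholder/despacho.php?id_memorando=42%27%20OR%201%3D1 HTTP/1.1" 200 48211',
    '203.0.113.9 - joao [06/Apr/2026:10:17:05 +0000] "GET /placeholder/despacho.php?id_memorando=42%20AND%20SLEEP(5) HTTP/1.1" 500 311',
    '198.51.100.2 - ana [06/Apr/2026:10:18:11 +0000] "GET /placeholder/listar.php HTTP/1.1" 200 920',
];

foreach (flagSuspiciousRequests($logLines) as $hit) {
    printf(
        "%s user=%s client=%s %s %s status=%s id_memorando=%s\n",
        $hit['time'], $hit['user'], $hit['client'], $hit['method'], $hit['path'], $hit['status'], $hit['value']
    );
}
// Two lines are flagged, both from the same authenticated user (joao), which is the
// correlation the Monitoring Recommendations section asks for.
```

Run with `php scan_access_log.php`, or adapt the loop to read a real log file line by line. Because the parameter is read from $_REQUEST, a value sent in a POST body or a cookie never appears in the access log's request line; the same digits-only check has to run on application-level request logging or on the WAF to cover those channels.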
Monitoring Recommendations
- Monitor authenticated user sessions for anomalous request volumes against memorando endpoints.
- Alert on database account activity that deviates from baseline read patterns, such as bulk row extraction.
- Correlate authentication events with subsequent injection attempts to identify compromised low-privilege accounts.
How to Mitigate CVE-2026-35395
Immediate Actions Required
- Upgrade WeGIA to version 3.6.9 or later, which contains the official fix from the maintainers.
- Audit application and database logs for prior exploitation attempts against id_memorando.
- Rotate database credentials and review user account activity if compromise is suspected.
Patch Information
The maintainers released a fix in WeGIA 3.6.9. Details are published in the WeGIA GitHub Security Advisory GHSA-43jm-pcrq-w7gv. Administrators should pull the latest release from the LabRedesCefetRJ/WeGIA repository and verify the patched version is deployed across all instances.
Workarounds
- Restrict access to the WeGIA application to trusted networks using firewall or VPN controls until the patch is applied.
- Apply WAF rules that block non-numeric values in the id_memorando parameter.
- Reduce the privileges of the database account used by WeGIA to the minimum required, removing FILE, CREATE, and administrative grants.
# Upgrade WeGIA to the patched release (shell; confirm the exact tag name in the
# LabRedesCefetRJ/WeGIA repository before checking it out)
cd /var/www/WeGIA
git fetch --tags
git checkout 3.6.9

# Example MySQL least-privilege grant for the application account (run in the MySQL client)
# Note: REVOKE ... ON *.* removes only global grants; inspect SHOW GRANTS for the
# account afterwards and revoke any remaining database-level grants separately.
REVOKE ALL PRIVILEGES ON *.* FROM 'wegia_app'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON wegia_db.* TO 'wegia_app'@'localhost';
FLUSH PRIVILEGES;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.