CVE-2026-35472 Overview
CVE-2026-35472 is an Open Redirect vulnerability identified in WeGIA, a Web manager application designed for charitable institutions. The vulnerability exists in the /WeGIA/controle/control.php endpoint, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=EstoqueControle. Due to the application's failure to validate or restrict the nextPage parameter, attackers can redirect users to arbitrary external websites, enabling phishing attacks, credential theft, malware distribution, and social engineering campaigns that abuse the trusted WeGIA domain.
Critical Impact
Attackers can leverage the trusted WeGIA domain to redirect users to malicious external sites, enabling phishing attacks, credential harvesting, and malware distribution through social engineering techniques.
Affected Products
- WeGIA versions prior to 3.6.9
- WeGIA Web Manager for Charitable Institutions
- Deployments utilizing the /WeGIA/controle/control.php endpoint
Discovery Timeline
- 2026-04-06 - CVE-2026-35472 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-35472
Vulnerability Analysis
This Open Redirect vulnerability (CWE-601) allows attackers to craft malicious URLs that appear to originate from the legitimate WeGIA application domain. The vulnerable endpoint accepts user-controlled input through the nextPage parameter without proper validation, allowing redirection to any external URL specified by an attacker. When users click on these crafted links, they are seamlessly redirected to attacker-controlled websites while believing they are interacting with the trusted WeGIA application.
The attack surface is network-accessible and requires user interaction (such as clicking a malicious link). The vulnerability can result in limited confidentiality and integrity impacts on both the vulnerable system and downstream systems, as users may unknowingly provide credentials or sensitive information to malicious sites.
Root Cause
The root cause of CVE-2026-35472 is improper input validation in the control.php endpoint. The application fails to implement URL validation or whitelist checking for the nextPage parameter. When the request includes specific parameters (metodo=listarTodos and nomeClasse=EstoqueControle), the application blindly redirects the user to whatever URL is specified in nextPage, including external domains controlled by attackers.
Attack Vector
The attack vector is network-based, requiring an attacker to craft a malicious URL containing the vulnerable endpoint with a specially crafted nextPage parameter pointing to an attacker-controlled domain. The attacker then distributes this URL through phishing emails, social media, or other channels. When a victim clicks the link, they are redirected from the legitimate WeGIA domain to the malicious site.
A typical attack URL would target the /WeGIA/controle/control.php endpoint with parameters including metodo=listarTodos, nomeClasse=EstoqueControle, and a malicious nextPage value pointing to an external phishing domain. The attacker's site could mimic the WeGIA login page to harvest credentials or distribute malware. For complete technical details, see the GitHub Security Advisory.
Detection Methods for CVE-2026-35472
Indicators of Compromise
- HTTP requests to /WeGIA/controle/control.php containing external URLs in the nextPage parameter
- Unusual redirect patterns from WeGIA endpoints to external domains
- User reports of unexpected redirections when using WeGIA application links
- Web server logs showing requests with metodo=listarTodos, nomeClasse=EstoqueControle, and external URL values
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests with external URLs in the nextPage parameter
- Monitor HTTP logs for requests to control.php containing URL patterns pointing to non-whitelisted domains
- Deploy URL inspection rules that flag redirects to domains outside the organization's approved list
- Configure security monitoring to alert on unusual outbound redirect patterns from WeGIA servers
Monitoring Recommendations
- Enable detailed logging for the /WeGIA/controle/control.php endpoint to capture all parameter values
- Implement real-time alerting for requests containing external domain references in redirect parameters
- Regularly review web server access logs for patterns consistent with open redirect exploitation attempts
- Correlate WeGIA access logs with user reports of phishing or suspicious redirects
How to Mitigate CVE-2026-35472
Immediate Actions Required
- Upgrade WeGIA to version 3.6.9 or later immediately
- Implement WAF rules to block requests with external URLs in the nextPage parameter as an interim measure
- Review web server logs for evidence of exploitation attempts
- Alert users about potential phishing campaigns leveraging the WeGIA domain
Patch Information
The vulnerability has been addressed in WeGIA version 3.6.9. Organizations should upgrade to this version or later to remediate the vulnerability. The security fix implements proper validation for the nextPage parameter, restricting redirects to approved internal paths only. For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Deploy a web application firewall (WAF) with rules to block or sanitize the nextPage parameter for external URLs
- Implement URL validation at the reverse proxy or load balancer level to restrict redirect destinations
- Restrict access to the /WeGIA/controle/control.php endpoint to authenticated users only
- Consider temporarily disabling the affected functionality until the patch can be applied
# Example Apache mod_rewrite rule to block external redirects
# Add to .htaccess or Apache configuration
RewriteEngine On
RewriteCond %{QUERY_STRING} nextPage=https?:// [NC]
RewriteRule ^WeGIA/controle/control\.php$ - [F,L]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
