CVE-2026-35473 Overview
CVE-2026-35473 is an Open Redirect vulnerability identified in the WeGIA web manager application for charitable institutions. The vulnerability exists in the /WeGIA/controle/control.php endpoint, specifically through the nextPage parameter when combined with metodo=listarId and nomeClasse=IentradaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites.
This vulnerability can be abused for phishing attacks, credential theft, malware distribution, and social engineering campaigns that leverage the trusted WeGIA domain to deceive users.
Critical Impact
Attackers can exploit the trusted WeGIA domain to redirect users to malicious sites, enabling phishing attacks and credential theft without raising user suspicion.
Affected Products
- WeGIA versions prior to 3.6.9
Discovery Timeline
- April 6, 2026 - CVE-2026-35473 published to NVD
- April 8, 2026 - Last updated in NVD database
Technical Details for CVE-2026-35473
Vulnerability Analysis
This Open Redirect vulnerability (CWE-601) stems from insufficient validation of user-supplied input in the nextPage parameter. When processing requests to the control.php endpoint with specific parameter combinations (metodo=listarId and nomeClasse=IentradaControle), the application accepts and processes arbitrary URLs without verification.
The vulnerability requires user interaction, as a victim must click on a maliciously crafted link. However, because the initial URL appears to belong to a legitimate WeGIA installation, users are more likely to trust and follow such links, especially in phishing scenarios targeting employees of charitable organizations using this platform.
Root Cause
The root cause is improper input validation in the control.php endpoint. The application directly uses the nextPage parameter value for HTTP redirection without implementing URL whitelisting or domain validation checks. This allows external URLs to be specified and processed by the redirect mechanism.
Attack Vector
The attack is network-based and requires an attacker to craft a malicious URL pointing to the vulnerable WeGIA endpoint with a nextPage parameter containing an external malicious domain. The attacker then distributes this link via email, messaging platforms, or other social engineering channels.
When a user clicks the link, they initially connect to the legitimate WeGIA server, which then redirects them to the attacker-controlled site. This technique is particularly effective because security-conscious users may verify that a link points to a trusted domain before clicking, unaware of the redirect that follows.
A typical malicious URL would include the vulnerable endpoint with parameters directing to an external phishing site through the nextPage parameter.
Detection Methods for CVE-2026-35473
Indicators of Compromise
- HTTP requests to /WeGIA/controle/control.php containing external URLs in the nextPage parameter
- Web server access logs showing requests with metodo=listarId, nomeClasse=IentradaControle, and suspicious nextPage values
- User reports of unexpected redirects after clicking WeGIA-related links
Detection Strategies
- Implement web application firewall (WAF) rules to flag requests to control.php containing external domains in the nextPage parameter
- Monitor HTTP response codes 301/302 from the control.php endpoint that redirect to non-whitelisted domains
- Deploy URL filtering solutions to detect and block access to known malicious redirect destinations
Monitoring Recommendations
- Review web server access logs for anomalous patterns involving the vulnerable endpoint and parameter combinations
- Set up alerts for high volumes of requests to control.php with varying nextPage values, which may indicate reconnaissance or active exploitation
- Monitor for phishing reports from users that reference legitimate WeGIA URLs
How to Mitigate CVE-2026-35473
Immediate Actions Required
- Upgrade WeGIA to version 3.6.9 or later, which contains the fix for this vulnerability
- Implement URL whitelisting at the application or WAF level to restrict redirect destinations to trusted internal domains
- Educate users about the risks of clicking links, even those appearing to point to trusted internal systems
Patch Information
The vulnerability is fixed in WeGIA version 3.6.9. Organizations should update their installations immediately. For additional details, refer to the GitHub Security Advisory.
Workarounds
- Configure web application firewall rules to block or sanitize the nextPage parameter when it contains external URLs
- Implement server-side validation to restrict redirect URLs to a predefined whitelist of trusted domains
- Consider temporarily disabling the affected functionality if the upgrade cannot be immediately applied
# Example Apache mod_rewrite rule to block external redirects
# Add to .htaccess or Apache configuration
RewriteEngine On
RewriteCond %{QUERY_STRING} nextPage=https?://(?!yourdomain\.com) [NC]
RewriteRule ^WeGIA/controle/control\.php$ - [F,L]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
