CVE-2026-35474 Overview
CVE-2026-35474 is an open redirect vulnerability in WeGIA, a web-based management application designed for charitable institutions. Prior to version 3.6.9, the application fails to validate or sanitize the redirect parameter obtained from $_GET before using it in a header("Location: ...") call, allowing attackers to redirect users to arbitrary external URLs.
Critical Impact
Attackers can exploit this open redirect to conduct phishing attacks by tricking users into visiting malicious websites that appear to originate from a trusted WeGIA instance, potentially leading to credential theft or malware distribution.
Affected Products
- WeGIA versions prior to 3.6.9
Discovery Timeline
- 2026-04-06 - CVE-2026-35474 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-35474
Vulnerability Analysis
This vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site, also known as Open Redirect). The fundamental issue lies in the application's direct use of user-controlled input to determine where users should be redirected, without implementing any security controls to validate the destination URL.
In the vulnerable code path, the redirect parameter is extracted directly from the $_GET superglobal array and immediately passed to PHP's header() function with a "Location:" directive. This design pattern bypasses any opportunity to verify that the destination URL belongs to a trusted domain or follows a safe URL pattern.
Open redirect vulnerabilities are particularly valuable to attackers because they abuse the inherent trust users place in legitimate domains. When a user sees a link pointing to a known charitable institution's management portal, they are more likely to click it and trust the subsequent redirect, even if it leads to a malicious site designed to harvest credentials or deliver malware.
Root Cause
The root cause is the absence of URL validation and whitelist checking before redirecting users. The application directly consumes untrusted user input from the $_GET['redirect'] parameter and passes it verbatim to the header("Location: ...") function, creating a direct path from user input to an unsafe operation.
Attack Vector
The vulnerability is exploitable over the network and requires user interaction: a victim must click a crafted link. An attacker constructs a URL pointing to the vulnerable WeGIA endpoint with a malicious redirect parameter. When a user clicks this link, they are first directed to the legitimate WeGIA instance, which then immediately redirects them to the attacker-controlled destination.
A typical attack URL might look like: https://legitimate-wegia-site.org/vulnerable-endpoint.php?redirect=https://malicious-site.com/phishing-page
The attacker can leverage this in phishing emails or embed the link in social media posts, exploiting the trust associated with the legitimate domain to increase click-through rates on their malicious payload.
Detection Methods for CVE-2026-35474
Indicators of Compromise
- HTTP logs showing requests to WeGIA endpoints with redirect parameters containing external domain URLs
- User reports of unexpected redirects after clicking links to your WeGIA installation
- Referrer headers in web logs showing traffic originating from your WeGIA server to suspicious external domains
Detection Strategies
- Implement web application firewall (WAF) rules to inspect and block requests with redirect parameters pointing to external domains
- Configure intrusion detection systems to alert on URL patterns containing external redirects in the redirect parameter
- Review access logs for unusual patterns of requests to endpoints known to handle redirects
Monitoring Recommendations
- Monitor authentication events following redirects for signs of credential theft attempts
- Set up alerts for spikes in traffic to redirect-handling endpoints
- Review web server logs periodically for redirect parameters containing non-whitelisted domains
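The log review described in the indicators and monitoring lists above, as an added example that is not part of the original advisory or of WeGIA: a PHP script that scans combined-format access log lines for requests whose redirect parameter would send the browser off-site. The log lines are constructed, the host name wegia.example.org is an assumption, and the endpoint name is the placeholder used in the attack URL above.

```php
<?php
// Added example (not WeGIA's own code): flag requests whose "redirect" query
// parameter points to a host other than this installation's own host.
// OWN_HOST is an assumption; replace it with your installation's host name.
const OWN_HOST = 'wegia.example.org';

// Constructed sample log lines (not real traffic), combined log format.
$sampleLog = <<<'LOG'
203.0.113.7 - - [06/Apr/2026:10:01:11 +0000] "GET /vulnerable-endpoint.php?redirect=/home.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Apr/2026:10:02:45 +0000] "GET /vulnerable-endpoint.php?redirect=https://malicious-site.example/phishing-page HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Apr/2026:10:03:02 +0000] "GET /vulnerable-endpoint.php?redirect=//malicious-site.example/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [06/Apr/2026:10:04:30 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "curl/8.0"
LOG;

// Return the external host a redirect value would send the browser to, or
// null when it stays on this site (relative path or own host).
function external_redirect_host(string $value): ?string
{
    $value = urldecode($value);
    // "//host" and "/\host" are protocol-relative: browsers leave the site.
    if (preg_match('#^[/\\\\]{2}#', $value)) {
        $value = 'http:' . str_replace('\\', '/', $value);
    }
    $host = parse_url($value, PHP_URL_HOST);
    if (!is_string($host) || strcasecmp($host, OWN_HOST) === 0) {
        return null;
    }
    return strtolower($host);
}

// Pull the request target out of each line, then its query string.
$pattern = '/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/';
foreach (explode("\n", $sampleLog) as $line) {
    if (!preg_match($pattern, $line, $m)) {
        continue;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        continue;
    }
    parse_str($query, $params);
    if (!isset($params['redirect'])) {
        continue;
    }
    $host = external_redirect_host((string) $params['redirect']);
    if ($host !== null) {
        printf("ALERT external redirect to %s: %s\n", $host, $line);
    }
}
```

Run against a real log by replacing $sampleLog with file_get_contents() of the access log; the second and third sample lines are the ones reported.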
How to Mitigate CVE-2026-35474
Immediate Actions Required
- Upgrade WeGIA to version 3.6.9 or later immediately
- Review web server access logs for evidence of exploitation attempts
- Notify users about potential phishing attacks leveraging your organization's WeGIA domain
Patch Information
The vulnerability is fixed in WeGIA version 3.6.9. Organizations should update their installations to this version or later. For detailed information about the fix and the security advisory, refer to the GitHub Security Advisory for GHSA-7935-g3wg-h55w.
Workarounds
- Implement server-side URL validation to ensure redirect targets match a whitelist of trusted domains
- Deploy a reverse proxy or WAF rule to strip or validate redirect parameters before they reach the application
- Temporarily disable redirect functionality if not critical to operations until the patch can be applied
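The unsafe pattern from the Root Cause section beside the server-side validation recommended in the first workaround, as an added example that is not WeGIA's own code or its actual fix. The function names, the parameter name redirect and the allowed host wegia.example.org are assumptions for illustration.

```php
<?php
// Added example (not WeGIA's code): CWE-601 pattern and a hardened version.
// Function names and the allowed host are assumptions.

// VULNERABLE: $_GET input flows straight into the Location header.
function redirect_vulnerable(array $get): void
{
    $target = $get['redirect'] ?? '/';
    header('Location: ' . $target);
    exit;
}

// HARDENED: accept only a local path on this site, or an absolute http(s)
// URL whose host is on an explicit allowlist; otherwise use a safe default.
function safe_redirect_target(?string $target, array $allowedHosts, string $default = '/'): string
{
    if ($target === null || $target === '') {
        return $default;
    }
    // Reject control characters (CRLF could split the header).
    if (preg_match('/[\x00-\x1F\x7F]/', $target)) {
        return $default;
    }
    // Local path: exactly one leading "/"; "//host" and "/\host" are
    // protocol-relative URLs that browsers resolve to another site.
    if ($target[0] === '/' && !preg_match('#^/[/\\\\]#', $target)) {
        return $target;
    }
    $parts = parse_url($target);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $default;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $default;
    }
    // parse_url already strips "user@" so "https://trusted@evil" fails here.
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return $default;
    }
    return $target;
}

// Drop-in replacement for the vulnerable handler above.
function redirect_hardened(array $get): void
{
    $target = safe_redirect_target($get['redirect'] ?? null, ['wegia.example.org']);
    header('Location: ' . $target);
    exit;
}
```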
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.