Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-35474

CVE-2026-35474: WeGIA Open Redirect Vulnerability

CVE-2026-35474 is an open redirect vulnerability in WeGIA, a web manager for charitable institutions. Attackers can exploit unvalidated redirect parameters to redirect users to malicious sites. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-35474 Overview

CVE-2026-35474 is an open redirect vulnerability in WeGIA, a web-based management application designed for charitable institutions. Prior to version 3.6.9, the application fails to validate or sanitize the redirect parameter obtained from $_GET before using it in a header("Location: ...") call, allowing attackers to redirect users to arbitrary external URLs.

Critical Impact

Attackers can exploit this open redirect to conduct phishing attacks by tricking users into visiting malicious websites that appear to originate from a trusted WeGIA instance, potentially leading to credential theft or malware distribution.

Affected Products

  • WeGIA versions prior to 3.6.9

Discovery Timeline

  • 2026-04-06 - CVE CVE-2026-35474 published to NVD
  • 2026-04-07 - Last updated in NVD database

Technical Details for CVE-2026-35474

Vulnerability Analysis

This vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site, also known as Open Redirect). The fundamental issue lies in the application's direct use of user-controlled input to determine where users should be redirected, without implementing any security controls to validate the destination URL.

In the vulnerable code path, the redirect parameter is extracted directly from the $_GET superglobal array and immediately passed to PHP's header() function with a "Location:" directive. This design pattern bypasses any opportunity to verify that the destination URL belongs to a trusted domain or follows a safe URL pattern.

Open redirect vulnerabilities are particularly valuable to attackers because they abuse the inherent trust users place in legitimate domains. When a user sees a link pointing to a known charitable institution's management portal, they are more likely to click it and trust the subsequent redirect, even if it leads to a malicious site designed to harvest credentials or deliver malware.

Root Cause

The root cause is the absence of URL validation and whitelist checking before redirecting users. The application directly consumes untrusted user input from the $_GET['redirect'] parameter and passes it verbatim to the header("Location: ...") function, creating a direct path from user input to an unsafe operation.

Attack Vector

The vulnerability is exploitable over the network and requires user interaction—specifically, a victim must click a crafted link. An attacker constructs a URL pointing to the vulnerable WeGIA endpoint with a malicious redirect parameter. When a user clicks this link, they are initially directed to the legitimate WeGIA instance, which then immediately redirects them to the attacker-controlled destination.

A typical attack URL might look like: https://legitimate-wegia-site.org/vulnerable-endpoint.php?redirect=https://malicious-site.com/phishing-page

The attacker can leverage this in phishing emails or embed the link in social media posts, exploiting the trust associated with the legitimate domain to increase click-through rates on their malicious payload.

Detection Methods for CVE-2026-35474

Indicators of Compromise

  • HTTP logs showing requests to WeGIA endpoints with redirect parameters containing external domain URLs
  • User reports of unexpected redirects after clicking links to your WeGIA installation
  • Referrer headers in web logs showing traffic originating from your WeGIA server to suspicious external domains

Detection Strategies

  • Implement web application firewall (WAF) rules to inspect and block requests with redirect parameters pointing to external domains
  • Configure intrusion detection systems to alert on URL patterns containing external redirects in the redirect parameter
  • Review access logs for unusual patterns of requests to endpoints known to handle redirects

Monitoring Recommendations

  • Monitor authentication events following redirects for signs of credential theft attempts
  • Set up alerts for spikes in traffic to redirect-handling endpoints
  • Review web server logs periodically for redirect parameters containing non-whitelisted domains

How to Mitigate CVE-2026-35474

Immediate Actions Required

  • Upgrade WeGIA to version 3.6.9 or later immediately
  • Review web server access logs for evidence of exploitation attempts
  • Notify users about potential phishing attacks leveraging your organization's WeGIA domain

Patch Information

The vulnerability is fixed in WeGIA version 3.6.9. Organizations should update their installations to this version or later. For detailed information about the fix and the security advisory, refer to the GitHub Security Advisory for GHSA-7935-g3wg-h55w.

Workarounds

  • Implement server-side URL validation to ensure redirect targets match a whitelist of trusted domains
  • Deploy a reverse proxy or WAF rule to strip or validate redirect parameters before they reach the application
  • Temporarily disable redirect functionality if not critical to operations until the patch can be applied

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.