PROBABLYPWNED
Vulnerabilities | February 28, 2026 | 4 min read

WeGIA Charity Management Platform Exposes Three Critical Flaws

CVE-2026-28408 and related vulnerabilities allow unauthenticated attackers to bypass security, inject data, and execute code on WeGIA servers. Patch to version 3.6.5 immediately.

Marcus Chen

Three critical vulnerabilities in WeGIA, a web-based management system used by charitable institutions, could allow unauthenticated attackers to completely compromise affected servers. The most severe, CVE-2026-28408, carries a CVSS score of 9.8 and requires no authentication to exploit.

WeGIA is an open-source platform developed by LabRedesCefetRJ that helps charitable organizations manage donors, volunteers, and beneficiaries. Its user base consists primarily of nonprofits and NGOs—organizations that often lack dedicated security staff and face resource constraints that delay patching.

The Vulnerability Trio

The disclosed flaws work together to offer attackers multiple paths to compromise:

CVE-2026-28408 (CVSS 9.8): The primary vulnerability stems from a missing authorization check in the adicionar_tipo_docs_atendido.php script. The endpoint does not route through WeGIA's central controller, which is where authentication and permission policies are enforced. The result: an unauthenticated attacker can reach an employee-only function and insert arbitrary volumes of unauthorized records into the application's database.

CVE-2026-28409: A remote code execution vulnerability triggered through the database restoration functionality. An attacker who can upload a malicious database backup can achieve arbitrary code execution on the underlying server.

CVE-2026-28411: An authentication bypass via variable overwrite that allows an attacker to manipulate session state and impersonate legitimate users.

Together, these vulnerabilities provide everything an attacker needs: initial unauthenticated access (CVE-2026-28408), privilege escalation through session manipulation (CVE-2026-28411), and code execution for persistence (CVE-2026-28409).

Why the Architecture Failed

The root cause of CVE-2026-28408 illustrates a common web application security anti-pattern. WeGIA's central controller handles authentication and authorization for most endpoints, but the adicionar_tipo_docs_atendido.php script was implemented as a direct PHP file that bypasses this middleware entirely. There's no authentication check, no permission validation—just raw backend access.

This happens more often than it should. Developers add "quick" functionality outside the standard request flow, or legacy code predates the security middleware, a pattern we've documented in vulnerabilities like the Angular SVG script injection flaw. The fix is straightforward in principle: every web-reachable script must enforce authentication and authorization, either by routing through the central controller or by calling the same guard it uses, and architectural reviews should catch exceptions before deployment.
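As an added illustration (not WeGIA code, and not part of the advisory), the following Python script is the kind of check an architectural review or CI job could run against a PHP application: it walks the webroot and flags scripts that neither include the central controller nor call an explicit permission guard. The include and function names it looks for (controle/control.php, verificar_permissao, check_auth), the public allowlist, and the sample file tree are assumptions constructed for the example; substitute the guard your application actually uses.

```python
"""Static check for PHP endpoints that skip the central auth guard.

Added illustration, not WeGIA code. The guard markers below are an
ASSUMPTION about how a front-controller app marks protected scripts;
adjust GUARD_PATTERNS to the include or function your codebase uses.
"""
import os
import re
import tempfile

# ASSUMED markers that a script is protected: it either pulls in the
# central controller/auth include or calls an explicit permission check.
GUARD_PATTERNS = [
    re.compile(r"require(_once)?\s*\(?\s*['\"][^'\"]*control(ler)?[^'\"]*['\"]", re.I),
    re.compile(r"require(_once)?\s*\(?\s*['\"][^'\"]*(auth|verificar_sessao)[^'\"]*['\"]", re.I),
    re.compile(r"\bcheck_auth\s*\(|\bverificar_permissao\s*\("),
]

# Scripts legitimately reachable without a session (front controller,
# login page). Hypothetical names for the example.
PUBLIC_ALLOWLIST = {"index.php", "login.php"}


def is_guarded(source: str) -> bool:
    """True if the PHP source contains any of the assumed guard markers."""
    return any(p.search(source) for p in GUARD_PATTERNS)


def find_unguarded_endpoints(webroot: str):
    """Return web-reachable .php files under webroot with no guard marker."""
    flagged = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.endswith(".php") or name in PUBLIC_ALLOWLIST:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as fh:
                if not is_guarded(fh.read()):
                    flagged.append(rel)
    return sorted(flagged)


# Constructed sample tree modelled on the anti-pattern in the article:
# one script writes to the database without ever touching the controller.
SAMPLE_FILES = {
    "index.php": "<?php require_once 'controle/control.php';",
    "html/atendido/adicionar_tipo_docs_atendido.php":
        "<?php\n$tipo = $_POST['tipo'];\n"
        "$conn->query(\"INSERT INTO tipo_docs (nome) VALUES ('$tipo')\");",
    "html/atendido/listar_atendido.php":
        "<?php\nrequire_once '../../controle/control.php';\n// ... render list",
    "html/funcionario/editar.php":
        "<?php\nverificar_permissao('funcionario');\n// ... edit form",
}


def demo():
    """Write the constructed tree to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return find_unguarded_endpoints(root)


if __name__ == "__main__":
    for rel in demo():
        print("UNGUARDED:", rel)
```

On the sample tree the scan reports only html/atendido/adicionar_tipo_docs_atendido.php. A regex scan is a coarse filter (a script can include the controller and still skip a role check), so treat hits as review items, and run it against a real checkout with the patterns tuned to the project's actual guard.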

Exploitation Is Trivial

No sophisticated tooling required. The vulnerable endpoint is web-accessible, meaning attackers only need network connectivity to a WeGIA instance. Exploitation tools include:

  • Standard web browsers
  • HTTP clients like curl or Postman
  • Web proxies for traffic manipulation

The attack surface is maximally exposed. Any internet-facing WeGIA installation running versions prior to 3.6.5 should be considered at risk. And given the target demographic—charitable organizations with limited IT resources—many deployments likely sit unpatched.

Impact on Charitable Organizations

Charitable organizations face disproportionate targeting. We've seen similar patterns with healthcare and education sector attacks, where resource-constrained organizations become attractive targets precisely because they lack security staff.

Compromising a charity management platform yields sensitive data about vulnerable populations:

  • Donor financial information and giving histories
  • Beneficiary personal details (potentially including immigration status, health conditions, or abuse histories)
  • Volunteer records with contact information
  • Internal communications and case files

This data has value to threat actors ranging from identity thieves to state-sponsored actors tracking dissidents. Nonprofits serving refugees, domestic violence survivors, or political activists face elevated risk—a breach could have physical-world consequences for the people they serve.

Remediation Steps

  1. Upgrade immediately: version 3.6.5 patches all three vulnerabilities
  2. Audit access logs: access logs do not record session state, so look for requests to adicionar_tipo_docs_atendido.php from client addresses that never went through the login flow, and for bursts of POST requests to it from a single address
  3. Check for webshells: compare web-accessible directories against a clean copy of the release and search for unexpected or recently modified PHP files
  4. Review database integrity: look for unauthorized records in the table the vulnerable script writes to, which may indicate exploitation of the data injection flaw
  5. Network isolation: if patching isn't immediately possible, restrict access to WeGIA to trusted networks (VPN or IP allowlist) until the upgrade is done
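Steps 2 through 4 are easier to do systematically than by eye. The following Python script is an added example, not part of the advisory or the WeGIA project: it parses combined-format access log lines and reports requests to adicionar_tipo_docs_atendido.php from client addresses that never POSTed to the login page earlier in the log (the closest approximation to "unauthenticated" an access log allows), bursts of POSTs to that script from one address, and POSTs to anything that looks like a backup-restore endpoint. The login and restore path names, the burst threshold and the sample log lines are constructed assumptions, not observed traffic.

```python
"""Triage of web-server access logs for the WeGIA advisory indicators.

Added example, not from the advisory or the WeGIA project. Log format is
Apache/nginx combined. Paths other than adicionar_tipo_docs_atendido.php
(login and restore endpoint names) are ASSUMPTIONS; set them from your
install. Access logs carry no session state, so "unauthenticated" is
approximated as: the client IP never POSTed to the login page earlier
in the log.
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

VULN_ENDPOINT = "adicionar_tipo_docs_atendido.php"      # from the advisory
LOGIN_PATH_HINT = "login.php"                            # ASSUMED name
RESTORE_PATH_HINTS = ("restaurar", "restore", "backup")  # ASSUMED names
BURST_THRESHOLD = 20   # POSTs from one IP to the endpoint; tune per site


def parse(line):
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]   # drop query string
    return rec


def triage(lines):
    """Return {finding_type: [(ip, detail), ...]} for the indicators above."""
    findings = defaultdict(list)
    logged_in = set()          # IPs that completed a login POST before
    posts_to_endpoint = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, path, method = rec["ip"], rec["path"], rec["method"]
        if (method == "POST" and path.endswith(LOGIN_PATH_HINT)
                and rec["status"] in ("200", "302")):
            logged_in.add(ip)
            continue
        if path.endswith(VULN_ENDPOINT):
            if ip not in logged_in:
                findings["endpoint_without_prior_login"].append((ip, path))
            if method == "POST":
                posts_to_endpoint[ip] += 1
        if method == "POST" and any(h in path.lower() for h in RESTORE_PATH_HINTS):
            findings["restore_upload"].append((ip, path))
    for ip, n in posts_to_endpoint.items():
        if n >= BURST_THRESHOLD:
            findings["injection_burst"].append((ip, n))
    return dict(findings)


# Constructed sample log (not real traffic): one legitimate user, one
# stray hit, and one address hammering the endpoint then uploading a backup.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Feb/2026:09:00:01 +0000] "POST /html/login.php HTTP/1.1" 302 0',
    '10.0.0.5 - - [27/Feb/2026:09:00:08 +0000] "POST /html/atendido/adicionar_tipo_docs_atendido.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [27/Feb/2026:11:14:02 +0000] "POST /html/atendido/adicionar_tipo_docs_atendido.php HTTP/1.1" 200 512',
] + [
    f'198.51.100.7 - - [27/Feb/2026:12:{i:02d}:00 +0000] "POST /html/atendido/adicionar_tipo_docs_atendido.php HTTP/1.1" 200 512'
    for i in range(25)
] + [
    '198.51.100.7 - - [27/Feb/2026:12:30:00 +0000] "POST /html/configuracao/restaurar_backup.php HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(f"{kind}: {len(hits)} hit(s), e.g. {hits[:2]}")
```

Run it over the real log with triage(open(path)) and treat the output as leads, not proof: a NAT gateway or VPN can put a legitimate logged-in user and an attacker behind the same address, and a log rotated mid-session loses the login record it keys on.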

The vulnerability disclosure timeline shows these issues were publicly documented on February 27, 2026. No proof-of-concept code has been released, but the technical details in the advisories are sufficient for skilled attackers to develop working exploits.

Protecting Nonprofit Infrastructure

Charitable organizations operate with tight budgets, and security often competes with mission-critical spending. But incidents like this demonstrate why basic security hygiene matters: keeping software updated, maintaining network segmentation, and having incident response plans costs far less than breach remediation.

For nonprofits unsure where to start, our online safety tips guide covers foundational security practices. The sector also has access to resources like the Nonprofit Technology Network (NTEN) and sector-specific ISACs that provide guidance tailored to resource-constrained organizations.

WeGIA's maintainers responded quickly with patches. Now it's on the organizations using the software to apply them—before attackers find exposed installations.
