CVE-2026-28408
Published: 27 February 2026
Summary
CVE-2026-28408 is a critical-severity Improper Authentication (CWE-287) vulnerability in WeGIA (vendor: Wegia; product: Wegia). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 11.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for logical access, directly addressing the script's omission of authentication and permission checks that allows unauthorized feature access.
- IA-2 (Identification and Authentication (Organizational Users)): Requires unique identification and authentication for organizational users, preventing unauthenticated attackers from impersonating employees to access restricted endpoints.
- AC-6 (Least Privilege): Employs least privilege to restrict access to only the necessary functions, mitigating massive unauthorized data injection into application storage.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes an authentication bypass in a public-facing web application allowing unauthenticated network attackers to directly invoke restricted scripts and functionality. This directly enables T1190 (Exploit Public-Facing Application).
NVD Description
WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, the script in adicionar_tipo_docs_atendido.php does not go through the project's central controller and does not have its own authentication and permission checks. A malicious user could make a request through tools like Postman or the file's URL on the web to access features exclusive to employees. The vulnerability allows external parties to inject unauthorized data in massive quantities into the application server's storage. Version 3.6.5 fixes the issue.
Deeper analysis
CVE-2026-28408 is a critical authentication bypass vulnerability in WeGIA, an open-source web manager for charitable institutions. In versions prior to 3.6.5, the adicionar_tipo_docs_atendido.php script circumvents the project's central controller and omits its own authentication and permission checks, a flaw mapped to CWE-287 (Improper Authentication) and CWE-862 (Missing Authorization). It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating severe potential for confidentiality, integrity, and availability impacts.
Unauthenticated attackers with network access can exploit the vulnerability by crafting requests to the script's URL using tools like Postman or direct web access. This allows external parties to impersonate employees and access restricted features, enabling the injection of massive quantities of unauthorized data into the application server's storage.
The GitHub security advisory (GHSA-xq3w-xwxj-fg2q) confirms that upgrading to WeGIA version 3.6.5 addresses the issue by adding necessary authentication and permission controls. Security practitioners should prioritize patching affected instances and review access to similar direct-script endpoints in custom web applications.
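The weakness described above, shown as an added illustration that is not WeGIA's code and is not taken from the advisory: a standalone PHP endpoint that writes to storage with no authentication or permission check (the CWE-287/CWE-862 pattern), beside a hardened version that requires an authenticated session, an explicit permission, and a bounded input. The table names, session key, permission string and `hasPermission()` helper are assumptions made for the example.

```php
<?php
// Added illustration of the direct-script weakness, not WeGIA's code.
// Table names, session keys and the permission helper are hypothetical.

// --- Vulnerable pattern -------------------------------------------------
// A script reachable by its own URL that bypasses the central controller
// and performs the write for any caller, authenticated or not.
function addDocTypeVulnerable(PDO $db, array $request): bool
{
    $description = $request['descricao'] ?? '';
    $stmt = $db->prepare('INSERT INTO doc_types (description) VALUES (:d)');
    return $stmt->execute([':d' => $description]);
}

// --- Hardened pattern ---------------------------------------------------
// The same write, gated the way a central controller would gate every
// script: authenticate the session, then authorize the specific action,
// then bound the input so bulk injection is refused.
function addDocTypeHardened(PDO $db, array $session, array $request): bool
{
    // 1. Authentication (CWE-287): an established session is required.
    //    In a real deployment $session is $_SESSION after session_start().
    if (empty($session['user_id'])) {
        http_response_code(401);
        return false;
    }
    // 2. Authorization (CWE-862): the user must hold the specific permission.
    if (!hasPermission($db, (int) $session['user_id'], 'doc_types:create')) {
        http_response_code(403);
        return false;
    }
    // 3. Input validation: reject empty or oversized values.
    $description = trim((string) ($request['descricao'] ?? ''));
    if ($description === '' || mb_strlen($description) > 100) {
        http_response_code(400);
        return false;
    }
    $stmt = $db->prepare('INSERT INTO doc_types (description) VALUES (:d)');
    return $stmt->execute([':d' => $description]);
}

// Hypothetical permission lookup against an assumed user_permissions table.
function hasPermission(PDO $db, int $userId, string $permission): bool
{
    $stmt = $db->prepare(
        'SELECT 1 FROM user_permissions WHERE user_id = :u AND permission = :p LIMIT 1'
    );
    $stmt->execute([':u' => $userId, ':p' => $permission]);
    return $stmt->fetchColumn() !== false;
}

// Self-contained demo on an in-memory SQLite database with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE doc_types (id INTEGER PRIMARY KEY, description TEXT NOT NULL)');
$db->exec('CREATE TABLE user_permissions (user_id INTEGER, permission TEXT)');
$db->exec("INSERT INTO user_permissions VALUES (7, 'doc_types:create')");

$anonymous = [];                 // no session: the unauthenticated caller from the advisory
$employee  = ['user_id' => 7];   // authenticated user holding the permission
$request   = ['descricao' => 'Comprovante de renda'];

// The vulnerable variant accepts the write regardless of who calls it;
// the hardened variant refuses the anonymous caller and accepts the employee.
var_dump(addDocTypeVulnerable($db, $request));
var_dump(addDocTypeHardened($db, $anonymous, $request));
var_dump(addDocTypeHardened($db, $employee, $request));
```

The point of the hardened variant is where the checks live: a script that can be reached by URL must either be routed through the shared entry point that performs these checks or perform them itself before touching storage, and reviewing an application for scripts that do neither is the practical follow-up the advisory suggests.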
Details
- CWE(s)