CVE-2026-28408 is a critical authorization bypass vulnerability affecting WeGIA, a web management platform used by charitable institutions developed by LabRedesCefetRJ. The vulnerability exists in versions prior to 3.6.5 within the script adicionar_tipo_docs_atendido.php, which does not route requests through the project's central controller and lacks its own authentication and permission verification. This architectural oversight allows unauthenticated external attackers to directly invoke this script via HTTP requests (e.g., using tools like Postman or direct URL access) and perform actions reserved for authenticated employees. Exploitation enables attackers to inject unauthorized data massively into the backend storage, potentially corrupting data integrity, exposing sensitive information, and impacting system availability due to resource exhaustion or data pollution. The vulnerability is classified under CWE-862 (Missing Authorization) and CWE-287 (Improper Authentication), emphasizing the absence of proper access control mechanisms. The CVSS v3.1 base score is 9.8 (critical), reflecting the vulnerability's ease of exploitation (network vector, no privileges or user interaction required) and its severe impact on confidentiality, integrity, and availability. Although no known exploits are reported in the wild yet, the vulnerability's nature and severity make it a high-risk target for attackers. The vendor addressed the issue in WeGIA version 3.6.5 by enforcing proper authentication and permission checks in the affected script.

The impact of CVE-2026-28408 is significant for organizations using WeGIA versions prior to 3.6.5, especially charitable institutions relying on this platform for sensitive data management. Attackers can exploit this vulnerability to inject large volumes of unauthorized data, leading to data integrity corruption, potential leakage of confidential information, and disruption of normal operations. The ability to perform these actions without authentication or user interaction increases the risk of automated mass exploitation. This can result in operational downtime, loss of trust, regulatory compliance violations, and costly remediation efforts. Additionally, the injection of unauthorized data could be leveraged as a foothold for further attacks within the network. Given the critical CVSS score and the nature of the affected system, the threat poses a severe risk to the confidentiality, integrity, and availability of organizational data and services.

To mitigate CVE-2026-28408, organizations should immediately upgrade WeGIA to version 3.6.5 or later, where the vulnerability has been fixed by implementing proper authentication and authorization checks in the affected script. Until the upgrade can be performed, organizations should restrict external access to the adicionar_tipo_docs_atendido.php script via network-level controls such as firewalls or web application firewalls (WAFs) to block unauthorized HTTP requests targeting this endpoint. Implement strict monitoring and logging of access to this script to detect any anomalous or unauthorized usage patterns. Additionally, conduct a thorough audit of data integrity to identify and remediate any unauthorized data injections that may have occurred. Organizations should also review their overall access control policies and ensure that all web application components enforce centralized authentication and authorization consistently. Finally, maintain an incident response plan to quickly address any exploitation attempts.