CVE-2026-31894 is a vulnerability classified under CWE-59 (Improper Link Resolution Before File Access) affecting WeGIA, a web management platform for charitable institutions developed by LabRedesCefetRJ. In version 3.6.5, the loadBackupDB() function is responsible for restoring database backups by extracting tar.gz archives using PHP's PharData class. After extraction, the function uses glob() to enumerate SQL files and file_get_contents() to read their contents. However, neither the extraction process nor the subsequent file reading validates whether the archive members are symbolic links. This lack of validation allows an attacker who can supply or manipulate backup archives to craft malicious tar.gz files containing symbolic links that point to arbitrary files on the server filesystem. When these archives are extracted and processed, the application may inadvertently read or overwrite sensitive files outside the intended directory, leading to unauthorized file access or modification. The vulnerability requires the attacker to have high privileges (as indicated by the CVSS vector), but no user interaction or authentication is needed once those privileges are obtained. The scope is limited to the affected versions >= 3.6.5 and < 3.6.6, with the issue resolved in version 3.6.6. The CVSS 4.0 base score is 6.9, reflecting a medium severity level due to the potential impact on confidentiality and integrity without affecting availability. No known exploits have been reported in the wild, but the vulnerability represents a significant risk if exploited in environments where backup archives are not fully trusted or sanitized.

The primary impact of CVE-2026-31894 is unauthorized file access and potential file modification on servers running vulnerable versions of WeGIA. By exploiting the improper symbolic link handling during archive extraction, an attacker could cause the application to read or overwrite arbitrary files on the filesystem. This can lead to exposure of sensitive data such as configuration files, credentials, or database contents, compromising confidentiality. Additionally, overwriting critical files could affect data integrity and potentially disrupt application functionality. Since the vulnerability requires high privileges, the risk is elevated in environments where attackers have partial access or where backup archives come from untrusted sources. For organizations managing charitable institutions, this could result in data breaches, loss of donor information, or disruption of critical services. The absence of known exploits reduces immediate risk, but the vulnerability's presence in backup restoration processes makes it a valuable target for attackers aiming to escalate privileges or maintain persistence.

To mitigate CVE-2026-31894, organizations should upgrade WeGIA to version 3.6.6 or later, where the vulnerability is patched. Until the upgrade is applied, administrators should implement strict validation of backup archives before restoration, including verifying that no symbolic links exist within tar.gz files. Employing sandboxed extraction environments with limited filesystem permissions can reduce the risk of arbitrary file access. Additionally, restricting backup archive sources to trusted entities and using cryptographic signatures to verify archive integrity can prevent malicious archive injection. Monitoring file system changes during backup restoration and employing application-level access controls to limit the impact of potential exploitation are also recommended. Finally, reviewing and hardening server permissions to minimize the privileges of the WeGIA process can reduce the attack surface.