Executive Summary
CVE-2026-40285 is a high-severity SQL injection vulnerability (CVSS 8.8) affecting WeGIA, an open-source web manager designed for charitable and non-profit institutions. The flaw exists in dao/memorando/UsuarioDAO.php and is enabled by PHP's dangerous extract($_REQUEST) function in DespachoControle::verificarDespacho(), which allows an attacker to overwrite the session-stored user identity by supplying a crafted cpf_usuario POST parameter.
All versions prior to 3.6.10 are affected. A patch is available.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-40285 |
| CVSS Score | 8.8 (High) |
| Type | SQL Injection / Session Override |
| Attack Vector | Network |
| Privileges Required | Low (authenticated) |
| User Interaction | None |
| Affected Component | dao/memorando/UsuarioDAO.php |
| Root Cause | extract($_REQUEST) overwrites session variables |
| Fixed Version | WeGIA 3.6.10 |
| NVD Published | 2026-04-17 |
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| WeGIA | < 3.6.10 | 3.6.10 |
Technical Analysis
What Is WeGIA?
WeGIA (Web Gestor para Instituições de Assistência) is an open-source PHP-based web management system built for charitable institutions, NGOs, and social welfare organizations. It handles volunteer management, beneficiary records, memos, and administrative functions for organizations serving vulnerable populations.
Root Cause: PHP extract() on Request Data
The vulnerability originates in the DespachoControle::verificarDespacho() method, which calls:
```php
extract($_REQUEST);
```

The PHP extract() function imports variables from an array into the current symbol table. When applied to user-controlled superglobals like $_REQUEST, $_POST, or $_GET, it creates a severe security vulnerability: any variable that exists in the session or local scope can be silently overwritten by an attacker-supplied parameter with the same name.
In this case:
- The application stores the currently authenticated user's identifier in a session variable
- The controller calls extract($_REQUEST) before performing business logic
- A POST parameter named cpf_usuario (the Brazilian CPF, a national tax ID used as a user key) collides with the session-stored identity variable
- The attacker-supplied cpf_usuario replaces the legitimate session value before the database query executes
SQL Injection Stage
Once the session variable is overridden, the tainted cpf_usuario value flows directly into a PDO query in UsuarioDAO.php without sufficient sanitization. Although PDO is the query interface, the vulnerability is not in a parameterized binding — the cpf_usuario value is incorporated into the query in a way that allows injection.
Attack flow:
1. Attacker authenticates as a low-privilege user
2. Sends a POST request to the vulnerable endpoint with cpf_usuario=<payload>
3. extract($_REQUEST) overwrites the session-stored user identity
4. The tainted value is passed to UsuarioDAO without sanitization
5. SQL injection executes — attacker can read/modify/delete database records
6. Attacker achieves privilege escalation to higher-privilege user accounts
Why This Is Rated CVSS 8.8
| Metric | Value | Reason |
|---|---|---|
| Attack Vector | Network | Exploitable over any HTTP connection |
| Attack Complexity | Low | Straightforward POST parameter manipulation |
| Privileges Required | Low | Any authenticated user can exploit |
| User Interaction | None | No victim action required |
| Impact | High C/I/A | Full database read/write access attainable |
The CVSS score is bounded at 8.8 (rather than 9+) because low-privilege authentication is required — however, the practical barrier for exploitation is minimal in any multi-user WeGIA deployment.
Impact Assessment
| Impact Area | Description |
|---|---|
| Data Exfiltration | Full read access to the WeGIA database including beneficiary PII, volunteer records, and financial data |
| Privilege Escalation | Attacker can override their identity with a higher-privilege CPF and gain admin-level access |
| Data Manipulation | Database records can be modified or deleted |
| Sensitive Population Data | WeGIA's users are often charitable institutions managing data for vulnerable individuals — a breach carries elevated humanitarian risk |
Remediation
Upgrade to WeGIA 3.6.10

```bash
# Pull the latest release from GitHub
git clone https://github.com/WeGIA/WeGIA.git
cd WeGIA
git checkout v3.6.10
# Or download the release archive directly
# https://github.com/WeGIA/WeGIA/releases/tag/v3.6.10
```

Immediate Mitigations (if patching is delayed)
- Remove or replace extract($_REQUEST): replace it with explicit variable assignments to eliminate the root cause:

  ```php
  // Instead of: extract($_REQUEST);
  $cpf_usuario = $_SESSION['cpf_usuario']; // always use session, never request
  ```

- Use parameterized queries throughout UsuarioDAO.php: ensure all PDO interactions use bound parameters
- Restrict access to the vulnerable endpoint to known internal IP ranges if the panel is not internet-facing
- Audit all PHP files for additional uses of extract() on user-controlled superglobals; this pattern is likely present elsewhere in the codebase
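The following is an added example, not code from WeGIA or from this advisory, that puts the root-cause pattern described above next to the hardened form the mitigations call for. The first function reproduces the shape of the bug: an identity read from the session is clobbered when extract() imports a request key of the same name. The second never consults the request for identity, rejects anything not shaped like a CPF, and binds the value as a PDO parameter. The function names, the usuario table, its columns, and the sample session/request values are all constructed for illustration; the database is an in-memory SQLite so it runs offline.

```php
<?php
// Added example (not WeGIA's own code). Demonstrates extract($_REQUEST)
// clobbering a session-derived identity, and a hardened lookup that takes
// identity only from the session and binds it as a PDO parameter.
// Names (vulnerableIdentity, hardenedLookup, table "usuario") are assumptions.
declare(strict_types=1);

// --- Vulnerable pattern (the shape the advisory describes) -------------------
function vulnerableIdentity(array $session, array $request): string
{
    // Identity is taken from the session first...
    $cpf_usuario = $session['cpf_usuario'];
    // ...then extract() imports every request key into this scope, silently
    // replacing $cpf_usuario whenever the request carries that key.
    extract($request);
    return $cpf_usuario;
}

// --- Hardened pattern --------------------------------------------------------
// A CPF is 11 digits, optionally punctuated as 000.000.000-00. Anything else is
// rejected before it can reach the database (defence in depth; the bound
// parameter below is the primary injection control).
function isValidCpfFormat(string $cpf): bool
{
    return preg_match('/^\d{3}\.?\d{3}\.?\d{3}-?\d{2}$/', $cpf) === 1;
}

function hardenedLookup(PDO $pdo, array $session): ?array
{
    // Identity comes only from the session; the request is never consulted.
    $cpf_usuario = $session['cpf_usuario'] ?? null;
    if ($cpf_usuario === null || !isValidCpfFormat($cpf_usuario)) {
        throw new RuntimeException('invalid session identity');
    }
    // Bound parameter: the value can never alter the query's structure.
    $stmt = $pdo->prepare('SELECT id, cpf, nome, perfil FROM usuario WHERE cpf = :cpf');
    $stmt->execute([':cpf' => $cpf_usuario]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Demonstration with constructed data -------------------------------------
$session = ['cpf_usuario' => '123.456.789-09'];               // constructed
$request = ['cpf_usuario' => 'REQUEST-SUPPLIED', 'acao' => 'ver']; // constructed

echo "vulnerable sees: ", vulnerableIdentity($session, $request), "\n";
// The request value has replaced the session identity.

$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE usuario (id INTEGER, cpf TEXT, nome TEXT, perfil TEXT)');
$pdo->exec("INSERT INTO usuario VALUES (1, '123.456.789-09', 'Ana', 'operador')");

$user = hardenedLookup($pdo, $session);
echo "hardened sees: ", $user['cpf'] ?? 'none', "\n";
// The session identity is used unchanged, regardless of the request contents.
```

Run it with `php example.php` (requires the pdo_sqlite extension). The hardened function makes two independent changes: identity is sourced from $_SESSION only, which closes the override, and the CPF reaches SQL solely as a bound parameter, which closes the injection even if some other path ever lets a tainted value through.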
Detection
| Indicator | Description |
|---|---|
| Unexpected cpf_usuario POST parameters | Requests with SQL metacharacters in the cpf_usuario field |
| Database errors in application logs | SQL syntax errors indicating injection attempts |
| Session identity mismatches | Auth logs showing privilege changes inconsistent with user roles |
| Access to admin-only endpoints from low-privilege accounts | Privilege escalation via session override |
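As an added example for the first indicator in the table (not part of the advisory), the script below flags POST requests whose cpf_usuario value is not shaped like a CPF, which covers values carrying SQL metacharacters without needing a payload list. The log format is an assumption: one request per line as "timestamp source_ip method path urlencoded_body", which is what an application-level request log or WAF export might contain (standard web-server access logs do not record POST bodies). The endpoint path is a placeholder because the advisory does not name the vulnerable URL, and the sample lines are constructed.

```php
<?php
// Added example (not from the advisory or WeGIA): flag POST requests whose
// cpf_usuario parameter does not look like a CPF. Assumed log line format:
//   "<timestamp> <src_ip> <method> <path> <urlencoded body>"
declare(strict_types=1);

function isValidCpfFormat(string $cpf): bool
{
    return preg_match('/^\d{3}\.?\d{3}\.?\d{3}-?\d{2}$/', $cpf) === 1;
}

/** Returns one record per suspicious request: ts, ip, path and the raw value. */
function findSuspiciousCpfRequests(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $parts = explode(' ', trim($line), 5);
        if (count($parts) < 5) {
            continue; // malformed line, skip
        }
        [$ts, $ip, $method, $path, $body] = $parts;
        if ($method !== 'POST') {
            continue;
        }
        parse_str($body, $params); // decodes the form body into $params
        if (!array_key_exists('cpf_usuario', $params)) {
            continue;
        }
        $cpf = (string) $params['cpf_usuario'];
        if (!isValidCpfFormat($cpf)) {
            $hits[] = ['ts' => $ts, 'ip' => $ip, 'path' => $path, 'cpf_usuario' => $cpf];
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic); the path is a placeholder.
$log = [
    '2026-04-18T10:00:01Z 10.0.0.5 POST /PLACEHOLDER_ENDPOINT cpf_usuario=123.456.789-09&acao=ver',
    '2026-04-18T10:00:02Z 10.0.0.5 GET /PLACEHOLDER_INDEX -',
    '2026-04-18T10:00:03Z 10.0.0.9 POST /PLACEHOLDER_ENDPOINT cpf_usuario=12345678909%27&acao=ver',
    '2026-04-18T10:00:04Z 10.0.0.9 POST /PLACEHOLDER_ENDPOINT cpf_usuario=abc&acao=ver',
];

foreach (findSuspiciousCpfRequests($log) as $hit) {
    printf("%s %s %s cpf_usuario=%s\n", $hit['ts'], $hit['ip'], $hit['path'], $hit['cpf_usuario']);
}
// Lines 3 and 4 are reported: a trailing quote and a non-numeric value.
```

A format check only catches malformed values. A well-formed CPF that differs from the one in the authenticated session is the privilege-escalation case from the table's third row, and detecting it requires correlating each request with the session's stored identity (for example by logging both at the application layer), not inspecting the request body alone.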
Post-Remediation Checklist
- Upgrade all WeGIA instances to 3.6.10 or later
- Audit all uses of extract() on $_REQUEST, $_POST, or $_GET in the codebase
- Review database logs for anomalous queries during the vulnerability window
- Rotate credentials for all user accounts if unauthorized access is suspected
- Notify beneficiaries if personal data was accessed, per applicable data protection obligations
- Enable WAF rules to block SQL injection patterns at the perimeter