OpenCATS, the open-source applicant tracking system, has a high-severity SQL injection vulnerability (GHSA-gmpc-j6h7-vw74 / CVE-2026-49490) in its DataGrid filter-handling mechanism, putting sensitive recruitment data at serious risk of unauthorized access and manipulation.
Disclosed on April 23, 2026, by security researcher anonymoususer72041 through GitHub’s security advisory program, the vulnerability affects all OpenCATS releases from version 0.9.1a onward, with no patch currently available.
The flaw carries a CVSS v3.1 base score of 8.6 and has been classified as High severity, demanding immediate attention from organizations running the platform.
OpenCATS is a widely deployed open-source applicant tracking system (ATS) used by businesses and HR departments globally to manage job postings, candidate pipelines, and recruitment workflows.
Because it stores highly sensitive personal data, including resumes, contact information, employment history, and internal hiring notes, any SQL injection vulnerability within its core modules represents a critical threat to organizational data privacy and integrity.
The flaw lies in the server-side filter-processing logic of the Candidates DataGrid component. In OpenCATS’s DataGrid configuration, certain columns are explicitly marked as `filterable => false` to prevent users from applying filter queries against them. The “Tags” column in the Candidates DataGrid is one such non-filterable column.
However, despite this designation, the server-side code still exposes filter metadata for the Tags column and processes crafted filter input targeting it.
An authenticated attacker can manipulate HTTP requests to inject arbitrary SQL commands through the Tags column filter parameter, effectively bypassing the column’s non-filterable restriction.
Because the server never validates whether a requested filter column is permitted before processing the filter logic, the injected SQL reaches the underlying database engine without sanitization.
The vulnerability is tracked under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), the industry-standard classification for SQL injection weaknesses.
According to MITRE, this class of flaw occurs when a product constructs SQL statements using externally supplied input without adequately sanitizing special characters that could alter the intended query.
| Parameter | Detail |
|---|---|
| Advisory ID | GHSA-gmpc-j6h7-vw74 / CVE-2026-49490 |
| CVSS Score | 8.6 (High) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low (Authenticated) |
| User Interaction | None |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | None |
| Affected Versions | >= 0.9.1a |
| Patched Version | None available |
| CWE | CWE-89 |
The low attack complexity rating is particularly alarming — a threat actor needs only a valid low-privilege account and network access to the DataGrid endpoint to exploit this flaw. No additional user interaction or advanced tooling is required.
A successful exploit allows an authenticated attacker to inject and execute arbitrary SQL queries against the OpenCATS backend database. This translates to a range of high-impact outcomes:
- Exfiltrate candidate records — names, emails, phone numbers, resumes, and private recruiter notes
- Dump credential data — hashed passwords or session tokens stored in the database
- Manipulate hiring records — modify, insert, or delete candidate and job data
- Enumerate database structure — map table schemas to enable further lateral attacks
- Pivot to broader infrastructure — use leaked database credentials for lateral movement
This is compounded by the fact that OpenCATS instances are frequently exposed to internal networks or even the public internet, widening the potential attacker pool to any user with a standard account.
Notably, a separate but related SQL injection (CVE-2026-49489) was simultaneously disclosed, affecting the `sortDirection` parameter in OpenCATS’s `ajax/getDataGridPager.php` endpoint and enabling time-based blind injection attacks, confirming a pattern of insufficient input sanitization across the DataGrid module.
Mitigation
As of publication, no official patch exists for GHSA-gmpc-j6h7-vw74 / CVE-2026-49490. The OpenCATS maintainers have been notified, and the fix involves enforcing server-side validation that skips filter processing entirely for columns marked as `filterable => false` before any rendering logic executes.
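The defect described above (filter input for a non-filterable column reaching the query builder) and the fix described here (reject the column before any filter logic runs, and bind the value) side by side, as an added illustration. This is a simplified model written for this article, not OpenCATS code: the column map, table and sample rows are constructed, and the real DataGrid internals are not reproduced.

```python
"""Model of a DataGrid filter handler with a non-filterable column.

build_filter_vulnerable trusts any requested column and interpolates the
value; build_filter_hardened checks the column's filterable flag first and
binds the value as a parameter. SQLite in memory stands in for the database."""
import sqlite3

# Constructed column configuration modelled on the advisory's description.
COLUMNS = {
    "Name": {"sql": "name", "filterable": True},
    "Email": {"sql": "email", "filterable": True},
    "Tags": {"sql": "tags", "filterable": False},   # marked non-filterable
}


def build_filter_vulnerable(column, value):
    """Defective path: the filterable flag is never consulted and the filter
    value is concatenated into the SQL text verbatim."""
    col = COLUMNS[column]["sql"]
    return f"SELECT name, email FROM candidate WHERE {col} = '{value}'"


def build_filter_hardened(column, value):
    """Fixed path: unknown or non-filterable columns are refused before any
    SQL is built; the value travels as a bound parameter, never as SQL text."""
    spec = COLUMNS.get(column)
    if spec is None or not spec["filterable"]:
        raise ValueError(f"filtering on column {column!r} is not permitted")
    return f"SELECT name, email FROM candidate WHERE {spec['sql']} = ?", (value,)


def run_query(sql, params=()):
    """Execute against a fresh in-memory table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE candidate(name TEXT, email TEXT, tags TEXT);
        INSERT INTO candidate VALUES ('Alice', 'alice@example.test', 'python');
        INSERT INTO candidate VALUES ('Bob', 'bob@example.test', 'java');
    """)
    rows = conn.execute(sql, params).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    tautology = "' OR '1'='1"
    # Vulnerable: Tags filter accepted and the query is altered (both rows returned).
    print(run_query(build_filter_vulnerable("Tags", tautology)))
    # Hardened: the same value bound to a permitted column matches nothing.
    print(run_query(*build_filter_hardened("Name", tautology)))
```

Running the module shows the vulnerable path returning every candidate for a filter on the non-filterable Tags column, while the hardened path refuses Tags outright and treats the same string as a literal name.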
Until an official fix is released, administrators should apply the following interim mitigations:
- Restrict DataGrid endpoint access to trusted, verified internal users only through firewall rules or authentication gating
- Monitor database query logs for anomalous SQL patterns, particularly those involving the Tags column filter parameters
- Audit user accounts with access to the Candidates DataGrid and revoke unnecessary permissions
- Deploy a Web Application Firewall (WAF) with SQL injection detection rules targeting the affected endpoints
- Consider temporarily turning off the Candidates DataGrid module if the exposure risk is unacceptable
Organizations should closely monitor the OpenCATS GitHub repository for patch releases and apply updates immediately upon availability.
Site: thecybrdef.com