A high-severity SQL injection vulnerability has been discovered in OpenCATS, the widely used open-source applicant tracking system, allowing authenticated attackers to exfiltrate or manipulate sensitive candidate database records through a crafted filter bypass targeting a non-filterable Tags column.
Security researcher anonymoususer72041 published advisory GHSA-gmpc-j6h7-vw74 on April 23, 2026, revealing that OpenCATS versions 0.9.1a and later are affected, with no officially patched release available as of this writing.
The vulnerability has been classified as High severity under the CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) weakness category, with a CVSS v3.1 vector that rates both the confidentiality and the integrity impact as High.
At the heart of this vulnerability is a fundamental flaw in how OpenCATS handles server-side DataGrid filter processing. The Candidates DataGrid includes a “Tags” column that is explicitly marked with filterable => false in the column configuration, a developer-level control intended to prevent that column from being used as a queryable filter.
However, OpenCATS fails to enforce this restriction at the server-side filter processing layer. The application still exposes filter metadata for non-filterable columns and accepts crafted filter input targeting those columns through manipulated HTTP requests.
This means an attacker can send a specially crafted request that names the Tags column as a filter parameter; the application builds that filter into its SQL query without neutralizing the input, so the database executes whatever SQL the attacker appended.
This class of vulnerability, in which a UI-layer restriction is not mirrored by server-side enforcement, is a classic and dangerous implementation flaw: the client is trusted to honour a rule the server never checks.
The attacker never needs to touch the front-end interface; they only need network access to the DataGrid endpoint and valid credentials.
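To make the flaw concrete, here is an added Python example (not OpenCATS code, which is PHP) that models the two sides of the DataGrid filter logic described above: a query builder that ignores the filterable flag and splices the filter value into the SQL string, next to a hardened builder that skips non-filterable columns before any SQL is built and binds the value as a parameter. The table and column names, the sample rows and the payload are assumptions constructed for the example.

```python
import sqlite3

# Server-side column configuration modelled on a DataGrid: each column
# carries a "filterable" flag that the UI honours when it renders filter
# controls. Table and column names are assumptions for this example, not
# OpenCATS's real schema.
COLUMNS = {
    "first_name": {"sql": "first_name", "filterable": True},
    "last_name":  {"sql": "last_name",  "filterable": True},
    "tags":       {"sql": "tags",       "filterable": False},  # UI-only restriction
}

BASE_SELECT = "SELECT id, first_name, last_name, email FROM candidate"


def build_query_vulnerable(filters):
    """Vulnerable pattern: the server trusts any known column named in the
    request (the filterable flag is never consulted) and splices the filter
    value straight into the SQL string."""
    clauses = []
    for column, value in filters.items():
        if column not in COLUMNS:
            continue
        clauses.append(f"{COLUMNS[column]['sql']} LIKE '%{value}%'")
    where = " AND ".join(clauses) or "1=1"
    return f"{BASE_SELECT} WHERE {where}"


def build_query_hardened(filters):
    """Hardened pattern: drop every column marked filterable=False before any
    SQL is built (the fix the advisory describes), take the column name only
    from the server-side config, and bind the value as a parameter."""
    clauses, params = [], []
    for column, value in filters.items():
        meta = COLUMNS.get(column)
        if meta is None or not meta["filterable"]:
            continue  # unknown or non-filterable column: ignore the filter entirely
        clauses.append(f"{meta['sql']} LIKE ?")
        params.append(f"%{value}%")
    where = " AND ".join(clauses) or "1=1"
    return f"{BASE_SELECT} WHERE {where}", params


def make_db():
    """In-memory SQLite database populated with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE candidate(id INTEGER, first_name TEXT, last_name TEXT,
                               email TEXT, tags TEXT);
        CREATE TABLE user(id INTEGER, user_name TEXT, password TEXT);
        INSERT INTO candidate VALUES (1, 'Ada', 'Lovelace', 'ada@example.com', 'python'),
                                     (2, 'Alan', 'Turing', 'alan@example.com', 'crypto');
        INSERT INTO user VALUES (1, 'admin', '$2y$10$constructed-hash');
    """)
    return conn


# Constructed filter value aimed at the non-filterable "tags" column. In the
# vulnerable builder it closes the LIKE literal, appends a UNION that pulls
# rows from the user table, and comments out the rest of the query.
PAYLOAD = "zzz%' UNION SELECT id, user_name, password, 'pwned' FROM user -- "


def demo():
    """Runs the same request through both builders and returns both result sets."""
    conn = make_db()
    vuln_rows = conn.execute(build_query_vulnerable({"tags": PAYLOAD})).fetchall()
    sql, params = build_query_hardened({"tags": PAYLOAD, "last_name": "Turing"})
    safe_rows = conn.execute(sql, params).fetchall()
    return vuln_rows, safe_rows


if __name__ == "__main__":
    vuln, safe = demo()
    print("vulnerable builder returned:", vuln)  # credential row from the user table
    print("hardened builder returned:", safe)    # only the legitimate last_name match
```

The hardened builder deliberately does two things, because either one alone is insufficient: honouring the filterable flag on the server stops the Tags column from reaching the query at all, and parameter binding ensures that even a filterable column cannot be abused with a crafted value.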
The vulnerability carries a CVSS 3.1 vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, which translates to a straightforward and alarming risk profile:
| CVSS Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low (authenticated) |
| User Interaction | None |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | None |
The low attack complexity means no advanced exploitation skills are required. Any low-privileged user, such as a recruiter or HR staff member with a valid login, can potentially exploit this flaw.
The high confidentiality and integrity impact means attackers can both read sensitive candidate data (names, resumes, contact details, employment history) and modify or delete database records.
Notably, this vulnerability has no CVE identifier assigned at this time, which means it may not yet appear in mainstream vulnerability scanners that rely solely on CVE feeds, increasing the risk of unpatched deployments going undetected.
This disclosure joins a string of recent OpenCATS advisories. In May 2026, a separate remote code execution (RCE) vulnerability in OpenCATS 0.9.4 was disclosed (GHSA-6w77-cp2c-mfxq), allowing unauthenticated attackers to execute arbitrary commands by uploading malicious PHP files disguised as resume attachments through the careers job application endpoint.
In April 2026, another critical flaw, CVE-2026-27760, was published, revealing that OpenCATS’ installer AJAX endpoint allowed unauthenticated PHP code injection that persisted in config.php and executed on every subsequent page load.
The pattern is clear: OpenCATS has systemic deficiencies in input validation and server-side enforcement across multiple endpoints.
Security teams running OpenCATS in production, particularly HR departments and staffing agencies handling thousands of candidate records, face compounding risk from these cascading vulnerabilities.
As of the advisory publication, no patched release exists for GHSA-gmpc-j6h7-vw74. The vendor’s recommended fix is to skip server-side filter processing for every column marked as non-filterable before any rendering logic executes, a straightforward code-level change that has not yet shipped in a release.
Until a patch is available, administrators should take the following steps:
- Restrict DataGrid endpoint access to only highly trusted, administratively verified users; do not expose the Candidates DataGrid to general authenticated users.
- Implement a Web Application Firewall (WAF) with SQL injection detection rules targeting filter parameters in OpenCATS requests.
- Monitor database query logs for anomalous filter-based queries referencing the Tags column.
- Audit user accounts with access to the Candidates module and immediately revoke low-privilege accounts that do not require DataGrid access.
- Consider temporarily turning off the Candidates DataGrid endpoint until a fix is issued if your threat model cannot tolerate the risk.
Administrators should note that the vendor explicitly warns that there is no complete application-level workaround; access restrictions reduce exposure but do not eliminate the vulnerability.
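As an added example of the log-monitoring step above (not a tool from the OpenCATS project), the following Python detector parses MySQL general-log records and flags two things: any query against the candidate table whose WHERE clause filters on a column the grid marks non-filterable, which a legitimate grid request should never produce, and generic injection markers such as UNION SELECT, comment sequences or tautologies inside the filter. The log lines and the table and column names are constructed assumptions; the general-log record layout (timestamp, thread id, command, argument) is MySQL's own.

```python
import re

# Constructed MySQL general-log lines standing in for the database log of an
# OpenCATS deployment; not real traffic. The table and column names
# ("candidate", "tags", "user") are assumptions for this example.
SAMPLE_LOG = """\
2026-04-23T10:15:02.000001Z\t   17 Connect\trecruiter@10.0.0.5 on opencats
2026-04-23T10:15:02.000002Z\t   17 Query\tSELECT id, first_name, last_name FROM candidate WHERE last_name LIKE '%Turing%' LIMIT 15
2026-04-23T10:15:03.000003Z\t   17 Query\tSELECT id, first_name, last_name FROM candidate WHERE tags LIKE '%python%' LIMIT 15
2026-04-23T10:15:04.000004Z\t   17 Query\tSELECT id, first_name, last_name FROM candidate WHERE tags LIKE '%zzz%' UNION SELECT id, user_name, password FROM user -- %' LIMIT 15
2026-04-23T10:15:05.000005Z\t   17 Query\tUPDATE candidate SET notes = 'ok' WHERE id = 2
2026-04-23T10:15:06.000006Z\t   17 Quit\t
"""

# General-log record: timestamp, thread id, command, argument.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")

# Columns the DataGrid marks filterable=False; a legitimate grid request
# should never produce a WHERE clause on them, so any hit is worth a look.
NON_FILTERABLE = {"candidate": {"tags"}}

# Generic injection markers inside a WHERE clause; tune to your own workload.
INJECTION_MARKERS = [
    ("union-based select", r"\bUNION\b.*\bSELECT\b"),
    ("SQL comment in filter", r"(--|#|/\*)"),
    ("tautology", r"\bOR\s+'?(\w+)'?\s*=\s*'?\1'?"),
    ("time-based probe", r"\b(SLEEP|BENCHMARK)\s*\("),
    ("schema enumeration", r"\binformation_schema\b"),
]


def where_clause(sql):
    """Returns everything after the first WHERE keyword (empty if none)."""
    m = re.search(r"\bWHERE\b(.*)$", sql, re.I | re.S)
    return m.group(1) if m else ""


def classify_query(sql):
    """Returns the list of reasons a query looks like filter abuse (empty = clean)."""
    where = where_clause(sql)
    reasons = []
    for table, cols in NON_FILTERABLE.items():
        if not re.search(rf"\b(FROM|UPDATE|INTO)\s+`?{table}`?\b", sql, re.I):
            continue
        for col in cols:
            if re.search(rf"\b`?{col}`?\s*(?:=|<>|<|>|LIKE\b|IN\b|REGEXP\b)", where, re.I):
                reasons.append(f"filter on non-filterable column {table}.{col}")
    for name, pattern in INJECTION_MARKERS:
        if re.search(pattern, where, re.I):
            reasons.append(name)
    return reasons


def find_suspicious(log_text):
    """Scans general-log text and returns one finding per suspicious Query record."""
    findings = []
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw)
        if not m or m["cmd"] != "Query":
            continue
        reasons = classify_query(m["arg"])
        if not reasons:
            continue
        # A filter on a non-filterable column alone is a policy violation;
        # any injection marker on top of it is treated as an active attack.
        severity = "high" if any(not r.startswith("filter on") for r in reasons) else "medium"
        findings.append({"ts": m["ts"], "thread": m["thread"], "severity": severity,
                         "reasons": reasons, "sql": m["arg"]})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f["ts"], "thread", f["thread"], f["severity"].upper(), "; ".join(f["reasons"]))
        print("   ", f["sql"])
```

The non-filterable check is the more valuable of the two signals for this advisory: a tags filter in a candidate query is abnormal on its own, whether or not the value carries an obvious injection marker, and it does not depend on an attacker using a payload the marker list happens to know. Enabling the general log is expensive on busy instances, so run this against a short capture window or against the audit plugin's output instead.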
FAQ
Q1. Who is affected by the OpenCATS GHSA-gmpc-j6h7-vw74 SQL injection vulnerability?
All OpenCATS deployments running version 0.9.1a or later are affected, and no patched version is currently available.
Q2. Does an attacker need admin privileges to exploit this flaw?
No, only low-level authenticated access (e.g., a standard recruiter login) is required to reach the Candidates DataGrid endpoint and inject SQL.
Q3. What data is at risk from this SQL injection attack?
Candidate records, including personal information, resumes, employment history, and any database content accessible via the back-end SQL context, are at risk, with both confidentiality and integrity rated High.
Q4. Is there a CVE assigned to this OpenCATS SQL injection vulnerability?
No CVE identifier has been assigned as of the advisory date, so automated vulnerability scanners that rely solely on CVE databases may not flag this flaw.
Site: thecybrdef.com