How is CVE-2026-49490 exploited?

Network reachability (required): The vulnerable DataGrid endpoint is exposed over the network, so the attacker must be able to reach the OpenCATS service via HTTP or HTTPS. Authentication (required): Any low-privilege account is sufficient; no administrative rights are needed to send crafted filter requests to the Candidates DataGrid. Victim interaction (not-required): The attacker sends requests directly to the server and does not need any other user to take an action. Attack complexity (info): Exploitation is reliable and condition-free: no race conditions, memory layout dependencies, or other environmental factors need to align for the injection to succeed.

What is the impact of CVE-2026-49490?

Reads all data stored in the OpenCATS database, including candidate records, contact details, resumes, and stored credentials or session tokens. Modifies or deletes persisted database rows, including candidate profiles, job pipeline data, and user account information. Enables privilege escalation within the application by overwriting user role or password data directly in the database.

Back to search

HIGHCVE-2026-49490Published 2026-05-31Modified 2026-05-31CNA VulnCheck

CVE-2026-49490: OpenCATS - SQL Injection in DataGrid Filter Handling for Tags Column

OpenCATS from version 0.9.1a contains an SQL injection vulnerability in DataGrid filter handling that allows authenticated attackers to inject SQL through crafted filters targeting the non-filterable Tags column in the Candidates DataGrid. Attackers can bypass column filterable restrictions by manipulating filter requests to execute arbitrary SQL queries against the database.

HarborGuard Analysis

HarborGuard analysis

Synopsis

SQL injection in OpenCATS affects the DataGrid filter handling for the Candidates module, reachable over the network by any authenticated user. An attacker with a low-privilege account can craft a malicious filter request targeting the Tags column to bypass filterable-column restrictions and execute arbitrary SQL queries against the underlying database. Successful exploitation gives the attacker full read and write access to database contents. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that package OpenCATS. No manual feed configuration is required for coverage to apply.

Available

Triage

HarborGuard scores this finding at CVSS 8.6 HIGH using the published v4.0 vector and weights it against each environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a remediated release appears. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once an upstream fix exists.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable DataGrid endpoint is exposed over the network, so the attacker must be able to reach the OpenCATS service via HTTP or HTTPS.
AuthenticationRequired
Any low-privilege account is sufficient; no administrative rights are needed to send crafted filter requests to the Candidates DataGrid.
Victim interactionNot required
The attacker sends requests directly to the server and does not need any other user to take an action.
Attack complexityDetail
Exploitation is reliable and condition-free: no race conditions, memory layout dependencies, or other environmental factors need to align for the injection to succeed.

Blast Radius

Reads all data stored in the OpenCATS database, including candidate records, contact details, resumes, and stored credentials or session tokens.
Modifies or deletes persisted database rows, including candidate profiles, job pipeline data, and user account information.
Enables privilege escalation within the application by overwriting user role or password data directly in the database.

How HarborGuard Handles This

Available on HarborGuard: this CVE is matched against images in customer registries and pipelines as of its publication date, with findings scored at CVSS 8.6 HIGH and routed per each organization's compliance policy. Because no upstream fix exists yet, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically when a remediated OpenCATS release is published. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression test run and a PR opened against affected workloads. In the interim, compensating controls worth considering include network-policy rules that restrict OpenCATS access to trusted internal IP ranges, egress filtering to prevent out-of-band SQL exfiltration techniques, and application-layer WAF rules that block abnormal filter parameter patterns on the Candidates DataGrid endpoint.

See how HarborGuard automates this

CVSS v4.0: 8.6
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

OpenCATS / OpenCATS
≤ 0.9.1a

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References