Executive Summary

CVE-2026-49490 is a high-severity SQL injection vulnerability found in OpenCATS versions up to and including 0.9.1a. It affects the DataGrid filter handling mechanism, specifically targeting the non-filterable Tags column in the Candidates DataGrid.

The vulnerability allows authenticated attackers to bypass the intended filter restrictions by crafting malicious filter requests that inject arbitrary SQL commands through the Tags column, which is supposed to be non-filterable.

This happens because the server-side processing does not properly neutralize special elements in SQL commands, leading to the execution of arbitrary SQL queries against the database.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including unauthorized execution of arbitrary SQL queries on the database.

• Attackers can bypass filter restrictions to access or manipulate sensitive data.
• It can compromise the confidentiality and integrity of the database.
• Since the attacker must be authenticated, it poses a risk from insider threats or compromised accounts.
• There is no patch available yet, so mitigation is limited to restricting access to affected endpoints, which does not fully resolve the issue.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves SQL injection through crafted filters targeting the non-filterable Tags column in the Candidates DataGrid of OpenCATS. Detection would involve monitoring or testing for unusual or crafted filter requests sent to the DataGrid endpoint that manipulate the Tags column filter parameter.

Since the vulnerability requires authenticated access, detection commands or tests should be performed with valid credentials.

A possible approach is to use tools like curl or Burp Suite to send crafted HTTP requests to the DataGrid filter endpoint, attempting to inject SQL payloads in the filter parameter for the Tags column and observe if the server responds with SQL errors or unexpected data.

• Example curl command to test injection (replace URL and authentication accordingly):
• curl -X POST -d 'filter[Tags]=1 OR 1=1--' -b 'session=your_auth_cookie' https://your-opencats-instance/DataGridEndpoint

If the response contains SQL errors or returns data that should be restricted, it indicates the presence of the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the affected DataGrid endpoints to only trusted and authenticated users, as the vulnerability requires authentication.

Since there is currently no patch available, administrators should limit user permissions and monitor for suspicious activity involving the Candidates DataGrid filter functionality.

Additionally, consider implementing web application firewall (WAF) rules to detect and block SQL injection attempts targeting the Tags column filter.

Plan to upgrade OpenCATS to a fixed version once a patch is released.

Useful 0 Not Useful 0

Compliance Impact

The SQL injection vulnerability in OpenCATS allows authenticated attackers to execute arbitrary SQL queries, potentially compromising the confidentiality and integrity of sensitive data stored in the database.

Such a compromise can lead to unauthorized access or manipulation of personal or protected health information, which may result in non-compliance with data protection regulations like GDPR and HIPAA that require safeguarding data confidentiality and integrity.

Therefore, this vulnerability poses a significant risk to compliance with these common standards and regulations by exposing sensitive data to unauthorized access or alteration.

Useful 0 Not Useful 0