CVE-2026-49489: OpenCATS ATS SQL Injection via sortDirection Parameter

A SQL injection vulnerability in OpenCATS through 0.9.7.4 allows authenticated attackers to extract database contents by injecting malicious SQL via the sortDirection parameter in the DataGrid component.

Dylan H.

Security Team

June 1, 2026
5 min read

Affected Products

  • OpenCATS 0.9.7.4 and earlier

CVE-2026-49489: SQL Injection in OpenCATS via DataGrid sortDirection

A SQL injection vulnerability tracked as CVE-2026-49489 has been disclosed in OpenCATS, a popular open-source Applicant Tracking System (ATS). The flaw exists in the sortDirection parameter of the DataGrid component, accessible via ajax/getDataGridPager.php. Authenticated attackers can inject malicious SQL to perform time-based blind injection, enabling extraction of the full database contents.

The vulnerability was published on May 31, 2026, with a CVSS v3.1 score of 8.5 (High).


Vulnerability Overview

Attribute                Value
CVE ID                   CVE-2026-49489
CVSS Score               8.5 (High)
CWE Classification       CWE-89 — SQL Injection
Affected Component       ajax/getDataGridPager.php (DataGrid component)
Vulnerable Parameter     sortDirection
Attack Vector            Network (Remote)
Authentication Required  Yes (authenticated user)
Privileges Required      Low
Injection Type           Time-Based Blind SQL Injection
Published                May 31, 2026

Affected Products

Product     Affected Versions
OpenCATS    Through 0.9.7.4

OpenCATS is a widely deployed open-source ATS used by HR departments, recruiting agencies, and enterprises to manage job applications, candidate pipelines, and hiring workflows. The software stores sensitive information including applicant resumes, personal contact details, employment history, and internal recruiter notes.


Technical Details

Root Cause

The DataGrid component in OpenCATS provides paginated, sortable data tables used throughout the application. The sortDirection parameter controls the sort order (ASC or DESC) for query results. The parameter is passed directly into a SQL ORDER BY clause without sanitization:

// Vulnerable pattern in getDataGridPager.php
$sortDirection = $_GET['sortDirection']; // or POST
$query = "SELECT * FROM candidates ORDER BY last_name " . $sortDirection . " LIMIT ...";

Prepared-statement placeholders bind values, not identifiers or keywords, so neither the ORDER BY column nor the ASC/DESC direction can be parameterized in standard SQL. The only reliable control is explicit allowlist validation before the value reaches the query, and that validation is absent in the vulnerable code.

Exploitation

Time-Based Blind Injection

The vulnerability supports time-based blind injection, allowing attackers to extract data character by character by measuring response delays:

GET /ajax/getDataGridPager.php?sortDirection=ASC%20AND%20SLEEP(5)--

A 5-second delay in the response confirms the injection is successful.

Automated Extraction with sqlmap

sqlmap -u "http://target/ajax/getDataGridPager.php?sortDirection=ASC" \
  --technique=T \
  --cookie="PHPSESSID=<session>" \
  --dbs \
  --level=3

Data Available for Extraction

From the OpenCATS database schema, an attacker can access:

  • candidates — Full applicant profiles including names, emails, phone numbers, addresses
  • user — System user credentials (username, password hashes, email)
  • joborder — Open and closed job postings with internal notes
  • activity — Recruiter activity logs and communication history
  • attachment — Resume and document file references

Why ORDER BY Injection is Underestimated

SQL injection via ORDER BY parameters is frequently overlooked during code reviews and security audits because:

  1. It cannot be mitigated with standard parameterized query patterns
  2. Developers often assume only WHERE clauses require sanitization
  3. The parameter appears innocuous — it accepts only ASC or DESC in normal use
  4. Automated scanners may miss it if they focus on error-based or union-based payloads

The correct fix is allowlist validation before the value reaches any query:

// Secure replacement
$allowedDirections = ['ASC', 'DESC'];
$sortDirection = strtoupper($_GET['sortDirection'] ?? 'ASC');
if (!in_array($sortDirection, $allowedDirections, true)) {
    $sortDirection = 'ASC';
}

Impact Assessment

Area                        Impact
Candidate Privacy           Full applicant PII including contact info and employment history exposed
Credential Theft            System user accounts and password hashes extractable
Business Intelligence       Internal job postings, pipeline status, and hiring notes accessible
Legal/Regulatory            GDPR, PIPEDA, CCPA applicant data protection obligations implicated
Attacker Skill Requirement  Low — time-based SQLi is fully automatable with sqlmap

Remediation

Fix the sortDirection Parameter

The immediate fix is allowlist validation of the sortDirection parameter before it is used in any database query:

$allowed = ['ASC', 'DESC'];
$dir = strtoupper(trim($_REQUEST['sortDirection'] ?? 'ASC'));
$sortDirection = in_array($dir, $allowed, true) ? $dir : 'ASC';

Audit All DataGrid Usages

The getDataGridPager.php file may be used by multiple DataGrid instances across the application. Audit every caller to verify that all sort column and direction parameters are validated before use in SQL.
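The allowlist fix above, extended to cover the sort column as well as the direction (as the audit paragraph asks), is shown here as an added PHP example. It is not OpenCATS code: the table name candidates and the last_name column come from the vulnerable snippet in this advisory, while the other column names, the sortColumn/maxResults/page parameter names and the PDO wiring are assumptions. It also shows the split a reviewer should look for: identifiers and keywords go through an allowlist, values go through bound parameters.

```php
<?php
// Added example, not OpenCATS code: build the ORDER BY ... LIMIT tail of a
// pager query from untrusted request input. Identifiers and keywords cannot
// be bound through prepared-statement placeholders, so the column and the
// direction are mapped through allowlists; the LIMIT/OFFSET values are data
// and are bound as integers. Table and column names are assumed.
declare(strict_types=1);

// Client-facing sort keys mapped to the only column identifiers that may
// ever reach the SQL string (hypothetical mapping).
const CANDIDATE_SORT_COLUMNS = [
    'lastName'  => 'candidates.last_name',
    'firstName' => 'candidates.first_name',
    'modified'  => 'candidates.date_modified',
];

const SORT_DIRECTIONS = ['ASC', 'DESC'];

/**
 * Returns [$sqlFragment, $boundParams]. Anything not on an allowlist falls
 * back to a safe default rather than being interpolated.
 */
function buildPagerTail(array $request, array $columns = CANDIDATE_SORT_COLUMNS): array
{
    // Direction: normalise, then compare strictly against the two keywords.
    $dir = strtoupper(trim((string)($request['sortDirection'] ?? 'ASC')));
    if (!in_array($dir, SORT_DIRECTIONS, true)) {
        $dir = 'ASC';
    }

    // Column: the request value is only a lookup key, never an identifier.
    $key = (string)($request['sortColumn'] ?? 'lastName');
    $column = $columns[$key] ?? reset($columns);

    // Page size and offset are values, so they are bound, not interpolated;
    // clamping keeps a hostile maxResults from turning into a full-table dump.
    $rows = max(1, min(200, (int)($request['maxResults'] ?? 15)));
    $page = max(0, (int)($request['page'] ?? 0));

    $sql = sprintf('ORDER BY %s %s LIMIT :limit OFFSET :offset', $column, $dir);
    return [$sql, [':limit' => $rows, ':offset' => $page * $rows]];
}

// Wiring the fragment into a PDO prepared statement. Binding with
// PDO::PARAM_INT matters: with emulated prepares a string-bound LIMIT would
// be quoted and rejected by MySQL. (Needs a live connection; not run here.)
function fetchCandidates(PDO $pdo, array $request): array
{
    [$tail, $params] = buildPagerTail($request);
    $stmt = $pdo->prepare('SELECT candidate_id, first_name, last_name FROM candidates ' . $tail);
    foreach ($params as $name => $value) {
        $stmt->bindValue($name, $value, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal request, and one carrying the payload shape
// from the advisory in both parameters. Both yield only allowlisted SQL.
[$normal]   = buildPagerTail(['sortDirection' => 'desc', 'sortColumn' => 'modified']);
[$injected] = buildPagerTail(['sortDirection' => 'ASC AND SLEEP(5)--', 'sortColumn' => 'last_name;--']);

if ($normal !== 'ORDER BY candidates.date_modified DESC LIMIT :limit OFFSET :offset'
    || $injected !== 'ORDER BY candidates.last_name ASC LIMIT :limit OFFSET :offset') {
    fwrite(STDERR, "unexpected pager fragment\n");
    exit(1);
}
echo "pager tail validated:\n  $normal\n  $injected\n";
```

Run it with `php pager_tail.php` (PHP 7.1 or later). The point of mapping sortColumn through a key-to-identifier table rather than checking the raw value against a pattern is that the raw request value never becomes part of the SQL string at all, which is what makes the audit of each DataGrid caller a simple question: does the fragment builder receive anything other than allowlist keys and bound values?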

Additional Hardening

  1. Upgrade OpenCATS — Check the official OpenCATS GitHub repository for patches addressing CVE-2026-49489
  2. Enable query logging — Review MySQL/MariaDB slow query logs for anomalous patterns such as SLEEP() calls
  3. Apply a WAF rule — Block requests where sortDirection contains characters beyond [A-Za-z]
  4. Review related parameters — The sortColumn parameter (which controls the ORDER BY column) may be similarly vulnerable and should be audited alongside sortDirection
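Hardening items 2 and 3 above describe checks that can also be run offline against existing logs. The following PHP script is an added example, not part of this advisory or of OpenCATS: it scans a MySQL/MariaDB slow query log for timing primitives and for SQL trailing an ORDER BY direction, and it applies the same letters-only rule to sortDirection (plus an identifier rule for sortColumn) over an Apache combined-format access log. The log entries, client addresses and timestamps are constructed; the heuristics are the script's own and are not a substitute for the code fix.

```php
<?php
// Added example, not OpenCATS code: offline log checks matching the
// hardening items in the advisory. Sample log entries below are constructed.
// Requires PHP 8.0+ (str_starts_with / str_ends_with).
declare(strict_types=1);

// --- 1. MySQL/MariaDB slow query log: flag timing primitives and ORDER BY
//        clauses that carry trailing SQL after the direction keyword.
function scanSlowQueryLog(string $log): array
{
    $findings = [];
    $time = $queryTime = null;
    $query = '';
    foreach (explode("\n", $log) as $line) {
        if (str_starts_with($line, '# Time: ')) {          // new entry header
            $time = substr($line, 8);
            $query = '';
            continue;
        }
        if (preg_match('/^# Query_time: ([\d.]+)/', $line, $m)) {
            $queryTime = (float)$m[1];
            continue;
        }
        if ($line === '' || $line[0] === '#' || str_starts_with($line, 'SET timestamp=')) {
            continue;                                       // other metadata
        }
        $query .= $line . ' ';
        if (!str_ends_with(rtrim($line), ';')) {
            continue;                                       // statement continues
        }
        $reason = null;
        if (preg_match('/\b(SLEEP|BENCHMARK)\s*\(/i', $query)) {
            $reason = 'timing primitive in query';
        } elseif (preg_match('/ORDER\s+BY\s+[\w.`]+\s+(ASC|DESC)\b(?!\s*(LIMIT\b|;))/i', $query)) {
            $reason = 'unexpected SQL after ORDER BY direction';
        }
        if ($reason !== null) {
            $findings[] = ['time' => $time, 'query_time' => $queryTime,
                           'reason' => $reason, 'query' => trim($query)];
        }
        $query = '';
    }
    return $findings;
}

// --- 2. Access log: the WAF rule from the advisory applied after the fact.
//        sortDirection must be letters only; sortColumn a plain identifier.
function scanAccessLog(string $log): array
{
    $rules = ['sortDirection' => '/^[A-Za-z]+$/', 'sortColumn' => '/^[A-Za-z0-9_.]+$/'];
    $findings = [];
    foreach (explode("\n", $log) as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+)/', $line, $m)) {
            continue;
        }
        [, $client, $when, $target] = $m;
        $qs = parse_url($target, PHP_URL_QUERY);
        if (!is_string($qs)) {
            continue;                                       // no query string
        }
        parse_str($qs, $params);                            // percent-decodes, as PHP would
        foreach ($rules as $name => $re) {
            if (isset($params[$name]) && !preg_match($re, (string)$params[$name])) {
                $findings[] = ['client' => $client, 'time' => $when,
                               'param' => $name, 'value' => (string)$params[$name]];
            }
        }
    }
    return $findings;
}

// Constructed slow-log excerpt: a slow but benign report query, then a pager
// query shaped like the advisory's payload. Query_time alone is not the signal.
$slowLog = <<<'LOG'
# Time: 2026-06-01T10:14:03.000000Z
# User@Host: opencats[opencats] @ localhost []  Id:    41
# Query_time: 6.214000  Lock_time: 0.000090 Rows_sent: 12000  Rows_examined: 480000
SET timestamp=1780308843;
SELECT * FROM activity WHERE date_created > '2026-01-01' ORDER BY date_created DESC;
# Time: 2026-06-01T10:15:22.000000Z
# User@Host: opencats[opencats] @ localhost []  Id:    42
# Query_time: 5.001234  Lock_time: 0.000100 Rows_sent: 0  Rows_examined: 1234
SET timestamp=1780308922;
SELECT * FROM candidates ORDER BY last_name ASC AND SLEEP(5)-- LIMIT 15;
LOG;

// Constructed access-log lines (Apache combined format): one injected request,
// one normal request.
$accessLog = <<<'LOG'
203.0.113.7 - - [01/Jun/2026:10:15:22 +0000] "GET /ajax/getDataGridPager.php?sortDirection=ASC%20AND%20SLEEP(5)-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Jun/2026:10:16:01 +0000] "GET /ajax/getDataGridPager.php?sortDirection=DESC&sortColumn=last_name HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
LOG;

foreach (scanSlowQueryLog($slowLog) as $f) {
    printf("[slowlog] %s (%.1fs) %s: %s\n", $f['time'], $f['query_time'], $f['reason'], $f['query']);
}
foreach (scanAccessLog($accessLog) as $f) {
    printf("[access] %s %s %s=%s\n", $f['time'], $f['client'], $f['param'], $f['value']);
}
```

Against a real deployment, feed the script the actual files (`php log_check.php` after swapping the heredocs for `file_get_contents()` of the slow log and access log). Two limits worth knowing: the access-log rule only sees GET query strings, so sortDirection sent in a POST body (which the vulnerable code also accepts) will not appear there, and the slow query log only records statements that exceed `long_query_time`, so a 5-second SLEEP shows up only if that threshold is at or below 5 seconds.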

OpenCATS in Production Environments

OpenCATS is often self-hosted by organizations that lack dedicated security teams. Many deployments run outdated versions with limited monitoring. Factors that increase real-world risk include:

  • Public-facing deployments — Recruiting portals are often internet-accessible for external applicants
  • Long-lived sessions — If an attacker obtains any user's session cookie, exploitation is straightforward
  • Rich data stores — ATS databases are high-value targets for data brokers, competitors, and ransomware operators

Key Takeaways

  1. CVE-2026-49489 is a CVSS 8.5 time-based blind SQL injection in OpenCATS through version 0.9.7.4
  2. The vulnerable parameter is sortDirection in ajax/getDataGridPager.php — an ORDER BY injection, which cannot be fixed with prepared statements alone
  3. The fix requires allowlist validation of the sort direction value before it reaches the query
  4. Exploitation is straightforward for authenticated users and fully automatable
  5. ATS databases contain highly sensitive applicant PII — organizations should treat this as a priority remediation

Sources

  • CVE-2026-49489 — NIST NVD
  • OpenCATS GitHub Repository