OpenCATS SQL Injection (CVE-2026-49490) Allows Authenticated Database Access

The National Vulnerability Database has disclosed CVE-2026-49490, a high-severity SQL injection vulnerability affecting OpenCATS versions 0.9.1a and later. The flaw sits in the DataGrid filter handling and lets authenticated attackers inject SQL through crafted filter requests. The critical detail is that the per-column "filterable" restriction is not enforced server-side: by manipulating the filter request an attacker can filter on a column that the grid never intended to be filterable, and from there execute arbitrary SQL queries against the underlying database.

This isn't just a theoretical bypass; it's a direct path to data exfiltration or manipulation for anyone with valid credentials. The reported vector is the non-filterable 'Tags' column in the Candidates DataGrid, which turns a seemingly innocuous display column into a critical attack surface. Because the flaw requires authentication, the threat escalates rapidly if internal accounts are compromised or if attackers gain initial access through other means.

For defenders, this means patching OpenCATS immediately is paramount. An attacker who can authenticate can own your data. This isn't about complex zero-days; it's about a fundamental input validation failure that gives a low-privileged attacker high-impact capabilities. Review your OpenCATS instances and ensure all patches are applied to mitigate this risk.
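The pattern behind this class of bug, as an added illustration that is not OpenCATS code: a DataGrid declares some columns filterable and some not, but the check only lives in the UI, and the filter column and value are spliced straight into SQL. The example below uses a constructed SQLite schema and Python (OpenCATS itself is PHP) to show the weak builder next to a hardened one that enforces the filterable allowlist on the server and binds the value as a parameter. The table, columns and rows are invented for the demonstration.

```python
import sqlite3

# Constructed stand-in for a candidates table; not the OpenCATS schema.
SCHEMA = """
CREATE TABLE candidate (
    candidate_id INTEGER PRIMARY KEY,
    first_name   TEXT,
    last_name    TEXT,
    city         TEXT,
    tags         TEXT
);
"""

SAMPLE_ROWS = [
    (1, "Ada", "Lovelace", "London", "python,math"),
    (2, "Alan", "Turing", "Manchester", "crypto"),
    (3, "Grace", "Hopper", "Arlington", "cobol"),
]

# Column metadata as a DataGrid might declare it. 'tags' is displayed but
# flagged not filterable, mirroring the column named in the advisory.
COLUMNS = {
    "first_name": {"filterable": True},
    "last_name":  {"filterable": True},
    "city":       {"filterable": True},
    "tags":       {"filterable": False},
}


def open_db():
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO candidate VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_filter(conn, column, value):
    """Weak pattern: the client-supplied column name is trusted (the
    filterable flag is never consulted on the server) and the value is
    concatenated into the SQL text, so quoting in the value changes the
    query's meaning."""
    sql = f"SELECT candidate_id FROM candidate WHERE {column} = '{value}'"
    return [row[0] for row in conn.execute(sql)]


def safe_filter(conn, column, value):
    """Hardened pattern: the column must exist in the server-side metadata
    AND be flagged filterable, and the value only ever travels as a bound
    parameter. The column name reaching the SQL text is therefore one of
    the server's own constants, never the client's string."""
    meta = COLUMNS.get(column)
    if meta is None or not meta["filterable"]:
        raise ValueError(f"column {column!r} is not filterable")
    sql = f"SELECT candidate_id FROM candidate WHERE {column} = ?"
    return [row[0] for row in conn.execute(sql, (value,))]


if __name__ == "__main__":
    db = open_db()
    print(vulnerable_filter(db, "tags", "cobol"))   # non-filterable column accepted
    print(safe_filter(db, "city", "London"))
    try:
        safe_filter(db, "tags", "cobol")
    except ValueError as exc:
        print("rejected:", exc)
```

The important design point is that the allowlist check happens before the column name is used, so even a request that names a real but non-filterable column is refused rather than silently honoured, and the value never participates in query construction at all.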

What This Means For You

  • If your organization uses OpenCATS, specifically versions 0.9.1a or newer, you must prioritize patching for CVE-2026-49490 immediately. Authenticated attackers can exploit this SQL injection to execute arbitrary queries, leading to data compromise. Audit your OpenCATS logs for any unusual filter requests or database activity.

Detection Rules

Detection rules auto-generated for this advisory and mapped to MITRE ATT&CK. The rule below is in Sigma YAML.

Level: critical · ATT&CK: T1190 (Initial Access)

CVE-2026-49490 - OpenCATS SQL Injection via Tags Column Filter

Sigma YAML:

title: CVE-2026-49490 - OpenCATS SQL Injection via Tags Column Filter
id: scw-2026-05-31-ai-1
status: experimental
level: critical
description: |
  Detects the specific SQL injection pattern targeting the 'Tags' column in the Candidates DataGrid of OpenCATS, as described in CVE-2026-49490. This rule looks for requests to the dataGrid endpoint with a filter applied to the 'Tags' column that includes a common SQL injection payload like 'OR 1=1'.
author: SCW Feed Engine (AI-generated)
date: 2026-05-31
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-49490/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains: '/index.php?m=candidates&a=dataGrid'
    # Both substrings must be present in the query string. Listing the same
    # key twice (as a duplicate 'cs-uri-query|contains') is invalid YAML:
    # the second mapping silently replaces the first.
    cs-uri-query|contains|all:
      - 'filter[Tags]'
      - 'OR 1=1'
  # condition belongs at the detection level and names selections, not fields
  condition: selection
falsepositives:
  - Legitimate administrative activity
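What the rule above amounts to when run over web server logs, as an added example written here rather than taken from the feed: the script parses constructed W3C-style access log lines (date, time, client IP, method, URI stem, query string, status), URL-decodes the query string before matching, and flags two things separately. Any filter on the non-filterable 'Tags' column is the bypass itself and is worth a look even without a payload; a value that also contains the `OR 1=1` pattern raises the verdict. The log lines, IPs and field layout are invented for the demonstration.

```python
import re
from urllib.parse import parse_qs

# Constructed W3C-style access log (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
# Line 3 uses percent-encoded brackets and a lowercase 'or'; line 4 is a different module.
SAMPLE_LOG = """\
2026-05-31 14:02:11 10.0.0.5 GET /index.php m=candidates&a=dataGrid&filter[City]=London 200
2026-05-31 14:02:19 10.0.0.5 GET /index.php m=candidates&a=dataGrid&filter[Tags]=x'%20OR%201=1--%20 200
2026-05-31 14:02:25 10.0.0.9 GET /index.php m=candidates&a=dataGrid&filter%5BTags%5D=x%27+or+1%3D1+-- 500
2026-05-31 14:03:02 10.0.0.7 GET /index.php m=joborders&a=dataGrid&filter[Title]=OR%201=1 200
2026-05-31 14:05:40 10.0.0.5 GET /index.php m=candidates&a=dataGrid&filter[Tags]=cobol 200
"""

# Tolerates extra whitespace and case variation that a plain 'OR 1=1' substring would miss.
SQLI_RE = re.compile(r"\bor\s+1\s*=\s*1", re.IGNORECASE)


def parse_line(line):
    """Split one W3C-style line into named fields; return None on malformed input."""
    fields = line.split()
    if len(fields) != 7:
        return None
    date, time, c_ip, method, stem, query, status = fields
    return {"date": date, "time": time, "c-ip": c_ip, "method": method,
            "stem": stem, "query": query, "status": int(status)}


def classify(entry):
    """Mirror the Sigma rule's selection on a parsed entry.

    Returns None when the request is not a Candidates dataGrid request that
    filters on 'Tags', 'tags-filter' when it is (the filterable bypass alone),
    and 'tags-filter+sqli' when the Tags value also carries the OR 1=1 pattern.
    """
    if not entry["stem"].endswith("/index.php"):
        return None
    # parse_qs percent-decodes keys and values, so '%5BTags%5D' and '+' are handled.
    params = parse_qs(entry["query"], keep_blank_values=True)
    if params.get("m") != ["candidates"] or params.get("a") != ["dataGrid"]:
        return None
    tag_values = params.get("filter[Tags]")
    if tag_values is None:
        return None
    if any(SQLI_RE.search(v) for v in tag_values):
        return "tags-filter+sqli"
    return "tags-filter"


def scan(log_text):
    """Run the classifier over every line and return the hits in log order."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict is not None:
            hits.append({"c-ip": entry["c-ip"], "time": entry["time"],
                         "status": entry["status"], "verdict": verdict,
                         "tags_filter": parse_qs(entry["query"])["filter[Tags]"]})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Two practical notes. First, the rule's `cs-uri|contains` string includes the `?` and query parameters; in logs that split the stem and query into separate fields (as the sample format does) that substring never appears in the stem field, so the matcher here keys on the decoded `m` and `a` parameters instead. Second, decoding before matching matters: the third sample line would slip past a literal `filter[Tags]` substring check because its brackets are percent-encoded in the raw log.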

Source: Shimi's Cyber World

Indicators of Compromise

ID              Type   Indicator
CVE-2026-49490  SQLi   OpenCATS versions from 0.9.1a
CVE-2026-49490  SQLi   DataGrid filter handling
CVE-2026-49490  SQLi   non-filterable Tags column in Candidates DataGrid

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 31, 2026 at 16:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
