OpenCATS flaw exposes the entire candidate database (CVE-2026-49489)
OpenCATS (<=0.9.7.4) has SQL injection flaw CVE-2026-49489 (CVSS 8.5): any logged-in user can dump the candidate database. A public exploit exists; no fix yet.

Makoto Horikawa
Backend Engineer / AWS / Django
OpenCATS, the open-source applicant tracking system used by staffing agencies and in-house recruiters, has a flaw that lets an attacker read the contents of its database: CVE-2026-49489 (CVSS 8.5). On version 0.9.7.4 and earlier, any user who can log in can read the candidate resumes, contact details, and interview notes stored in the database. A proof-of-concept (PoC) program that automates the attack is already published on Exploit-DB.
SQL injection is a classic attack in which malicious database commands are smuggled in through ordinary input or page controls. Here, the injection point was left in the value that selects how a list is sorted. The issue was published on May 27, 2026 and is tracked as GitHub Security Advisory GHSA-8mc8-5gw6-c7w4, with VulnCheck as the assigning authority.
The catch is that 0.9.7.4 is also the current latest release. There is no official fixed version yet. Organizations that self-host OpenCATS need to apply operational mitigations now, while they wait for a patch.
What OpenCATS Is
OpenCATS is an applicant tracking system (ATS) that manages the whole hiring pipeline, from job postings to applications, screening, and offers. It dates back to the mid-2000s and is built on PHP and MySQL. It is typically self-hosted on a roughly $10/month VPS or a company server by small and mid-size staffing firms and recruiters who want to avoid per-seat SaaS fees. The GitHub repository has about 690 stars and 300 forks, and development is still active as of late May 2026.
That means what it stores is a concentrated pile of sensitive data: candidate names, email addresses, phone numbers, work histories, resume files, and interviewer evaluations — exactly the kind of personal information that data-protection laws are written to cover, and whose exposure typically triggers notification and reporting obligations. Candidates do not get to choose which software holds their information.
The Key to the Filing Cabinet Was Handed to Everyone With a Badge
A CVSS of 8.5 doesn't tell you who walks off with what. What makes this flaw dangerous comes down to one thing: the attack needs not "administrator rights" but merely "the ability to log in." It's worth naming who would want this, and what they take.
At a staffing firm, plenty of people can log in to OpenCATS: many recruiters, registered career advisers, contract recruiters, and former employees whose accounts were never deleted. The ones who come for it are rival agencies that want the entire candidate list, data brokers who resell job-seekers' contacts and current salaries as a roster, fraud rings that impersonate applicants to steal money, and ex-employees who log back in with an old ID to walk out with the client roster. What they carry off is every registered candidate's name, mobile number, and personal email, the PDF resumes, the raw notes an interviewer typed ("also interviewing elsewhere," "current salary 7M yen"), and the password hashes of the recruiter accounts themselves. The moment a crafted string is sent through that sort field even once, the contents of the registered candidate database are siphoned out wholesale.
Structurally, this is data exfiltration by insiders, or by anyone who has gained an insider foothold even once. The technique is a time-based blind SQL injection: even when no data appears on screen, the attacker sends commands like "if this condition is true, deliberately delay the database response by a few seconds," then infers the contents one character at a time from the timing. It looks tedious, but a Python script that does the whole job automatically is already on Exploit-DB, so an attacker can pull everything from the database name and table structure down to users' password hashes at the press of a button. Logging back in with a stolen administrator account puts not just reading but altering and deleting candidate data within reach.
What the "CVSS 8.5" label fails to convey is the real loss to a staffing firm. What leaks is not the company's own performance figures but the life details of individual job seekers who said "I trust you, so I'll talk to you about changing jobs" — and the instant that leaks, what the firm loses is the very foundation of the recruiting business: being a company you can entrust personal data to. Candidates can choose the firm, but not the software. That is exactly why the operator's preparations are what protect them.
What Is Happening (the Technical View)
The flaw is in the shared "DataGrid" component that powers list sorting and paging. Specifically, ajax/getDataGridPager.php, which handles AJAX requests, does not properly sanitize the sortDirection value it receives, so a crafted string sent through it reaches the database as unintended SQL. Because this value is only ever supposed to be "ascending or descending," the developers appear to have treated it as harmless and skipped validation.
The flaw was reported by Gabriel Rodrigues (TEXUGO) of the security research group HAKAI. The proof-of-concept he published first logs in to OpenCATS normally, then injects SQL combining IF() and SLEEP() into sortDirection, reading the database one character at a time based on whether the response is delayed. It is reported to have successfully extracted the database version, the database name, and users' usernames, access levels, and password hashes.
| Item | Details |
|---|---|
| CVE ID | CVE-2026-49489 |
| CVSS v3.1 | 8.5 (High) AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L |
| Type | SQL injection (CWE-89, time-based blind) |
| Location | sortDirection in ajax/getDataGridPager.php |
| Privilege required | Authenticated (ordinary user) |
| Affected versions | 0.9.7.4 and earlier (incl. current latest) |
| Fixed version | None yet (as of May 31, 2026) |
| Reporter | Gabriel Rodrigues (TEXUGO / HAKAI) |
| Disclosure date | May 27, 2026 |
A separate SQL injection in the OpenCATS DataGrid (in the Tags column's filter handling, GHSA-gmpc-j6h7-vw74) was reported around the same time. Together with this sort-field issue, it means missing input validation remains in several places on the list screens. The developers have been shipping security fixes — adding authorization checks to AJAX endpoints on May 26, for example — but no release bundling these has been published yet.
What To Do Now
With no official fix released, the focus for now is on operational mitigations. If you run OpenCATS yourself, consider the following.
1. Stop exposing it directly to the internet. Keep OpenCATS behind your internal network, a VPN, or IP allow-listing, and avoid leaving the login page reachable by anyone from outside. Since this attack requires "the ability to log in," simply narrowing the path to it sharply reduces the attack surface.
2. Audit accounts. Everyone who can log in is a potential attacker. Remove unused accounts for former employees, partners, and testing, and limit access to people still actively using it. Assuming password hashes have been taken, consider resetting all users' passwords.
3. Monitor and block suspicious access. Use a WAF (web application firewall) to detect malicious strings in sortDirection and bursts of abnormally slow queries. Review access logs going back in time for floods of repeated requests to ajax.php.
4. Wait for the official fix and apply it immediately. Keep an eye on the releases page and security advisories, and apply the fixed version as soon as it ships.
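As an added example (not code from OpenCATS, the advisory, or the PoC), the Python script below puts two defensive points from this article in one place: the strict allow-list check that the sortDirection handling described in the technical section should have performed, and the access-log review from step 3, run over constructed Apache-style log lines. The `f=` query parameter and the trailing response-time field are assumptions; it flags ajax.php requests whose sortDirection is anything other than ASC or DESC, marks the slow ones, and reports users who sent a burst of them.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# The only legitimate values for an ORDER BY direction. Checking input against
# this allow-list (not stripping "bad" characters) is the check the handler lacked.
ALLOWED_SORT_DIRECTIONS = {"ASC", "DESC"}

def is_valid_sort_direction(value):
    """True only for ASC or DESC (case-insensitive); everything else is rejected."""
    return value.strip().upper() in ALLOWED_SORT_DIRECTIONS

# Constructed sample lines (not real traffic): Apache combined format with the
# response time in microseconds (%D) appended. The f= parameter is assumed.
SAMPLE_LOG = """\
10.0.0.5 - alice [28/May/2026:09:00:01 +0000] "GET /ajax.php?f=getDataGridPager&sortDirection=ASC HTTP/1.1" 200 812 410000
10.0.0.9 - bob [28/May/2026:09:00:02 +0000] "GET /ajax.php?f=getDataGridPager&sortDirection=DESC HTTP/1.1" 200 815 390000
10.0.0.9 - bob [28/May/2026:09:00:03 +0000] "GET /ajax.php?f=getDataGridPager&sortDirection=ASC%27 HTTP/1.1" 200 812 5120000
10.0.0.9 - bob [28/May/2026:09:00:09 +0000] "GET /ajax.php?f=getDataGridPager&sortDirection=ASC%27 HTTP/1.1" 200 812 5090000
10.0.0.9 - bob [28/May/2026:09:00:15 +0000] "GET /ajax.php?f=getDataGridPager&sortDirection=ASC%27 HTTP/1.1" 200 812 430000
10.0.0.5 - alice [28/May/2026:09:00:20 +0000] "GET /index.php?m=candidates HTTP/1.1" 200 9120 210000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<usec>\d+)$'
)

def scan_log(lines, slow_threshold_s=3.0, burst_threshold=3):
    """Flag ajax.php requests whose sortDirection is off the allow-list; returns
    (hits, bursty_users). Many such requests from one user is the signature of a
    blind SQLi, which needs one timed request per character it reads."""
    hits, per_user = [], defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/ajax.php"):
            continue
        for value in parse_qs(url.query).get("sortDirection", []):  # %27 is decoded here
            if is_valid_sort_direction(value):
                continue
            seconds = int(m.group("usec")) / 1_000_000
            hits.append((m.group("user"), m.group("ip"), value, seconds, seconds >= slow_threshold_s))
            per_user[m.group("user")] += 1
    bursty = sorted(u for u, n in per_user.items() if n >= burst_threshold)
    return hits, bursty
```

On real logs, feed `scan_log` the lines of your access log and treat both a single off-allow-list hit and any bursty user as worth a password reset and a closer look at that account's session history.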
An applicant tracking system is, from an attacker's point of view, a shelf where a large amount of personal data sits neatly in one place. To keep on top of flaws lurking in other tools you self-host, see our OSS Supply Chain Scanner. If your organization self-hosts an open-source recruiting tool, this is a good moment to review your exposure and account hygiene.