CVE-2026-49489
Description
OpenCATS <=0.9.7.4 has a SQL injection flaw in the DataGrid sortDirection parameter allowing authenticated attackers to exfiltrate database contents via time-based blind injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
OpenCATS through version 0.9.7.4 contains a SQL injection vulnerability in the sortDirection parameter of the DataGrid component. The parameter is concatenated directly into SQL without validation in lib/DataGrid.php at line 1363 [2]. The entry point is ajax/getDataGridPager.php line 44, which passes $_REQUEST['p'] (JSON) directly to DataGrid::get() [2]. While the sortBy parameter is validated against a whitelist, sortDirection is not [2]. Any authenticated user can trigger the vulnerable code path.
Exploitation
An attacker must be an authenticated user of the OpenCATS application. They send a crafted HTTP request to the ajax.php endpoint with action getDataGridPager and a JSON payload containing a malicious sortDirection value. The attacker uses time-based blind injection with IF() and SLEEP() clauses within a subquery to infer data bit by bit [2][3]. The database used is MariaDB 10.6.25, and mysqli_query() is single-statement, preventing UNION or write operations but enabling full data extraction via binary search [2].
Impact
Successful exploitation allows an authenticated attacker to extract arbitrary database contents, including user credentials (usernames, password hashes, access levels), the database version, and the database name [2][3]. The impact is high on confidentiality (exposure of sensitive authentication data) and low on availability, because the injection relies on SLEEP(), which introduces a slight delay but no denial of service [4]. The vulnerability does not allow writes or direct command execution.
Mitigation
OpenCATS has not released a patched version; the latest affected version is 0.9.7.4 [1][2][3][4]. No official fix or workaround is available in the public references. Users should limit authentication to trusted personnel and monitor for anomalous SQL delays. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 31, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation on the sortDirection parameter allows direct concatenation into an SQL ORDER BY clause."
Attack vector
An authenticated attacker sends a GET request to `ajax.php` with `f=getDataGridPager` and a JSON payload in the `p` parameter containing a malicious `sortDirection` value [ref_id=1]. Because `sortDirection` is concatenated unsanitized into the SQL query, the attacker can inject subqueries such as `DESC,IF((SELECT password FROM user LIMIT 0,1)>'a',SLEEP(1.5),0)` to perform time-based blind SQL injection [ref_id=1]. The `mysqli_query()` function is single-statement, preventing writes or UNION queries, but subquery-based data extraction via `IF()`/`SLEEP()` binary search is fully effective [ref_id=1]. The attack requires only one GET request per probe, works on the default configuration, and any authenticated user can exploit it [ref_id=1].
Affected code
The vulnerability resides in `lib/DataGrid.php` at line 1363, where the `sortDirection` parameter is concatenated directly into an SQL `ORDER BY` clause without validation [ref_id=1]. The entry point is `ajax/getDataGridPager.php` line 44, which passes the JSON-decoded `$_REQUEST['p']` parameter (including `sortDirection`) to `DataGrid::get()` [ref_id=1]. While the `sortBy` parameter is validated against a whitelist, `sortDirection` receives no sanitization [ref_id=1].
What the fix does
No patch is published in the bundle. The advisory recommends validating the `sortDirection` parameter against a whitelist (e.g., only allowing `ASC` or `DESC`), similar to how `sortBy` is already validated [ref_id=1]. The remediation should be applied in `lib/DataGrid.php` at line 1363, where the `$this->_parameters['sortDirection']` value is concatenated into the SQL string [ref_id=1]. Until a fix is applied, users should restrict access to the DataGrid functionality or apply input validation at the application level.
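The whitelist approach the advisory recommends, as an added illustration that is not OpenCATS's own code: a small PHP builder for the `ORDER BY` fragment that keeps the vulnerable shape (direction passed through unchecked) next to a hardened version that accepts only `ASC` or `DESC`, plus a strict decoder for the JSON `p` parameter at the entry point. Function names, the column list and the sample requests are assumptions constructed for the example.

```php
<?php
// Added illustrative example, not code from the OpenCATS project. Function
// names, sortable columns and sample requests are constructed for the demo.

declare(strict_types=1);

/**
 * Vulnerable pattern as described in the advisory: sortBy is checked against
 * a whitelist but sortDirection is appended to the SQL string verbatim.
 * Kept here only to contrast with the hardened builder below.
 */
function buildOrderByVulnerable(array $params, array $sortableColumns): string
{
    $sortBy = in_array($params['sortBy'] ?? '', $sortableColumns, true)
        ? $params['sortBy']
        : $sortableColumns[0];
    // No check on sortDirection: whatever arrived in the JSON lands in the query.
    return 'ORDER BY ' . $sortBy . ' ' . ($params['sortDirection'] ?? 'ASC');
}

/**
 * Hardened builder: both fragments are mapped through whitelists. The
 * direction is normalised and must equal exactly ASC or DESC; anything else
 * is rejected instead of being passed through.
 */
function buildOrderByHardened(array $params, array $sortableColumns): string
{
    $sortBy = $params['sortBy'] ?? '';
    if (!in_array($sortBy, $sortableColumns, true)) {
        throw new InvalidArgumentException('sortBy is not a sortable column');
    }

    $direction = strtoupper(trim((string) ($params['sortDirection'] ?? 'ASC')));
    if ($direction !== 'ASC' && $direction !== 'DESC') {
        throw new InvalidArgumentException('sortDirection must be ASC or DESC');
    }

    // Both pieces are now fixed literals chosen by the server, not request text.
    return sprintf('ORDER BY %s %s', $sortBy, $direction);
}

/**
 * Entry-point side: decode the JSON "p" parameter strictly and require an
 * object, so malformed input fails closed before it reaches the grid.
 */
function decodeGridParameters(string $json): array
{
    $params = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($params)) {
        throw new InvalidArgumentException('DataGrid parameters must be a JSON object');
    }
    return $params;
}

// Constructed sample inputs: a benign request and one whose direction value
// carries extra SQL after the keyword, the shape the advisory describes.
$sortable = ['date_created', 'last_name', 'access_level'];
$benign   = decodeGridParameters('{"sortBy":"last_name","sortDirection":"desc"}');
$hostile  = decodeGridParameters('{"sortBy":"last_name","sortDirection":"DESC,SLEEP(1.5)"}');

echo buildOrderByVulnerable($hostile, $sortable), PHP_EOL;
echo buildOrderByHardened($benign, $sortable), PHP_EOL;
try {
    buildOrderByHardened($hostile, $sortable);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Running the script with `php` prints the unsafe clause with the trailing SQL intact, the hardened clause for the benign request, and a rejection for the hostile one. The hardened builder deliberately refuses unknown values rather than silently defaulting to `ASC`, so a validation failure is visible in application logs instead of being masked.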
Preconditions
- Authentication: attacker must be an authenticated user of the OpenCATS application
- Network: attacker must be able to reach the ajax.php endpoint over the network
- Configuration: no special configuration required; works on a default installation
Reproduction
1. Start the Docker environment: `cd poc && docker compose up -d --build` (wait ~10 seconds) [ref_id=1].
2. Run the PoC script: `python -u poc.py` (defaults to `http://localhost:8888`, user `admin`, password `cats`) [ref_id=1].
3. The script confirms injection by measuring baseline vs. sleep timing, then extracts the database version, database name, user count, and each user's name, access level, and password hash via time-based blind SQL injection [ref_id=1].
4. Verify extracted data: `docker exec poc-db-1 mysql -uopencats -popencats123 opencats -e "SELECT user_name, access_level, password FROM user;"` [ref_id=1].
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions (0)
No linked articles in our index yet.