CVE-2026-0603
Description
A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application's database, resulting in an application-level denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Hibernate InlineIdsOrClauseBuilder fails to sanitize non-alphanumeric ID characters, enabling a second-order SQL injection that can lead to data disclosure or denial of service.
Vulnerability
Description
A second-order SQL injection flaw exists in Hibernate's InlineIdsOrClauseBuilder. The root cause is the insufficient sanitization of non-alphanumeric characters supplied in the ID column. When specially crafted input is processed, the builder does not properly escape or validate these characters, allowing them to be interpreted as SQL operators or identifiers in subsequent queries [1][2].
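As an added illustration (not Hibernate's own code), the hypothetical helper below builds the same kind of `(id = ... OR id = ...)` predicate that an inline-ids strategy emits, showing the unsafe inlining pattern beside a hardened form that rejects non-alphanumeric IDs and binds every value as a parameter. The class, method names and the `SAFE_ID` pattern are assumptions; the column name is treated as a trusted constant.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical helper, not Hibernate's InlineIdsOrClauseBuilder.
public final class SafeIdsOrClause {
    // Defense in depth: IDs expected to be alphanumeric are rejected before
    // they reach the query, whatever the binding strategy (assumed allow-list).
    private static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9_-]+");

    public static final class Clause {
        public final String sql;
        public final List<String> params;
        Clause(String sql, List<String> params) { this.sql = sql; this.params = params; }
    }

    // Unsafe pattern (illustration only): ID values concatenated into SQL text,
    // so any quote or operator character in an ID becomes part of the query.
    public static String inlineUnsafe(String column, List<String> ids) {
        StringBuilder sb = new StringBuilder("(");
        for (int i = 0; i < ids.size(); i++) {
            if (i > 0) sb.append(" OR ");
            sb.append(column).append(" = '").append(ids.get(i)).append("'");
        }
        return sb.append(")").toString();
    }

    // Hardened pattern: validate each ID, emit positional placeholders, and
    // return the bind list so the values never appear in the SQL string.
    public static Clause build(String column, List<String> ids) {
        List<String> params = new ArrayList<>();
        StringBuilder sb = new StringBuilder("(");
        for (int i = 0; i < ids.size(); i++) {
            String id = ids.get(i);
            if (!SAFE_ID.matcher(id).matches()) {
                throw new IllegalArgumentException("rejected non-alphanumeric id: " + id);
            }
            if (i > 0) sb.append(" OR ");
            sb.append(column).append(" = ?").append(i + 1);
            params.add(id);
        }
        return new Clause(sb.append(")").toString(), params);
    }

    public static void main(String[] args) {
        Clause c = build("id", List.of("a1", "b2"));   // constructed sample IDs
        System.out.println(c.sql + "  params=" + c.params);
        try {
            build("id", List.of("x' y"));               // constructed: quote and space
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```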
Exploitation
Details
An attacker with low privileges can exploit this flaw remotely. The vulnerability is classified as second-order because the malicious input is stored or passed through intermediate processing before reaching a vulnerable query path. No special network position is required beyond authenticated access to an application that uses the affected Hibernate component. The attacker must be able to control the value of a column used as an ID in queries that employ InlineIdsOrClauseBuilder [1][2].
Impact
Successful exploitation can result in the reading of sensitive system files, indicating potential access to arbitrary file contents through database functions like LOAD_FILE. Additionally, the attacker may be able to manipulate or delete data within the application's database. This data integrity impact, combined with the potential for extensive resource consumption from injected queries, leads to an application-level denial of service [1][2].
Mitigation
Red Hat has released errata advisories that include updated Hibernate packages (e.g., eap7-hibernate-5.3.38-1.Final_redhat_00001.1) for Red Hat Enterprise Linux 7, 8, and 9, as well as Red Hat JBoss Enterprise Application Platform [2][3][4]. Organizations should apply these updates promptly to remediate the vulnerability. No workarounds are documented in the provided references.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.hibernate:hibernate-core (Maven) | >= 5.2.8, <= 5.6.15 | — |
Affected products (1)
Patches (0)
No patches discovered yet.
References (10)
- github.com/advisories/GHSA-2p5w-cvg5-gc5c (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-0603 (GHSA, advisory)
- access.redhat.com/errata/RHSA-2026:4915 (NVD, web)
- access.redhat.com/errata/RHSA-2026:4916 (NVD, web)
- access.redhat.com/errata/RHSA-2026:4917 (NVD, web)
- access.redhat.com/errata/RHSA-2026:4924 (NVD, web)
- access.redhat.com/errata/RHSA-2026:6011 (NVD, web)
- access.redhat.com/errata/RHSA-2026:6012 (NVD, web)
- access.redhat.com/security/cve/CVE-2026-0603 (NVD, web)
- bugzilla.redhat.com/show_bug.cgi (NVD, web)