Skip to main content

Hibernate. CVE-2026-0603

HIGH
SQL Injection (CWE-89)
2026-01-23 secalert@redhat.com GHSA-2p5w-cvg5-gc5c
8.3
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
8.3 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Red Hat
8.3 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

3
Patch released
Apr 09, 2026 - 14:30 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Jan 23, 2026 - 07:15 nvd
HIGH 8.3

DescriptionCVE.org

A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application's database, resulting in an application level denial of service.

AnalysisAI

Hibernate's InlineIdsOrClauseBuilder is vulnerable to second-order SQL injection when processing non-alphanumeric characters in ID columns, allowing authenticated attackers to read sensitive data, modify database contents, or cause denial of service. The vulnerability requires low privileges and network access with no user interaction, making it exploitable by remote attackers with valid credentials. No patch is currently available.

Technical ContextAI

Classified as CWE-89 (SQL Injection). A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application's database, resulting in an application level denial of service.

Affected ProductsAI

Component: an application level denial of.

RemediationAI

Monitor vendor advisories for a patch. Use parameterized queries. Implement input validation. Restrict network access to the affected service where possible.

Vendor StatusVendor

Share

CVE-2026-0603 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy