{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0603", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-01-05T13:18:55.616Z", "datePublished": "2026-01-23T06:31:38.975Z", "dateUpdated": "2026-01-23T07:13:43.935Z"}, "containers": {"cna": {"title": "Org.hibernate/hibernate-core: hibernate: information disclosure and data deletion via second-order sql injection", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application's database, resulting in an application level denial of service."}], "affected": [{"versions": [{"status": "affected", "version": "5.2.8", "versionType": "semver", "lessThanOrEqual": "5.6.15"}], "packageName": "org.hibernate/hibernate-core", "collectionURL": "https://github.com/hibernate/hibernate-orm", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat AMQ Broker 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "hibernate-core", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:amq_broker:7"]}, {"vendor": "Red Hat", "product": "Red Hat build of OptaPlanner 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "hibernate-core", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:optaplanner:::el6"]}, {"vendor": "Red Hat", "product": "Red Hat Data Grid 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "hibernate-core", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:jboss_data_grid:8"]}, {"vendor": "Red Hat", "product": "Red Hat Fuse 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "hibernate-core", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:jboss_fuse:7"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "hibernate-core", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "hibernate-core", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "hibernate-core", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:jbosseapxp"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift AI (RHOAI)", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhoai/odh-trustyai-service-rhel8", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:openshift_ai"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift AI (RHOAI)", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhoai/odh-trustyai-service-rhel9", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:openshift_ai"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Dev Spaces", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "devspaces/openvsx-rhel9", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:openshift_devspaces:3"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Dev Spaces", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "devspaces/pluginregistry-rhel9", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:openshift_devspaces:3"]}, {"vendor": "Red Hat", "product": "Red Hat Process Automation 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "hibernate-core", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:jboss_enterprise_bpms_platform:7"]}, {"vendor": "Red Hat", "product": "Red Hat Satellite 6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "candlepin", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:satellite:6"]}, {"vendor": "Red Hat", "product": "Red Hat Satellite 6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "satellite:el8/candlepin", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:satellite:6"]}, {"vendor": "Red Hat", "product": "Red Hat Single Sign-On 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "hibernate-core", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-0603", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2427147", "name": "RHBZ#2427147", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-01-19T10:10:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "timeline": [{"lang": "en", "time": "2026-01-05T13:12:29.816000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-01-19T10:10:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Christiaan Swiers (YouGina) and Tommy Williams (HeroDevs) for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-01-23T07:13:43.935Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application's database, resulting in an application level denial of service."}], "id": "CVE-2026-0603", "lastModified": "2026-01-23T07:15:53.660", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2026-01-23T07:15:53.660", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2026-0603"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2427147"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Christiaan Swiers (YouGina) and Tommy Williams (HeroDevs) for reporting this issue.", "bugzilla": {"description": "org.hibernate/hibernate-core: Hibernate: Information disclosure and data deletion via second-order SQL injection", "id": "2427147", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2427147"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "status": "draft"}, "cwe": "CWE-89", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-0603", "package_state": [{"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Affected", "package_name": "hibernate-core", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Affected", "package_name": "hibernate-core", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "hibernate-core", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "hibernate-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Affected", "package_name": "hibernate-core", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Affected", "package_name": "hibernate-core", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "hibernate-core", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-trustyai-service-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-trustyai-service-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Not affected", "package_name": "devspaces/openvsx-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Not affected", "package_name": "devspaces/pluginregistry-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Affected", "package_name": "hibernate-core", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "candlepin", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "satellite:el8/candlepin", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "hibernate-core", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2026-01-19T10:10:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-0603\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-0603"], "statement": "This vulnerability is rated Important for Red Hat products as it allows a remote attacker with low privileges to perform second-order SQL injection in applications using Hibernate's InlineIdsOrClauseBuilder with unsanitized non-alphanumeric characters in the ID column. This could lead to sensitive information disclosure and data manipulation or deletion.", "threat_severity": "Important"}