CVE-2026-0603

Org.hibernate/hibernate-core: hibernate: information disclosure and data deletion via second-order sql injection

Description

A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application's database, resulting in an application level denial of service.

INFO

Published Date :

2026-01-23T06:31:38.975Z

Last Modified :

2026-05-06T14:34:02.113Z

Source :

redhat

AFFECTED PRODUCTS

The following products are affected by CVE-2026-0603 vulnerability.

Vendors	Products
Redhat	Amq Broker Jboss Data Grid Jboss Enterprise Application Platform Jboss Enterprise Application Platform Els Jboss Enterprise Application Platform Eus Jboss Enterprise Bpms Platform Jboss Fuse Jbosseapxp Openshift Ai Openshift Devspaces Optaplanner Red Hat Single Sign On Satellite

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-0603.

URL	Resource
https://access.redhat.com/errata/RHSA-2026:4915
https://access.redhat.com/errata/RHSA-2026:4916
https://access.redhat.com/errata/RHSA-2026:4917
https://access.redhat.com/errata/RHSA-2026:4924
https://access.redhat.com/errata/RHSA-2026:6011
https://access.redhat.com/errata/RHSA-2026:6012
https://access.redhat.com/security/cve/CVE-2026-0603
https://bugzilla.redhat.com/show_bug.cgi?id=2427147
https://nvd.nist.gov/vuln/detail/CVE-2026-0603
https://www.cve.org/CVERecord?id=CVE-2026-0603

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact