Description
A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application's database, resulting in an application level denial of service.
Published: 2026-01-23
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Data disclosure, manipulation, and potential denial of service
Action: Immediate Patch
AI Analysis

Impact

A second‑order SQL injection flaw exists in Hibernate's InlineIdsOrClauseBuilder component. An attacker who can submit specially crafted, non‑alphanumeric input into the ID column can cause the application to execute unintended SQL commands. Because the injection is second‑order, the crafted values are first stored in the ID column and only later inlined into SQL when the builder constructs the OR clause, so the dangerous input does not have to arrive in the same request that triggers the query. This can expose sensitive system files or application data, permit unauthorized data modification or deletion, and ultimately lead to an application‑level denial of service. The vulnerability is classified as CWE‑89 and carries a CVSS score of 8.3, indicating high severity.
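The inline-OR-clause pattern the advisory describes, as an added Python illustration that is not Hibernate's code: an id containing a quote is stored through a safe path and later read back and inlined (the second-order step), which breaks the query, while the bound-parameter form returns it as plain data. The table, rows, allowlist pattern and helper names are constructed for this example.

```python
import re
import sqlite3

# Constructed sample rows (not from the advisory): the third id carries a
# quote, the kind of non-alphanumeric value the advisory describes.
ROWS = [("a1", "public"), ("b2", "public"), ("o'brien", "secret")]
ID_OK = re.compile(r"^[A-Za-z0-9_-]+$")  # constructed allowlist for ids

def inline_or_clause(ids):
    """Pattern the advisory describes: every id is pasted into the SQL text."""
    return " OR ".join(f"(id = '{i}')" for i in ids)

def bound_or_clause(ids):
    """Hardened form: one placeholder per id; values travel as bind parameters."""
    return " OR ".join("(id = ?)" for _ in ids), list(ids)

def ids_are_safe(ids):
    """Defence in depth: allowlist check before any id reaches a query builder."""
    return all(ID_OK.fullmatch(i) for i in ids)

def fresh_db():
    """In-memory database seeded with the constructed rows via bound inserts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (id TEXT PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO docs VALUES (?, ?)", ROWS)  # safe, bound insert
    return conn

def select_by_stored_ids(inline):
    """Second-order flow: ids are read back from the database (not from the
    request) and then used to build the OR clause. Returns the matched ids
    sorted, or the parser error text when the inlined SQL no longer parses."""
    conn = fresh_db()
    ids = [r[0] for r in conn.execute("SELECT id FROM docs")]
    try:
        if inline:
            sql = "SELECT id FROM docs WHERE " + inline_or_clause(ids)
            rows = conn.execute(sql)  # the stray quote in o'brien ends the literal early
        else:
            clause, params = bound_or_clause(ids)
            rows = conn.execute("SELECT id FROM docs WHERE " + clause, params)
        return sorted(r[0] for r in rows)
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)
    finally:
        conn.close()
```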

Affected Systems

The issue affects several Red Hat products that embed the vulnerable Hibernate core, including Red Hat AMQ Broker 7, Red Hat Data Grid 8, Red Hat Fuse 7, multiple versions of Red Hat JBoss Enterprise Application Platform (7.x and 8), Red Hat OpenShift AI and Dev Spaces, Red Hat Process Automation 7, Red Hat Satellite 6, Red Hat Single Sign‑On 7, and the Red Hat build of OptaPlanner 8. Affected versions are those listed in the CNA errata (RHSA‑2026:4915 through RHSA‑2026:6012).

Risk and Exploitability

With a CVSS score of 8.3 and an EPSS score of < 1%, the vulnerability poses a high risk, but the probability of exploitation remains very low. A remote attacker with only low privileges could trigger it over the network by submitting crafted input to a specific API or web form that passes unsanitized values to Hibernate. Because the product set is broad and widely deployed in enterprise environments, the impact could be significant if the defect is not remediated. The vulnerability is not listed in the CISA catalog.

Generated by OpenCVE AI on April 18, 2026 at 15:15 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available, or the currently available options do not meet the Red Hat Product Security criteria of ease of use and deployment, applicability to a widespread installation base, or stability.


OpenCVE Recommended Actions

  • Apply the Red Hat errata updates listed in the CNA references (RHSA‑2026:4915, RHSA‑2026:4916, RHSA‑2026:4917, RHSA‑2026:4924, RHSA‑2026:6011, RHSA‑2026:6012) to patch the vulnerable Hibernate component
  • No workaround is available; rely on patching as the only mitigation
  • Disable or restrict any input paths that allow dynamic ID injection until the patch is applied
  • Implement database role isolation to limit the privileges of application accounts, reducing the impact scope if injection succeeds

Advisories
  Source: GitHub GHSA
  ID:     GHSA-2p5w-cvg5-gc5c
  Title:  Hibernate vulnerable to SQL Injection
History

Mon, 30 Mar 2026 11:15:00 +0000

First Time appeared
  Added:   Redhat jboss Enterprise Application Platform Eus
CPEs
  Added:   cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7
           cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
Vendors & Products
  Added:   Redhat jboss Enterprise Application Platform Eus
References
  (none)

Wed, 18 Mar 2026 15:45:00 +0000

First Time appeared
  Added:   Redhat jboss Enterprise Application Platform Els
CPEs
  Removed: cpe:/a:redhat:jboss_enterprise_application_platform:7
  Added:   cpe:/a:redhat:jboss_enterprise_application_platform:7.4
           cpe:/a:redhat:jboss_enterprise_application_platform_els:7.4::el7
           cpe:/a:redhat:jboss_enterprise_application_platform_els:7.4::el8
           cpe:/a:redhat:jboss_enterprise_application_platform_els:7.4::el9
Vendors & Products
  Added:   Redhat jboss Enterprise Application Platform Els
References
  (none)

Fri, 23 Jan 2026 16:15:00 +0000

Metrics
  Added:   ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 07:00:00 +0000

Description
  Removed: No description is available for this CVE.
  Added:   A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application's database, resulting in an application level denial of service.
Title
  Removed: org.hibernate/hibernate-core: Hibernate: Information disclosure and data deletion via second-order SQL injection
  Added:   Org.hibernate/hibernate-core: hibernate: information disclosure and data deletion via second-order sql injection
First Time appeared
  Added:   Redhat
           Redhat amq Broker
           Redhat jboss Data Grid
           Redhat jboss Enterprise Application Platform
           Redhat jboss Enterprise Bpms Platform
           Redhat jboss Fuse
           Redhat jbosseapxp
           Redhat openshift Ai
           Redhat openshift Devspaces
           Redhat optaplanner
           Redhat red Hat Single Sign On
           Redhat satellite
CPEs
  Added:   cpe:/a:redhat:amq_broker:7
           cpe:/a:redhat:jboss_data_grid:8
           cpe:/a:redhat:jboss_enterprise_application_platform:7
           cpe:/a:redhat:jboss_enterprise_application_platform:8
           cpe:/a:redhat:jboss_enterprise_bpms_platform:7
           cpe:/a:redhat:jboss_fuse:7
           cpe:/a:redhat:jbosseapxp
           cpe:/a:redhat:openshift_ai
           cpe:/a:redhat:openshift_devspaces:3
           cpe:/a:redhat:optaplanner:::el6
           cpe:/a:redhat:red_hat_single_sign_on:7
           cpe:/a:redhat:satellite:6
Vendors & Products
  Added:   Redhat
           Redhat amq Broker
           Redhat jboss Data Grid
           Redhat jboss Enterprise Application Platform
           Redhat jboss Enterprise Bpms Platform
           Redhat jboss Fuse
           Redhat jbosseapxp
           Redhat openshift Ai
           Redhat openshift Devspaces
           Redhat optaplanner
           Redhat red Hat Single Sign On
           Redhat satellite
References
  (none)

Tue, 20 Jan 2026 00:15:00 +0000

Description
  Added:   No description is available for this CVE.
Title
  Added:   org.hibernate/hibernate-core: Hibernate: Information disclosure and data deletion via second-order SQL injection
Weaknesses
  Added:   CWE-89
References
  (none)
Metrics
  Removed: threat_severity: None
  Added:   cvssV3_1: {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}
           threat_severity: Important

MITRE
  Status: PUBLISHED
  Assigner: redhat
  Published:
  Updated: 2026-03-30T11:01:34.248Z
  Reserved: 2026-01-05T13:18:55.616Z
  Link: CVE-2026-0603

Vulnrichment
  Updated: 2026-01-23T15:33:32.484Z

NVD
  Status: Deferred
  Published: 2026-01-23T07:15:53.660
  Modified: 2026-04-15T00:35:42.020
  Link: CVE-2026-0603

Redhat
  Severity: Important
  Public Date: 2026-01-19T10:10:00Z
  Links: CVE-2026-0603 - Bugzilla

OpenCVE Enrichment
  Updated: 2026-04-18T15:30:03Z

Weaknesses