Org.hibernate/hibernate-core: hibernate: information disclosure and data deletion via second-order sql...

8.3 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Description

A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application's database, resulting in an application level denial of service.

Basic Information

ID CVE-2026-0603

Source redhat

Published Jan 23, 2026 at 06:31

Modified Jan 24, 2026 at 04:55

Affected Product

Version 5.2.8

Affected Versions 5.2.8

CWE Classification

CWE-89

References

{
    "lastseen": "",
    "description": "A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application's database, resulting in an application level denial of service.",
    "published": "2026-01-23T06:31:38.975Z",
    "modified": "2026-01-24T04:55:24.337Z",
    "type": "cve",
    "title": "Org.hibernate/hibernate-core: hibernate: information disclosure and data deletion via second-order sql injection",
    "source": "redhat",
    "references": "https://access.redhat.com/security/cve/CVE-2026-0603\nhttps://bugzilla.redhat.com/show_bug.cgi?id=2427147",
    "id": "CVE-2026-0603",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "  5.2.8",
    "sourceHref": "",
    "cvss": {
        "score": 8.3,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "",
    "version": "5.2.8",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Org.hibernate/hibernate-core: hibernate: information disclosure and data deletion via second-order sql injection_CVE-2026-0603