📄 Hibernate ORM 5.6.15 SQL Injection_PACKETSTORM:220500

8.3 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Description

Hibernate ORM versions 5.6.15 and below suffer from a remote SQL injection vulnerability...

Visit Original Source

Basic Information

ID PACKETSTORM:220500

Published May 6, 2026 at 00:00

Affected Product

Affected Versions # CVE-2026-0603 Hibernate ORM Injection / Second-Order SQL Injection

★ CVE-2026-0603 Hibernate SQL Injection PoC ★

https://github.com/user-attachments/assets/2e7c3a89-e26f-48cd-af0b-8b82d32ce71f

 

# Overview
> **CVE-2026-0603** is a **Second-Order SQL Injection** vulnerability in **Hibernate ORM**, a widely used Java ORM framework.
> When a user-supplied string primary key containing a malicious SQL payload is used in a bulk DELETE or UPDATE operation, Hibernate inserts the value directly into the WHERE clause without sanitization, causing **unintended mass deletion or modification of database records**.

 

# Affected Versions
| Category | Version |
|---|---|
| **Vulnerable** | Hibernate ORM **5.2.8 ≤ version ≤ 5.6.15** |
| **Patched** | No official patch **(5.6.x EOL)** |

 

# Impact
- Mass deletion of records across multiple tables
- Mass modification of records across multiple tables
- Potential exfiltration of sensitive data from the database

 

# Environment
```bash
docker build -t cve-2026-0603-hibernate-vuln .
docker run --rm -it -p 8080:8080 --name hibernate-vuln cve-2026-0603-hibernate-vuln
```

 

# PoC
After starting the vulnerable environment, follow the steps below to reproduce the attack.

## Step 1. Register with a malicious username
```bash
username: ' or '1' = '1
```

## Step 2. Trigger update or delete
Click the update or delete button on the registered account.

## Step 3. Confirm all user data is affected
Verify that the DELETE or UPDATE query was applied to all rows, not just the registered account.
For DELETE, all records across both tables are removed.
For UPDATE, all records are modified with the attacker-supplied values.

 

# Mitigation
- Remove the `InlineIdsOrClauseBulkIdStrategy` setting from `application.yml`
- If `InlineIdsOrClauseBulkIdStrategy` must be used, apply strict **whitelist-based input validation** on any user-supplied primary key values to reject SQL control characters

 

# Analysis
- KR: https://www.skshieldus.com/security-insights/reports/eqst-orm-injection-explained
- EN:

{
    "lastseen": "2026-05-06T16:46:31",
    "description": "Hibernate ORM versions 5.6.15 and below suffer from a remote SQL injection vulnerability...",
    "published": "2026-05-06T00:00:00",
    "modified": "2026-05-06T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Hibernate ORM 5.6.15 SQL Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:220500",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-0603"
    ],
    "sourceData": "# CVE-2026-0603 Hibernate ORM Injection / Second-Order SQL Injection\n    \n    \u2605 CVE-2026-0603 Hibernate SQL Injection PoC \u2605\n    \n    https://github.com/user-attachments/assets/2e7c3a89-e26f-48cd-af0b-8b82d32ce71f\n    \n    <br>\n    \n    # Overview\n    > **CVE-2026-0603** is a **Second-Order SQL Injection** vulnerability in **Hibernate ORM**, a widely used Java ORM framework.  \n    > When a user-supplied string primary key containing a malicious SQL payload is used in a bulk DELETE or UPDATE operation, Hibernate inserts the value directly into the WHERE clause without sanitization, causing **unintended mass deletion or modification of database records**.\n    \n    <br>\n    \n    # Affected Versions\n    | Category | Version |\n    |---|---|\n    | **Vulnerable** | Hibernate ORM **5.2.8 \u2264 version \u2264 5.6.15** |\n    | **Patched** | No official patch **(5.6.x EOL)** |\n    \n    <br>\n    \n    # Impact\n    - Mass deletion of records across multiple tables\n    - Mass modification of records across multiple tables\n    - Potential exfiltration of sensitive data from the database\n    \n    <br>\n    \n    # Environment\n    ```bash\n    docker build -t cve-2026-0603-hibernate-vuln .\n    docker run --rm -it -p 8080:8080 --name hibernate-vuln cve-2026-0603-hibernate-vuln\n    ```\n    \n    <br>\n    \n    # PoC\n    After starting the vulnerable environment, follow the steps below to reproduce the attack.\n    \n    ## Step 1. Register with a malicious username \n    ```bash\n    username: ' or '1' = '1\n    ```\n    \n    ## Step 2. Trigger update or delete\n    Click the update or delete button on the registered account.\n    \n    \n    ## Step 3. Confirm all user data is affected\n    Verify that the DELETE or UPDATE query was applied to all rows, not just the registered account.\n    For DELETE, all records across both tables are removed.\n    For UPDATE, all records are modified with the attacker-supplied values.\n    \n    <br>\n    \n    # Mitigation\n    - Remove the `InlineIdsOrClauseBulkIdStrategy` setting from `application.yml`\n    - If `InlineIdsOrClauseBulkIdStrategy` must be used, apply strict **whitelist-based input validation** on any user-supplied primary key values to reject SQL control characters\n    \n    <br>\n    \n    # Analysis\n    - KR: https://www.skshieldus.com/security-insights/reports/eqst-orm-injection-explained\n    - EN:",
    "sourceHref": "https://packetstorm.news/download/220500",
    "cvss": {
        "score": 8.3,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/220500/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply