CVE-2026-0603 - Vulnerability Details - OpenCVE

No description is available for this CVE.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://nvd.nist.gov/vuln/detail/CVE-2026-0603
https://www.cve.org/CVERecord?id=CVE-2026-0603

History

Tue, 20 Jan 2026 00:15:00 +0000

Type	Values Removed	Values Added
Description		No description is available for this CVE.
Title		org.hibernate/hibernate-core: Hibernate: Information disclosure and data deletion via second-order SQL injection
Weaknesses		CWE-89
References		https://nvd.nist.gov/vuln/detail/CVE-2026-0603 https://www.cve.org/CVERecord?id=CVE-2026-0603
Metrics	threat_severity `None`	cvssV3_1 `{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}` threat_severity `Important`

Projects

Sign in to view the affected projects.

MITRE

No data.

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Important

Publid Date: 2026-01-19T10:10:00Z

Links: CVE-2026-0603 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-89

{"acknowledgement": "Red Hat would like to thank Christiaan Swiers (YouGina) and Tommy Williams (HeroDevs) for reporting this issue.", "bugzilla": {"description": "org.hibernate/hibernate-core: Hibernate: Information disclosure and data deletion via second-order SQL injection", "id": "2427147", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2427147"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "status": "draft"}, "cwe": "CWE-89", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-0603", "package_state": [{"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Affected", "package_name": "hibernate-core", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Affected", "package_name": "hibernate-core", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "hibernate-core", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "hibernate-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Affected", "package_name": "hibernate-core", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Affected", "package_name": "hibernate-core", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "hibernate-core", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-trustyai-service-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-trustyai-service-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Not affected", "package_name": "devspaces/openvsx-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Not affected", "package_name": "devspaces/pluginregistry-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Affected", "package_name": "hibernate-core", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "candlepin", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "satellite:el8/candlepin", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "hibernate-core", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2026-01-19T10:10:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-0603\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-0603"], "statement": "This vulnerability is rated Important for Red Hat products as it allows a remote attacker with low privileges to perform second-order SQL injection in applications using Hibernate's InlineIdsOrClauseBuilder with unsanitized non-alphanumeric characters in the ID column. This could lead to sensitive information disclosure and data manipulation or deletion.", "threat_severity": "Important"}