CVE-2026-0603
Published: 23 January 2026
Summary
CVE-2026-0603 is a high-severity SQL Injection (CWE-89) vulnerability in Hibernate as shipped by Red Hat (vendor inferred from references). Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 44.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-0603 is a second-order SQL injection vulnerability (CWE-89) in Hibernate. It arises when the InlineIdsOrClauseBuilder is used and specially crafted, unsanitized non-alphanumeric characters are present in the ID column: the crafted value is first stored as an ID and only later reused by the builder when it constructs an SQL OR clause from those IDs, which is what makes the injection second-order. The flaw has a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L): high severity, reflecting significant confidentiality and integrity impact with a low barrier to exploitation.
A remote attacker with low privileges can exploit this vulnerability by injecting malicious input into the ID field. Successful exploitation enables sensitive information disclosure, such as reading system files, as well as data manipulation or deletion within the application's database. This can culminate in an application-level denial of service.
Red Hat has addressed the issue through multiple errata, including RHSA-2026:4915, RHSA-2026:4916, RHSA-2026:4917, RHSA-2026:4924, and RHSA-2026:6011, which provide updated packages and mitigation guidance for affected Hibernate deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4427
Vulnerability details
A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application's database, resulting in an application-level denial of service.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a remotely accessible Hibernate component directly enables exploitation of a public-facing (or remotely reachable) application for data access, data manipulation and denial of service.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly mitigates second-order SQL injection by enforcing validation of unsanitized inputs, such as non-alphanumeric characters in the ID column, before database processing.
- SI-2 (Flaw Remediation): Addresses the flaw through timely identification, reporting, and correction via patches such as the Red Hat errata for vulnerable Hibernate deployments.
- Restricts information inputs at system boundaries to limit specially crafted malicious payloads targeting the InlineIdsOrClauseBuilder.
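As an added illustration (this is not Hibernate's or Red Hat's code, and the `account` table, the sample rows, and all function names are constructed for this example), the following Python/sqlite3 stand-in reproduces the hazardous shape of an inline-IDs OR clause described above: a value containing a quote is stored safely by a parameterised insert, then read back from the ID column and inlined into a bulk DELETE, which is what makes the injection second-order. The hardened builder keeps the same clause shape but binds each id as a parameter, and `validate_id` shows the SI-10 allowlist check from the mitigations list as defence in depth.

```python
import re
import sqlite3

# Constructed sample data (not from the advisory): one account id carries a quote
# and an OR fragment, i.e. non-alphanumeric characters in the ID column.
SAMPLE_ROWS = [
    ("alice", "active"),
    ("bob", "active"),
    ("x' OR '1'='1", "pending"),
]

# Allowlist for SI-10 style input validation, applied before an id may be used
# in any SQL clause. Assumed policy for this example: ids match [A-Za-z0-9_-]+.
ID_PATTERN = re.compile(r"^[A-Za-z0-9_-]+$")


def make_db():
    """Create an in-memory table and insert the sample rows with bound parameters.
    The first-order write is safe: the odd id is stored verbatim, not executed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (id TEXT PRIMARY KEY, status TEXT)")
    conn.executemany("INSERT INTO account VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def pending_ids(conn):
    """Read ids back from the database; this is the second-order source of tainted data."""
    return [row[0] for row in conn.execute("SELECT id FROM account WHERE status = 'pending'")]


def remaining_ids(conn):
    """Ids still present after a bulk delete, in sorted order."""
    return [row[0] for row in conn.execute("SELECT id FROM account ORDER BY id")]


def inline_ids_or_clause_vulnerable(ids):
    """Hazardous pattern: stored ids are inlined into the SQL text of an OR clause."""
    return " OR ".join(f"id = '{i}'" for i in ids)


def bulk_delete_vulnerable(conn, ids):
    """Bulk delete that trusts ids read from the database. With the sample data the
    clause becomes  id = 'x' OR '1'='1'  and every row is deleted."""
    if not ids:
        return remaining_ids(conn)
    sql = "DELETE FROM account WHERE " + inline_ids_or_clause_vulnerable(ids)
    conn.execute(sql)
    conn.commit()
    return remaining_ids(conn)


def inline_ids_or_clause_hardened(ids):
    """Same clause shape, but every id becomes a bound placeholder."""
    return " OR ".join("id = ?" for _ in ids)


def validate_id(value):
    """SI-10 input validation: reject any id containing non-allowlisted characters."""
    if not ID_PATTERN.fullmatch(value):
        raise ValueError(f"rejected id with non-alphanumeric characters: {value!r}")
    return value


def bulk_delete_hardened(conn, ids):
    """Bulk delete with parameter binding, so a stored id can never change the query.
    Only rows whose id exactly equals one of `ids` are removed."""
    if not ids:
        return remaining_ids(conn)
    sql = "DELETE FROM account WHERE " + inline_ids_or_clause_hardened(ids)
    conn.execute(sql, list(ids))
    conn.commit()
    return remaining_ids(conn)


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", bulk_delete_vulnerable(conn, pending_ids(conn)))  # []
    conn = make_db()
    print("hardened:", bulk_delete_hardened(conn, pending_ids(conn)))  # ['alice', 'bob']
```

Parameter binding is the primary fix because it removes the need to trust the stored value at all; the allowlist in `validate_id` is the boundary control from the mitigations list and stops such values from ever being persisted, but on its own it does not repair code that still inlines ids.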