CVE-2026-0603

Severity: High (Updated)

Published: 23 January 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available (Red Hat errata)
CVSS Score: v3.1 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0061 (44.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-0603 is a high-severity SQL injection (CWE-89) vulnerability affecting Red Hat products (vendor inferred from references). Its CVSS v3.1 base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 44.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-0603 is a second-order SQL injection vulnerability in Hibernate, classified as CWE-89 (second-order meaning that the malicious values are first stored in the database and only later embedded in a generated query). It arises when the InlineIdsOrClauseBuilder is used and specially crafted, unsanitized non-alphanumeric characters are present in the ID column. The flaw has a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L), indicating high severity because of its significant confidentiality and integrity impact combined with a low barrier to exploitation.

A remote attacker with low privileges can exploit this vulnerability by injecting malicious input into the ID field. Successful exploitation enables sensitive information disclosure, such as reading system files, as well as data manipulation or deletion within the application's database. This can culminate in an application-level denial of service.

Red Hat has addressed the issue through multiple errata, including RHSA-2026:4915, RHSA-2026:4916, RHSA-2026:4917, RHSA-2026:4924, and RHSA-2026:6011, which provide updated packages and mitigation guidance for affected Hibernate deployments.

Vulnerability details

A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application's database, resulting in an application-level denial of service.

CWE(s)

CWE-89 (SQL Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A SQL injection flaw in a remotely accessible Hibernate component directly enables exploitation of a public-facing (or otherwise remotely reachable) application for data access, data manipulation and denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24956 (shared CWE-89)
CVE-2026-33615 (shared CWE-89)
CVE-2025-28939 (shared CWE-89)
CVE-2021-47872 (shared CWE-89)
CVE-2025-28873 (shared CWE-89)
CVE-2019-25636 (shared CWE-89)
CVE-2026-32611 (shared CWE-89)
CVE-2026-42755 (shared CWE-89)
CVE-2024-53544 (shared CWE-89)
CVE-2026-21410 (shared CWE-89)

Affected Assets

Red Hat (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI)

prevent · SI-10 (Information Input Validation): Directly mitigates second-order SQL injection by enforcing validation of unsanitized inputs, such as non-alphanumeric characters in the ID column, before database processing.

prevent · SI-2 (Flaw Remediation): Addresses the flaw through timely identification, reporting and correction, for example via the Red Hat errata for vulnerable Hibernate deployments.

prevent · Restricts information inputs at system boundaries to limit specially crafted malicious payloads targeting the InlineIdsOrClauseBuilder.
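The following is an added example for this page, not Hibernate's InlineIdsOrClauseBuilder and not Red Hat code. It illustrates the second-order pattern described in the deeper analysis above and the SI-10 input validation control listed here, using Python and sqlite3 in place of Hibernate: id values already stored in a table are read back and spliced into an OR clause. The unsafe builder inlines them as quoted literals; the bound builder sends them as query parameters; the hardened builder additionally allow-lists each id before binding. The table names, the id pattern and the staged values are all constructed for the example.

```python
import re
import sqlite3

# Allow-list for id values: letters, digits, underscore, hyphen. Anything else
# (quotes, spaces, comment markers) is rejected before it can reach SQL text.
# Assumption for this example: real ids in the application look like this.
ID_PATTERN = re.compile(r"[A-Za-z0-9_-]+")

# Constructed sample data. The second staged id carries non-alphanumeric
# characters; it is stored first and only later spliced into a query, which is
# what makes the injection second-order.
SAMPLE_ACCOUNTS = [("a1", "alice"), ("b2", "bob"), ("c3", "carol")]
SAMPLE_STAGED_IDS = ["a1", "zz' OR '1'='1"]


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE staged_ids (id TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    conn.executemany("INSERT INTO staged_ids VALUES (?)",
                     [(i,) for i in SAMPLE_STAGED_IDS])
    return conn


def load_staged_ids(conn):
    """Second-order step: the ids come out of the database, not from a request."""
    return [row[0] for row in conn.execute("SELECT id FROM staged_ids")]


def is_valid_id(value):
    """True only if the whole value matches the allow-list pattern."""
    return isinstance(value, str) and ID_PATTERN.fullmatch(value) is not None


def unsafe_or_clause(ids):
    """VULNERABLE pattern: every stored id is inlined as a quoted literal."""
    predicates = " OR ".join(f"id = '{i}'" for i in ids)
    return f"SELECT name FROM accounts WHERE {predicates}"


def bound_or_clause(ids):
    """Parameter binding: the clause shape is built from placeholders only and
    the id values travel separately, so they are never parsed as SQL."""
    predicates = " OR ".join("id = ?" for _ in ids)
    return f"SELECT name FROM accounts WHERE {predicates}", tuple(ids)


def hardened_or_clause(ids):
    """SI-10 style control: reject any id outside the allow-list, then bind."""
    bad = [i for i in ids if not is_valid_id(i)]
    if bad:
        raise ValueError(f"rejected id values: {bad!r}")
    return bound_or_clause(ids)


def query_unsafe(conn):
    """Inlined literals: the stored value rewrites the WHERE clause."""
    return sorted(r[0] for r in conn.execute(unsafe_or_clause(load_staged_ids(conn))))


def query_bound(conn):
    """Bound parameters: the stored value is compared as data only."""
    sql, params = bound_or_clause(load_staged_ids(conn))
    return sorted(r[0] for r in conn.execute(sql, params))


def query_hardened(conn):
    """Allow-list plus binding: the tainted id never reaches the database."""
    sql, params = hardened_or_clause(load_staged_ids(conn))
    return sorted(r[0] for r in conn.execute(sql, params))


if __name__ == "__main__":
    conn = make_db()
    print("inlined literals :", query_unsafe(conn))   # every account is returned
    print("bound parameters :", query_bound(conn))    # only the real id matches
    try:
        query_hardened(conn)
    except ValueError as exc:
        print("allow-list check :", exc)               # tainted id rejected
```

Binding alone is enough to stop the stored value from changing the query, which is why the bound variant returns only the legitimate account. The allow-list adds defence in depth and a detection hook: a rejected id is a concrete, loggable signal that non-alphanumeric content reached a column that should never contain it.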

References