Hibernate ORM 5.6.15 SQL Injection

Published: 06 May 2026 00:00:00
Reported by: EQSTLab
Type: packetstorm
Source: packetstorm.news

CVE-2026-0603 in Hibernate ORM enables second-order SQL injection causing mass deletion or modification and data exposure.

# CVE-2026-0603 Hibernate ORM Injection / Second-Order SQL Injection

★ CVE-2026-0603 Hibernate SQL Injection PoC ★

https://github.com/user-attachments/assets/2e7c3a89-e26f-48cd-af0b-8b82d32ce71f

# Overview
> **CVE-2026-0603** is a **Second-Order SQL Injection** vulnerability in **Hibernate ORM**, a widely used Java ORM framework.  
> When a user-supplied string primary key containing a malicious SQL payload is used in a bulk DELETE or UPDATE operation, Hibernate inserts the value directly into the WHERE clause without sanitization, causing **unintended mass deletion or modification of database records**.

# Affected Versions
| Category | Version |
|---|---|
| **Vulnerable** | Hibernate ORM **5.2.8 ≤ version ≤ 5.6.15** |
| **Patched** | No official patch **(5.6.x EOL)** |

# Impact
- Mass deletion of records across multiple tables
- Mass modification of records across multiple tables
- Potential exfiltration of sensitive data from the database

# Environment
```bash
docker build -t cve-2026-0603-hibernate-vuln .
docker run --rm -it -p 8080:8080 --name hibernate-vuln cve-2026-0603-hibernate-vuln
```

# PoC
After starting the vulnerable environment, follow the steps below to reproduce the attack.

## Step 1. Register with a malicious username
```
username: ' or '1' = '1
```

## Step 2. Trigger update or delete
Click the update or delete button on the registered account.

## Step 3. Confirm all user data is affected
Verify that the DELETE or UPDATE query was applied to all rows, not just the registered account.
For DELETE, all records across both tables are removed.
For UPDATE, all records are modified with the attacker-supplied values.
    
# Mitigation
- Remove the `InlineIdsOrClauseBulkIdStrategy` setting from `application.yml`
- If `InlineIdsOrClauseBulkIdStrategy` must be used, apply strict **whitelist-based input validation** on any user-supplied primary key values to reject SQL control characters
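As an added example (not code from the advisory, from EQSTLab, or from Hibernate itself), the following Java class turns the two mitigation bullets above into checks an application can enforce: a startup guard that refuses the risky bulk-id strategy, and a whitelist validator applied to any user-supplied string primary key before it reaches a bulk UPDATE or DELETE. It assumes the strategy is selected through Hibernate's `hibernate.hql.bulk_id_strategy` property (under Spring Boot that key would sit below `spring.jpa.properties` in `application.yml`; how the demo app wires it is an assumption, since the page does not show the key) and that the strategy class is `org.hibernate.hql.spi.id.inline.InlineIdsOrClauseBulkIdStrategy`. The property map is a stand-in for what the application hands to its `EntityManagerFactory`, so the class compiles with a plain JDK and no Hibernate dependency; the sample inputs in `main` are constructed.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added example, not part of the advisory or of Hibernate: a configuration guard
 * for the bulk-id strategy plus a whitelist validator for string primary keys.
 */
public final class BulkIdHardening {

    // Hibernate 5 property key and the strategy class the advisory names.
    static final String BULK_ID_STRATEGY_KEY = "hibernate.hql.bulk_id_strategy";
    static final String INLINE_IDS_OR_CLAUSE =
            "org.hibernate.hql.spi.id.inline.InlineIdsOrClauseBulkIdStrategy";

    // Whitelist for a username used as a primary key: ASCII letters, digits,
    // underscore, dot and hyphen, 1..64 characters. Deliberately narrow; widen
    // it consciously if your key format genuinely needs more characters.
    private static final Pattern SAFE_KEY = Pattern.compile("^[A-Za-z0-9_.\\-]{1,64}$");

    private BulkIdHardening() {}

    /** Returns true when the value is acceptable as a string primary key. */
    public static boolean isSafePrimaryKey(String value) {
        return value != null && SAFE_KEY.matcher(value).matches();
    }

    /** Throws if the key fails the whitelist; call before any bulk UPDATE/DELETE by id. */
    public static String requireSafePrimaryKey(String value) {
        if (!isSafePrimaryKey(value)) {
            throw new IllegalArgumentException(
                    "primary key contains characters outside the whitelist");
        }
        return value;
    }

    /**
     * Fails fast if the JPA/Hibernate property map still selects the inline-ids
     * strategy the advisory says to remove. Pass the same map you give to the
     * EntityManagerFactory / SessionFactory.
     */
    public static void rejectInlineIdsStrategy(Map<String, ?> hibernateProperties) {
        Object strategy = hibernateProperties.get(BULK_ID_STRATEGY_KEY);
        if (strategy != null && INLINE_IDS_OR_CLAUSE.equals(strategy.toString())) {
            throw new IllegalStateException(BULK_ID_STRATEGY_KEY + " is set to "
                    + INLINE_IDS_OR_CLAUSE + "; remove it (CVE-2026-0603)");
        }
    }

    public static void main(String[] args) {
        // Constructed property maps: the weak configuration beside the corrected one.
        Map<String, Object> weak = new HashMap<>();
        weak.put(BULK_ID_STRATEGY_KEY, INLINE_IDS_OR_CLAUSE);

        Map<String, Object> hardened = new HashMap<>();   // key simply not set

        try {
            rejectInlineIdsStrategy(weak);
        } catch (IllegalStateException e) {
            System.out.println("weak config rejected: " + e.getMessage());
        }
        rejectInlineIdsStrategy(hardened);
        System.out.println("hardened config accepted");

        // Constructed inputs: a benign username and the advisory's PoC username.
        List<String> candidates = List.of("alice_01", "' or '1' = '1");
        for (String c : candidates) {
            System.out.println(c + " -> " + (isSafePrimaryKey(c) ? "accepted" : "rejected"));
        }
    }
}
```

The guard treats the strategy as a configuration defect and stops startup rather than logging a warning, so the unsafe setting cannot survive unnoticed in a deployed build. The validator is a whitelist: it rejects the PoC username because of the quote and spaces, not because it recognises the payload, and it equally rejects any other character outside the allowed set, which is what the second mitigation bullet asks for. Run it with `java BulkIdHardening.java` on JDK 11 or newer.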

# Analysis
- KR: https://www.skshieldus.com/security-insights/reports/eqst-orm-injection-explained
- EN:


Last updated: 06 May 2026 00:00 (current)
Vulners AI Score: 5.9 (Medium risk)
CVSS 3.1: 8.3
EPSS: 0.00606
SSVC: not given