CVE-2026-0603

Command Injection
Affects Hibernate ORM in Hibernate
Versions >= 5.6.0 <= 5.6.15
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Hibernate ORM (Object-Relational Mapping) is a Java framework that bridges the gap between object-oriented programming and relational databases. It lets developers work with database data as ordinary Java objects instead of writing repetitive SQL, automating tasks such as mapping Java classes to tables, handling data types, and managing persistence across the application lifecycle. It addresses the "object-relational impedance mismatch" by simplifying database interactions, reducing code, and making Java applications database-independent, and it serves as a standard implementation of the Jakarta Persistence API (JPA).

A Command Injection vulnerability (CVE-2026-0603) has been identified in Hibernate. The id field of a persisted object may be used to carry out second-order SQL attacks on vulnerable applications.

According to OWASP, command injection is an attack whose goal is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

This issue affects 5.6.x versions of Hibernate ORM.

Details

Module Info

Vulnerability Info

An attacker can take advantage of how Hibernate uses InlineIdsOrClauseBuilder to process the ID of an object in order to carry out a second-order SQL attack on a vulnerable application. The attacker stores an object with a crafted ID, and that ID is later executed as SQL during subsequent UPDATE or DELETE requests.

In our internal testing of this vulnerability, we have seen a compromised ID be able to delete all objects from a table as well as read the contents of /etc/passwd on the vulnerable application's machine.

Note that this vulnerability is only exploitable when the application allows users to compose the IDs of the objects that get persisted.
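As an added illustration (not code from this advisory or from Hibernate), the guard below shows the kind of compensating control an application still on 5.6.x can put in front of user-composed IDs: an entity with a String primary key that refuses to be persisted or updated unless the key matches a strict allow-list. The entity name, field names and pattern are assumptions.

```java
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.PrePersist;
import javax.persistence.PreUpdate;
import java.util.regex.Pattern;

// Hypothetical entity whose primary key is supplied by the caller, which is
// the precondition the advisory names. Hibernate 5.6 ships against
// javax.persistence; the hibernate-core-jakarta artifact uses jakarta.persistence
// instead, so adjust the imports to match your build.
@Entity
public class Document {

    // Allow-list for keys: short, alphanumeric plus '-' and '_'. Anything
    // outside this set is rejected rather than escaped.
    private static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    @Id
    private String id;

    private String title;

    protected Document() { } // JPA requires a no-arg constructor

    public Document(String id, String title) {
        this.id = id;
        this.title = title;
    }

    // JPA lifecycle callback: runs before the row is inserted or updated, so a
    // non-conforming key is never stored and therefore never gets inlined
    // into a later bulk UPDATE/DELETE statement.
    @PrePersist
    @PreUpdate
    void rejectUnsafeId() {
        if (!isSafeId(id)) {
            throw new IllegalArgumentException("Document id does not match the allowed pattern");
        }
    }

    // Pure check, kept separate so request handlers can validate input up front
    // and return a 400 instead of failing inside the persistence layer.
    public static boolean isSafeId(String candidate) {
        return candidate != null && SAFE_ID.matcher(candidate).matches();
    }
}
```

This narrows which keys can reach Hibernate's ID-inlining path without altering Hibernate itself, so it complements rather than replaces the upgrade listed under Mitigation.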

Mitigation

Only recent versions of Hibernate are community-supported, and only those versions will receive updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected versions to supported versions of Hibernate.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credits

  • Christiaan Swiers (YouGina) as finder
  • Tommy Williams (HeroDevs) as analyst

Vulnerability Details

ID: CVE-2026-0603
Project Affected: Hibernate ORM
Versions Affected: >= 5.6.0 <= 5.6.15
Published date: January 20, 2026
Fix date: January 20, 2026
Severity: High
Category: Command Injection

Severity scale used above:

Level     CVSS Assessment
Low       >=0 <4
Medium    >=4 <6
High      >=6 <8
Critical  >=8 <10