This vulnerability (CVE-2026-0603) affects Hibernate core within Red Hat JBoss Enterprise Application Platform 7.4, allowing a remote attacker with low privileges to perform second-order SQL injection by injecting unsanitized non-alphanumeric characters into the ID column when InlineIdsOrClauseBuilder is used. The flaw can lead to unauthorized disclosure of sensitive information, data manipulation or deletion in the database, and potentially cause application-level denial of service. Red Hat has issued security advisories RHSA-2026:4915 and RHSA-2026:4916 providing updated packages (JBoss Enterprise Application Platform 7.4.24) for RHEL 7 and RHEL 8 respectively, which include fixes for this vulnerability. The advisories emphasize applying all relevant errata before updating and provide detailed instructions for patching.

Exploitation of this vulnerability can result in high-impact consequences including disclosure of sensitive information, unauthorized data manipulation or deletion within the affected application's database, and application-level denial of service. The CVSS v3.1 base score is 8.3 (High), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, and high confidentiality and integrity impacts with low availability impact. No known exploits in the wild have been reported at this time.

Red Hat has released official security updates in JBoss Enterprise Application Platform 7.4.24 for both RHEL 7 and RHEL 8 that address CVE-2026-0603. Users should apply these updates promptly after ensuring all previously released errata relevant to their systems are applied. Backing up existing installations, including applications, configuration files, and databases, is recommended before applying the update. Detailed patching instructions are available in the Red Hat advisory and documentation. No additional mitigation steps are indicated beyond applying the official fixes.