The Lucee Hibernate ORM extension has a release candidate out: 5.6.15.15-RC
This is a really significant update — Hibernate upgraded from 5.4 to 5.6, plus a large body of bug fixes and improvements accumulated since the 5.4-era extension.
Install:
Lucee 7.0+ (Maven coordinates)
LUCEE_EXTENSIONS=org.lucee:hibernate-extension:5.6.15.15-RC
Lucee 6.2 (extension GUID)
LUCEE_EXTENSIONS=FAD1E8CB-4F45-4184-86359145767C29DE;version=5.6.15.15-RC
What’s new since 5.4 (see announcement threads for details):
Hibernate 5.4 → 5.6 — core upgrade (5.6.15.10 announcement)
LDEV-119 — ORMReload() connection leak and NPE under concurrent load fixed
LDEV-6156 — connection leak: dead reconnect code removed
LDEV-1992 — entityMerge() after ormClearSession() no longer throws “no Session”
LDEV-6253 — ORM flush 61% faster (5.6.15.12 announcement)
LDEV-6267 — ClassCastException when ehcache extension is also installed, fixed by relocating shaded classes
OOE-28 — NoClassDefFoundError: javax/validation/ValidatorFactory on Lucee 7+ fixed
LDEV-6225 — Java 17+ JAXB compatibility
LDEV-4561 — entity events now fire before global event handler, matching ACF
LDEV-4121 — property defaults apply when loading NULL from DB, matching ACF
LDEV-2092 — ORMEvictEntity()/ORMEvictCollection() broken with multiple datasources, fixed
Per-app ORM log level via this.logs (Lucee 7.0+) (5.6.15.13 announcement)
Concurrent ORM init race condition fixed (Lucee 6.2/7.0)
Multiple datasource sessions now opened lazily (reduced connection overhead)
# Changelog
## 5.6.15.15
- [LDEV-6267](https://luceeserver.atlassian.net/browse/LDEV-6267) — Relocate shaded `net.sf.ehcache` classes to `org.lucee.extension.orm.hibernate.shaded.net.sf.ehcache` to prevent `ClassCastException` when the ehcache Lucee extension is also installed. Both extensions loaded the same ehcache classes from different OSGi `BundleClassLoader` instances
## 5.6.15.14
- [OOE-28](https://ortussolutions.atlassian.net/browse/OOE-28) — `NoClassDefFoundError: javax/validation/ValidatorFactory` on Lucee 7+. Lucee 7 exposes `jakarta.validation` via OSGi boot delegation, causing Hibernate's `BeanValidationIntegrator` to think Bean Validation is available — but `TypeSafeActivator` has hard `javax.validation` imports which then fail. Fixed by shading `javax.validation:validation-api` into the extension jar. This was masked locally because script-runner's `pom-jakarta.xml` was missing `jakarta.jakartaee-api`, making its classpath a subset of the real Lucee runtime
## 5.6.15.13
### Improvements
- ORM logging now respects application-level `this.logs` overrides (Lucee 7.0+). Each application can independently control the orm log level without affecting other apps on the server
- Added lifecycle logging at DEBUG level: "ORM initializing", "ORM initialized" (with entity count and settings), and "ormReload()" messages
## 5.6.15.12
### Performance
Documentation
We have added a comprehensive set of recipes for ORM
Security note — CVE-2026-0603
Dependency scanners may flag a high-severity SQL injection CVE in hibernate-core.
We’ve investigated and it is not exploitable in standard Lucee ORM deployments — the vulnerable code path (InlineIdsOrClauseBulkIdStrategy) requires explicitly opting in via hibernate.hql.bulk_id_strategy, which is not configurable through Lucee ORM settings and is not set anywhere in this extension. The default strategy uses temp tables.
We will be following up with a 7.x Hibernate Release
Previous 5.6 SNAPSHOTS
Next time just scream! If a tree falls in the forest and no one's there etc!
Performance Fixes for Large Batch ORM Workloads
Investigating an OOM report from a user processing 3.8M entities nightly, we profiled the extension against the Ortus fork and found 5.6.15.11 was 32% slower with 33% more memory usage — despite identical per-entity retained heap.
The root cause was transient allocation churn during Hibernate flush dirty-checking, not a memory leak.
What changed in 5.6.15.12-SNAPSHOT
String.replace() instead of Util.replace() in HibernateCaster.toHibernateType(…
Quick update on the Hibernate extension logging front
this.logs support (Lucee 7.0+)
The extension now respects application-level this.logs for the orm log. Previously, changing the orm log level required configImport(type:"server") which affected every app on the server.
Now each Application.cfc can control its own level:
this.logs = {
    "orm": { "appender": "console", "level": "trace" }
};
this.ormSettings = {
    logSQL: true,
    logParams: true
};
On 6.2, server-level config via Lu…
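For the CVE-2026-0603 note in the announcement above, a deployment can confirm that nothing outside the extension opts in to the flagged strategy by searching its configuration for `hibernate.hql.bulk_id_strategy`. This is an added example, not code from the Lucee extension or the original post; the file suffixes scanned, the three config syntaxes matched and the sample inputs are assumptions, and the fully qualified class names in the samples are Hibernate 5.x's.

```python
import re
from pathlib import Path

KEY = "hibernate.hql.bulk_id_strategy"       # property named in the security note
FLAGGED = "InlineIdsOrClauseBulkIdStrategy"  # strategy named in the security note
K = re.escape(KEY)
PATTERNS = (
    # key=value in .properties files, -Dkey=value in JVM option strings
    re.compile(r"(?:-D|(?<![\w.]))" + K + r"\s*[=:]\s*([^\s\"'<>]+)"),
    # <property name="KEY">value</property>  (hibernate.cfg.xml style)
    re.compile(r"name\s*=\s*[\"']" + K + r"[\"']\s*>\s*([^<\s]+)"),
    # <property name="KEY" value="..."/>     (persistence.xml style)
    re.compile(r"name\s*=\s*[\"']" + K + r"[\"']\s+value\s*=\s*[\"']([^\"']+)"),
)

def find_settings(text):
    """Return every value assigned to KEY, skipping XML and #/! comments."""
    body = re.sub(r"<!--.*?-->|^\s*[#!][^\n]*", "", text, flags=re.S | re.M)
    return [v for rx in PATTERNS for v in rx.findall(body)]

def audit(text):
    """Classify one config blob: not-set, set-other or set-inline-or-clause."""
    values = find_settings(text)
    if any(FLAGGED in v for v in values):
        return "set-inline-or-clause"
    return "set-other" if values else "not-set"

def audit_tree(root, suffixes=(".properties", ".xml", ".sh", ".bat", ".conf")):
    """Map path -> status for every file under root where KEY is set."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            status = audit(path.read_text(errors="replace"))
            if status != "not-set":
                report[str(path)] = status
    return report

# Constructed sample inputs (not taken from any real deployment)
SAMPLES = {
    "hibernate.properties": "# hibernate.hql.bulk_id_strategy=x\nhibernate.show_sql=false\n",
    "setenv.sh": 'JAVA_OPTS="-Xmx1g -Dhibernate.hql.bulk_id_strategy='
                 'org.hibernate.hql.spi.id.inline.InlineIdsOrClauseBulkIdStrategy"\n',
    "persistence.xml": '<property name="hibernate.hql.bulk_id_strategy"\n'
                       ' value="org.hibernate.hql.spi.id.inline.InlineIdsInClauseBulkIdStrategy"/>',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{audit(text):22} {name}")
```

Call `audit_tree()` on the servlet container and Lucee configuration directories; an empty result matches the default described in the note, and any `set-*` entry is a setting to review.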
psarin
April 23, 2026, 11:53pm
Should we now be using this extension instead of the Ortus Hibernate extension? I thought the recommendation a few months ago was to use the Ortus one (Ortus Hibernate ORM Extension 6.5.4 Released) - or am I misunderstanding something?
As per the docs, Ortus have put their fork in maintenance mode; Lucee has taken back responsibility and is actively maintaining our extension again.
You should find this RC a drop-in replacement, with a lot of issues resolved and better logging, performance and exceptions!