Neo4j Enterprise Edition
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Neo4j Enterprise Edition.
By the Year
In 2026 there have been 5 vulnerabilities in Neo4j Enterprise Edition. Last year, in 2025 Enterprise Edition had 1 security vulnerability published. That is, 4 more vulnerabilities have already been reported in 2026 as compared to last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 5 | 0.00 |
| 2025 | 1 | 0.00 |
It may take a day or so for new Enterprise Edition vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Neo4j Enterprise Edition Security Vulnerabilities
Neo4j EE <=2026.01.3 SSO Auth Context Inheritance via UserInfo
CVE-2026-1471
- March 11, 2026
Excessive caching of authentication context in Neo4j Enterprise edition versions prior to 2026.01.4 leads to authenticated users inheriting the context of the first user who authenticated after restart. The issue is limited to certain non-default configurations of SSO (UserInfo endpoint). We recommend upgrading to versions 2026.01.4 (or 5.26.22) where the issue is fixed.
AuthZ
Neo4j Enterprise 2026.02 Unauth Access via OIDC Provider Edgecase (Server)
CVE-2026-1524
- March 11, 2026
An edgecase in SSO implementation in Neo4j Enterprise edition versions prior to version 2026.02 can lead to unauthorised access under the following conditions: If a neo4j admin configures two or more OIDC providers AND configures one or more of them to be an authorization provider AND configures one or more of them to be authentication-only, then those that are authentication-only will also provide authorization. This edgecase becomes a security problem only if the authentication-only provider contains groups which have higher privileges than provided by the intended (configured) authorization provider. When using multiple plugins for authentication and authorisation, prior to the fix the issue could lead to a plugin configured to provide only authentication or authorisation capabilities erroneously providing both capabilities. We recommend upgrading to versions 2026.02 (or 5.26.22) where the issue is fixed.
AuthZ
Neo4j EE <2026.02 | 5.26.22 Namespace Priv Escalation
CVE-2026-1497
- March 11, 2026
Incorrect resolving of namespaces in composite databases in Neo4j Enterprise edition prior to versions 2026.02 and 5.26.22 can lead to the following scenario: an admin that intends to give a user an access to a remote database constituent "namespace.name" will inadvertently grant access to any local database or remote alias called "name". If such database or alias doesn't exist when the command is run, the privileges will apply if it's created in the future.
AuthZ
Info Disclosure in Neo4j 2026 Pre-2026.01.3 via Log Obfuscation
CVE-2026-1622
- February 04, 2026
Neo4j Enterprise and Community editions versions prior to 2026.01.3 and 5.26.21 are vulnerable to a potential information disclosure by a user who has ability to access the local log files. The "obfuscate_literals" option in the query logs does not redact error information, exposing unredacted data in the query log when a customer writes a query that fails. It can allow a user with legitimate access to the local log files to obtain information they are not authorised to see. If this user is also in a position to run queries and trigger errors, this vulnerability can potentially help them to infer information they are not authorised to see through their intended database access. We recommend upgrading to versions 2026.01.3 (or 5.26.21) where the issue is fixed, and reviewing query log files permissions to ensure restricted access. If your configuration had db.logs.query.obfuscate_literals enabled, and you wish the obfuscation to cover the error messages as well, you need to enable the new configuration setting db.logs.query.obfuscate_errors once you have upgraded Neo4j.
Insertion of Sensitive Information into Log File
Neo4j Info Disclosure via SET Property Errors (pre-2025.11.2/5.26.17)
CVE-2025-12738
- January 22, 2026
Neo4j Enterprise edition versions prior to 2025.11.2 and 5.26.17 are vulnerable to a potential information disclosure by an attacker who has some legitimate access to the database. The vulnerability allows attacker without read access to a property to infer information about its value by trying to enumerate all possible values through observing error messages of SET property. We recommend upgrading to 2025.11.2 or 5.26.17 and above, where the issues is fixed.
Information Disclosure
Neo4j Bolt Handshake Leakage: One Byte Disclosure
CVE-2025-11602
- October 31, 2025
Potential information leak in bolt protocol handshake in Neo4j Enterprise and Community editions allows attacker to obtain one byte of information from previous connections. The attacker has no control over the information leaked in server responses.
Sensitive Information in Resource Not Removed Before Reuse
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Neo4j Enterprise Edition or by Neo4j? Click the Watch button to subscribe.
