Neo4j - 24 CVEs (Page 1/1)

About “Neo4j”

A curated feed of “Neo4j”-related CVEs appears below. We currently track 24 CVEs for this tag (all time). In the last 365 days, 14 were published. Average CVSS is 7.1 (all time; 6.4 over 365d), and 58% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-943 - Improper Neutralization of Special Elements in Data Query Logic, CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE-863 - Incorrect Authorization.

In our taxonomy this topic maps to a MODERATE impact class. Databases, proxies, and web servers often need coordinated restarts and config checks. Patch only modules you deploy, verify TLS and authentication, and tune limits. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: neo4j

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

Cycle	Release	Latest	EOL	LTS
2026.04	2026-04-23	2026.04.0	-
2026.03	2026-04-02	2026.03.1	2026-04-23 Expired
2026.02	2026-03-20	2026.02.3	2026-04-02 Expired
2026.01	2026-02-10	2026.01.4	2026-03-06 Expired
2025.12	2026-01-16	2025.12.1	2026-02-03 Expired
2025.11	2025-12-19	2025.11.2	2026-01-16 Expired
2025.10	2025-10-30	2025.10.1	2025-12-19 Expired
2025.09	2025-09-29	2025.09.0	2025-10-30 Expired
2025.08	2025-08-27	2025.08.0	2025-09-29 Expired
2025.07	2025-07-31	2025.07.1	2025-08-15 Expired
2025.06	2025-07-02	2025.06.2	2025-07-31 Expired
2025.05	2025-06-03	2025.05.1	2025-07-02 Expired
2025.04	2025-04-30	2025.04.0	2025-06-03 Expired
2025.03	2025-03-27	2025.03.0	2025-04-30 Expired
2025.02	2025-02-27	2025.02.0	2025-03-27 Expired
2025.01	2025-02-06	2025.01.0	2025-02-27 Expired
5.26	2024-12-06	5.26.26	2028-06-06	LTS
5.25	2024-10-31	5.25.1	2024-12-06 Expired
5.24	2024-09-27	5.24.2	2024-10-31 Expired
5.23	2024-08-22	5.23.0	2024-09-27 Expired
5.22	2024-07-24	5.22.0	2024-08-22 Expired
5.21	2024-06-28	5.21.2	2024-07-24 Expired
5.20	2024-05-23	5.20.0	2024-06-28 Expired
5.19	2024-04-12	5.19.0	2024-05-23 Expired
5.18	2024-03-13	5.18.1	2024-04-12 Expired
5.17	2024-02-23	5.17.0	2024-03-13 Expired
5.16	2024-01-22	5.16.0	2024-02-23 Expired
5.15	2023-12-15	5.15.0	2024-01-22 Expired
5.14	2023-11-24	5.14.0	2023-12-15 Expired
5.13	2023-10-23	5.13.0	2023-11-24 Expired
5.12	2023-09-15	5.12.0	2023-10-23 Expired
5.11	2023-08-14	5.11.0	2023-09-14 Expired
5.10	2023-07-19	5.10.0	2023-08-15 Expired
5.9	2023-06-15	5.9.0	2023-07-19 Expired
5.8	2023-05-16	5.8.0	2023-06-15 Expired
5.7	2023-04-20	5.7.0	2023-05-16 Expired
5.6	2023-03-24	5.6.0	2023-04-20 Expired
5.5	2023-02-16	5.5.0	2023-03-24 Expired
5.4	2023-01-26	5.4.0	2023-02-16 Expired
5.3	2022-12-15	5.3.0	2023-01-26 Expired
5.2	2022-11-21	5.2.0	2022-12-15 Expired
5.1	2022-10-24	5.1.0	2022-11-21 Expired
4.4	2021-12-02	4.4.48	2025-11-30 Expired	LTS
4.3	2021-06-17	4.3.23	2022-12-16 Expired
4.2	2020-11-17	4.2.19	2022-05-16 Expired
4.1	2020-06-23	4.1.12	2021-12-22 Expired
4.0	2020-01-15	4.0.12	2021-07-14 Expired
3.5	2018-11-29	3.5.35	2022-05-27 Expired
3.4	2018-05-17	3.4.18	2020-03-31 Expired
3.3	2017-10-24	3.3.9	2019-04-28 Expired
3.2	2017-05-11	3.2.14	2018-11-30 Expired
3.1	2016-12-13	3.1.9	2018-06-13 Expired
3.0	2016-04-16	3.0.12	2017-10-31 Expired
2.3	2015-10-21	2.3.12	2017-04-21 Expired
2.2	2015-03-25	2.2.10	2016-09-25 Expired
2.1	2014-05-29	2.1.8	2015-11-29 Expired
2.0	2013-12-11	2.0.5	2015-06-11 Expired
1.9	2013-05-21	1.9.9	2014-11-21 Expired
1.8	2012-09-28	1.8.3	2014-03-28 Expired
1.7	2012-04-18	1.7.2	2013-10-18 Expired
1.6	2012-01-22	1.6.3	2013-07-22 Expired
1.5	2011-11-09	1.5.3	2013-03-09 Expired
1.4	2011-07-08	1.4.2	2013-01-08 Expired
1.3	2011-04-12	1.3.0	2012-09-12 Expired
1.2	2010-12-29	1.2.0	2012-06-29 Expired
1.1	2010-07-30	1.1.0	2012-01-30 Expired
1.0	2010-02-23	1.0.0	2011-08-23 Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS · RSS (expired) · ICS

Subscribe CVEs: RSS for “Neo4j” · RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0

2026-04-23

Critical

CVE-2026-41274

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execut…

CVSS: 9.8 CWE: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic View on NVD

2026-04-17

Low

CVE-2026-35402

mcp-neo4j-cypher is an MCP server for executing Cypher queries against Neo4j databases. In versions prior to 0.6.0, the read_only mode enforcement can be bypassed using APOC CALL procedures, potentia…

CVSS: 2.3 CWE: CWE-284 - Improper Access Control View on NVD

2026-03-27

High

CVE-2026-22743

Spring AI's spring-ai-neo4j-store contains a Cypher injection vulnerability in Neo4jVectorFilterExpressionConverter. When a user-controlled string is passed as a filter expression key in Neo4jVectorF…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD

2026-03-12

High

CVE-2026-32247

Graphiti is a framework for building and querying temporal context graphs for AI agents. Graphiti versions before 0.28.2 contained a Cypher injection vulnerability in shared search-filter constructio…

CVSS: 8.1 CWE: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic View on NVD

2026-03-11

Critical

CVE-2026-1524

An edgecase in SSO implementation in Neo4j Enterprise edition versions prior to version 2026.02 can lead to unauthorised access under the following conditions: If a neo4j admin configures two or mo…

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD

Medium

CVE-2026-1471

Excessive caching of authentication context in Neo4j Enterprise edition versions prior to 2026.01.4 leads to authenticated users inheriting the context of the first user who authenticated after resta…

CVSS: 6.5 CWE: CWE-863 - Incorrect Authorization View on NVD

High

CVE-2026-1497

Incorrect resolving of namespaces in composite databases in Neo4j Enterprise edition prior to versions 2026.02 and 5.26.22 can lead to the following scenario: an admin that intends to give a user an…

CVSS: 7.2 CWE: CWE-863 - Incorrect Authorization View on NVD

2026-02-06

Medium

CVE-2026-1337

Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. The…

CVSS: 5.4 CWE: CWE-117 - Improper Output Neutralization for Logs View on NVD

2026-02-04

Medium

CVE-2026-1622

Neo4j Enterprise and Community editions versions prior to 2026.01.3 and 5.26.21 are vulnerable to a potential information disclosure by a user who has ability to access the local log files. The "ob…

CVSS: 4.8 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD

2026-01-22

Low

CVE-2025-12738

Neo4j Enterprise edition versions prior to 2025.11.2 and 5.26.17 are vulnerable to a potential information disclosure by an attacker who has some legitimate access to the database. The vulnerability…

CVSS: 1.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD

2026-01-14

Medium

CVE-2025-66169

Cypher Injection vulnerability in Apache Camel camel-neo4j component. This issue affects Apache Camel: from 4.10.0 before 4.10.8, from 4.14.0 before 4.14.3, from 4.15.0 before 4.17.0 Users are reco…

CVSS: 5.3 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD

2025-10-31

Medium

CVE-2025-11602

Potential information leak in bolt protocol handshake in Neo4j Enterprise and Community editions allows attacker to obtain one byte of information from previous connections. The attacker has no contr…

CVSS: 6.3 CWE: CWE-226 - Sensitive Information in Resource Not Removed Before Reuse View on NVD

2025-09-11

High

CVE-2025-10193

DNS rebinding vulnerability in Neo4j Cypher MCP server allows malicious websites to bypass Same-Origin Policy protections and execute unauthorised tool invocations against locally running Neo4j MCP i…

CVSS: 7.4 CWE: CWE-346 - Origin Validation Error View on NVD

2025-09-10

High

CVE-2025-56406

An issue was discovered in mcp-neo4j 0.3.0 allowing attackers to obtain sensitive information or execute arbitrary commands via the SSE service. NOTE: the Supplier's position is that authentication i…

CVSS: 7.5 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD

2024-05-07

Medium

CVE-2024-34517

The Cypher component in Neo4j 5.0.0 through 5.18 mishandles IMMUTABLE privileges in some situations where an attacker already has admin access.

CVSS: 6.5 CWE: CWE-471 - Modification of Assumed-Immutable Data (MAID) View on NVD

2023-02-16

Medium

CVE-2023-23926

APOC (Awesome Procedures on Cypher) is an add-on library for Neo4j. An XML External Entity (XXE) vulnerability found in the apoc.import.graphml procedure of APOC core plugin prior to version 5.5.0 an…

CVSS: 5.9 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD

2023-01-14

High

CVE-2022-23532

APOC (Awesome Procedures on Cypher) is an add-on library for Neo4j that provides hundreds of procedures and functions. A path traversal vulnerability found in the apoc.export.* procedures of apoc plu…

CVSS: 7.1 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD

2022-08-12

High

CVE-2022-37423

Neo4j APOC (Awesome Procedures on Cypher) before 4.3.0.7 and 4.x before 4.4.0.8 allows Directory Traversal to sibling directories via apoc.log.stream.

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD

2022-03-01

Critical

CVE-2021-42767

A directory traversal vulnerability in the apoc plugins in Neo4J Graph database before 4.4.0.1 allows attackers to read local files, and sometimes create local files. This is fixed in 3.5.17, 4.2.10,…

CVSS: 9.1 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD

2021-08-05

Critical

CVE-2021-34371

Neo4j through 3.4.18 (with the shell server enabled) exposes an RMI service that arbitrarily deserializes Java objects, e.g., through setSessionVariable. An attacker can abuse this for remote code ex…

CVSS: 9.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD

2021-07-30

High

CVE-2021-34802

A failure in resetting the security context in some transaction actions in Neo4j Graph Database 4.2 and 4.3 could allow authenticated users to execute commands with elevated privileges.

CVSS: 8.8 CWE: CWE-269 - Improper Privilege Management View on NVD

2018-12-20

Critical

CVE-2018-1000820

neo4j-contrib neo4j-apoc-procedures version before commit 45bc09c contains a XML External Entity (XXE) vulnerability in XML Parser that can result in Disclosure of confidential data, denial of servic…

CVSS: 10.0 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD

2018-10-16

Critical

CVE-2018-18389

Due to incorrect access control in Neo4j Enterprise Database Server 3.4.x before 3.4.9, the setting of LDAP for authentication with STARTTLS, and System Account for authorization, allows an attacker…

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD

2014-04-29

Medium

CVE-2013-7259

Multiple cross-site request forgery (CSRF) vulnerabilities in Neo4J 1.9.2 allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary code, as demonstrat…

CVSS: 6.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD