PT-2026-24715 · Neo4J · Neo4J Enterprise Edition

Published 2026-03-11 · Updated 2026-05-14 · CVE-2026-1497

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Neo4j Enterprise edition versions prior to 2026.02
Neo4j Enterprise edition versions prior to 5.26.22

Description

An incorrect resolution of namespaces in composite databases in Neo4j Enterprise edition can lead to a scenario where an administrator unintentionally grants access to local databases or remote aliases. Specifically, when an administrator attempts to grant a user access to a remote database constituent using the format 'namespace.name', access is inadvertently granted to any local database or remote alias named 'name'. If a database or alias with that name does not exist at the time the command is executed, the privileges will be applied if it is created in the future.

Recommendations

Update Neo4j Enterprise edition to version 2026.02 or later.
Update Neo4j Enterprise edition to version 5.26.22 or later.
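
An audit check for the condition in the description, added here as an example and not taken from Neo4j or from this advisory: it flags privileges scoped to a bare 'name' that matches the name part of a composite constituent 'namespace.name'. The function names, the row fields (`role`, `action`, `graph`) and all sample data are assumptions constructed for illustration; populate them from your own deployment's privilege and database listings.

```python
# Added example: review grants that may have landed on a bare 'name'
# instead of the intended 'namespace.name' constituent.
# All sample rows are constructed; field names are assumptions.

def split_constituent(alias):
    """Split 'namespace.name' into (namespace, name); None if unqualified.
    Assumes neither part itself contains a dot."""
    ns, sep, name = alias.partition(".")
    return (ns, name) if sep and ns and name else None

def audit_grants(constituents, local_names, privileges):
    """Return privileges whose scope equals the name part of a constituent.

    constituents: qualified aliases ('namespace.name') of composite databases
    local_names:  local databases and remote aliases that exist right now
    privileges:   dicts with 'role', 'action', 'graph' (database scope)
    """
    intended = {}  # bare name -> qualified constituents it may have meant
    for alias in constituents:
        parts = split_constituent(alias)
        if parts:
            intended.setdefault(parts[1], []).append(alias)
    existing = set(local_names)
    findings = []
    for p in privileges:
        scope = p["graph"]
        if scope not in intended:
            continue
        # EXPOSED: an object with the bare name exists today, so the grant
        # is live on it. LATENT: nothing has that name yet, but the grant
        # would apply to a database or alias created with it later.
        status = "EXPOSED" if scope in existing else "LATENT"
        findings.append({"role": p["role"], "action": p["action"],
                         "scope": scope, "status": status,
                         "likely_intended": intended[scope]})
    return findings

# Constructed sample inventory
CONSTITUENTS = ["sales.orders", "sales.archive"]
LOCAL_NAMES = ["neo4j", "system", "orders"]
PRIVILEGES = [
    {"role": "analyst", "action": "access", "graph": "orders"},
    {"role": "analyst", "action": "match", "graph": "archive"},
    {"role": "reader", "action": "access", "graph": "neo4j"},
]

if __name__ == "__main__":
    for f in audit_grants(CONSTITUENTS, LOCAL_NAMES, PRIVILEGES):
        print(f["status"], f["role"], f["action"], f["scope"], f["likely_intended"])
```

A finding is a prompt for review, since a grant on a local database that happens to share the name may be deliberate.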

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

BIT-NEO4J-2026-1497
CVE-2026-1497

Affected Products

Neo4J Enterprise Edition