PT-2026-24727 · Neo4J · Neo4J Enterprise Edition
Published 2026-03-11 · Updated 2026-05-29 · CVE-2026-1524
CVSS v4.0: 2.1 (Low)
Vector: AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Green
Name of the Vulnerable Software and Affected Versions
Neo4j Enterprise edition versions prior to 2026.02
Neo4j Enterprise edition versions prior to 5.26.22
Description
An issue in the Single Sign-On (SSO) implementation in Neo4j Enterprise edition can lead to unauthorized access. It occurs when a Neo4j administrator configures two or more OpenID Connect (OIDC) providers, with at least one configured for authorization and one configured for authentication only. If the authentication-only provider carries groups with higher privileges than the intended authorization provider grants, those groups can incorrectly confer authorization. Prior to the fix, a plugin configured only for authentication or only for authorization could erroneously provide both capabilities.
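As an added illustration (not part of the advisory and not Neo4j's own code), the check below scans a neo4j.conf for the provider layout the description refers to: an OIDC provider enabled for authentication only that still carries a group-to-role mapping, alongside a separate provider enabled for authorization. The setting names follow the Neo4j 5.x `dbms.security.oidc.<provider>.*` keys as I understand them (an assumption to confirm against your version's docs), and the conf excerpt is constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed neo4j.conf excerpt (not from the advisory). "corp" authenticates only but
# still maps a group to admin; "app" is the intended authorization provider.
SAMPLE_CONF = """
dbms.security.authentication_providers=oidc-corp,oidc-app
dbms.security.authorization_providers=oidc-app
dbms.security.oidc.corp.authentication_enabled=true
dbms.security.oidc.corp.authorization_enabled=false
dbms.security.oidc.corp.authorization.group_to_role_mapping="corp-admins"=admin
dbms.security.oidc.app.authentication_enabled=false
dbms.security.oidc.app.authorization_enabled=true
dbms.security.oidc.app.authorization.group_to_role_mapping="readers"=reader
"""

# Assumed Neo4j 5.x key shape: dbms.security.oidc.<provider>.<setting>=<value>
OIDC_KEY = re.compile(r"^dbms\.security\.oidc\.([^.=]+)\.([^=]+)=(.*)$")

def parse_oidc_providers(conf: str) -> Dict[str, Dict[str, str]]:
    """Group each OIDC setting line under its provider name (comments never match)."""
    providers: Dict[str, Dict[str, str]] = {}
    for raw in conf.splitlines():
        m = OIDC_KEY.match(raw.strip())
        if m:
            providers.setdefault(m.group(1), {})[m.group(2)] = m.group(3).strip()
    return providers

def _enabled(settings: Dict[str, str], key: str) -> bool:
    # Both *_enabled flags are treated as on unless explicitly set to false.
    return settings.get(key, "true").strip().lower() != "false"

def mapped_roles(settings: Dict[str, str]) -> List[str]:
    """Roles named in a '"group"=role;"group2"=role2' mapping value."""
    mapping = settings.get("authorization.group_to_role_mapping", "")
    return [p.split("=")[-1].strip().strip('"') for p in mapping.split(";") if "=" in p]

def find_exposed_mappings(conf: str) -> List[Tuple[str, List[str]]]:
    """(provider, roles) for authentication-only providers that still map groups to
    roles while another provider handles authorization: the layout the advisory describes."""
    providers = parse_oidc_providers(conf)
    authz_present = any(_enabled(s, "authorization_enabled") for s in providers.values())
    findings = []
    for name, s in providers.items():
        authn_only = _enabled(s, "authentication_enabled") and not _enabled(s, "authorization_enabled")
        if authn_only and authz_present and mapped_roles(s):
            findings.append((name, mapped_roles(s)))
    return sorted(findings)
```

A hit means the configuration matches the precondition, so confirm the running version against the affected ranges and plan the upgrade; it is not by itself proof that privileges were granted.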
Recommendations
Upgrade to version 2026.02.
Upgrade to version 5.26.22.
Fix
Improper Authentication
Incorrect Authorization
Affected Products
Neo4J Enterprise Edition