PT-2026-3934 · Neo4J · Neo4J
Published: 2026-01-22 · Updated: 2026-01-22 · CVE-2025-12738
CVSS v4.0: 1.3 (Low)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:D/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Neo4j versions prior to 2025.11.2
Neo4j versions prior to 5.26.17
Description
A potential information disclosure exists in Neo4j Enterprise edition for attackers with some legitimate database access. The issue allows an attacker without read access to a property to infer information about its value by attempting to enumerate all possible values and observing error messages during a SET property operation.
Recommendations
Upgrade to Neo4j version 2025.11.2 or later.
Upgrade to Neo4j version 5.26.17 or later.
Fix
Information Disclosure
Affected Products
Neo4J