PT-2026-6049 · Neo4J · Neo4J Enterprise+1
Published 2026-02-04 · Updated 2026-02-04
CVE-2026-1622
CVSS v4.0: 4.8 (Medium)
Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:X
Name of the Vulnerable Software and Affected Versions
Neo4j Enterprise and Community editions versions prior to 2026.01.3 and versions prior to 5.26.21
Description
The obfuscate_literals option in query logs does not redact error information, potentially exposing unredacted data when a query fails. This can allow a user with legitimate access to local log files to obtain information they are not authorized to see. If the user can also run queries and trigger errors, they may be able to infer unauthorized information through their database access.
Recommendations
Upgrade to version 2026.01.3 or 5.26.21 to resolve the issue.
Review query log file permissions to ensure restricted access.
If the db.logs.query.obfuscate_literals configuration was enabled, enable the db.logs.query.obfuscate_errors configuration setting after upgrading Neo4j to ensure error messages are also obfuscated.
Fix
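As an added check that is not part of this advisory and not Neo4j's own tooling, the POSIX shell functions below flag a Neo4j configuration that has db.logs.query.obfuscate_literals enabled without db.logs.query.obfuscate_errors, and a query log file that group or other users can read. The config and log file paths are supplied by the caller; the usual locations named in the comments are an assumption.

```shell
#!/bin/sh
# Added example, not from the advisory or from Neo4j: two checks that follow
# the recommendations above. File paths are supplied by the caller; the usual
# locations (conf/neo4j.conf and logs/query.log under the Neo4j home) are an
# assumption, not something the advisory states.

# Effective value of a setting: last uncommented "key=value" line wins,
# trailing comments and whitespace stripped.
# $1 = config file, $2 = setting name with dots already escaped for grep -E.
conf_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null \
        | tail -n 1 | sed -e 's/^[^=]*=//' -e 's/#.*//' | tr -d '[:space:]'
}

# Returns 0 when the two obfuscation settings are consistent, 1 when literals
# are obfuscated but error messages are not (the gap described in CVE-2026-1622:
# a failing query can carry unredacted data into the query log via its error text).
check_obfuscation() {
    literals=$(conf_value "$1" 'db\.logs\.query\.obfuscate_literals')
    errors=$(conf_value "$1" 'db\.logs\.query\.obfuscate_errors')
    if [ "$literals" = "true" ] && [ "$errors" != "true" ]; then
        echo "WARN: $1: obfuscate_literals=true but obfuscate_errors=${errors:-unset}" >&2
        return 1
    fi
    return 0
}

# Returns 0 when the query log is readable by its owner only, 1 when the group
# or others have read access (the advisory's second recommendation).
check_log_perms() {
    if [ ! -f "$1" ]; then
        echo "WARN: $1: query log not found" >&2
        return 1
    fi
    if [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
        echo "WARN: $1: readable by group or others" >&2
        return 1
    fi
    return 0
}

# Stand-alone usage: sh check.sh /path/to/neo4j.conf /path/to/query.log
if [ "$#" -eq 2 ]; then
    status=0
    check_obfuscation "$1" || status=1
    check_log_perms "$2" || status=1
    exit "$status"
fi
```

A non-zero exit means at least one of the two conditions was found; run it as the Neo4j service account so the permission check reflects what that account actually sees.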
Insertion into Log File
Weakness Enumeration
Related Identifiers
Affected Products
Neo4J Community
Neo4J Enterprise