
Neo4j Enterprise Edition: Unintended Access to Local or Remote Databases

CVE-2026-1497
Summary

A bug in Neo4j Enterprise Edition (prior to versions 2026.02 and 5.26.22) can lead to an administrator accidentally granting a user access not just to the intended remote database, but also to any local database or remote alias with the same name. This can have security implications if a database or alias with that name is created in the future. To protect your database, update to the latest version of Neo4j Enterprise Edition.

Original title
Incorrect resolving of namespaces in composite databases in Neo4j Enterprise edition prior to versions 2026.02 and 5.26.22 can lead to the following scenario:  an admin that intends to give a user ...
Original description
Incorrect resolving of namespaces in composite databases in Neo4j Enterprise Edition prior to versions 2026.02 and 5.26.22 can lead to the following scenario:
an admin that intends to give a user access to a remote database constituent "namespace.name" will inadvertently grant access to any local database or remote alias called "name". If such a database or alias doesn't exist when the command is run, the privileges will apply if it's created in the future.
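
An added example, not part of the advisory or of Neo4j's code: a Python audit that flags granted privileges whose target is the bare "name" of a composite constituent "namespace.name", and separates grants that already match a local database or alias from those that would only take effect if one is created later. The rows are constructed samples, the function names are hypothetical, and the check assumes affected grants show up under the bare name in the `graph` column of `SHOW PRIVILEGES` output.

```python
# Added audit sketch (not Neo4j code). Inputs are constructed samples shaped like
# the name column of SHOW ALIASES FOR DATABASE and the rows of SHOW PRIVILEGES.

def bare_names(constituent_aliases):
    """Map bare 'name' -> list of qualified 'namespace.name' constituents."""
    mapping = {}
    for qualified in constituent_aliases:
        # Assumption: the namespace is everything before the first dot.
        namespace, sep, name = qualified.lower().partition(".")
        if sep and namespace and name:  # skip unqualified names
            mapping.setdefault(name, []).append(qualified.lower())
    return mapping


def audit(privileges, constituent_aliases, local_names):
    """Return grants whose graph is the bare name of a composite constituent.

    status 'active'  : a local database or alias with that name exists now
    status 'dormant' : nothing has that name yet; the grant applies on creation
    """
    bare = bare_names(constituent_aliases)
    local = {n.lower() for n in local_names}
    findings = []
    for row in privileges:
        graph = row["graph"].lower()
        if row["access"] != "GRANTED" or graph not in bare:
            continue
        findings.append({
            "role": row["role"],
            "action": row["action"],
            "graph": graph,
            "possibly_intended": bare[graph],
            "status": "active" if graph in local else "dormant",
        })
    return findings


# Constructed sample data, not taken from a real deployment.
ALIASES = ["sales.orders", "sales.customers"]
LOCAL = ["neo4j", "system", "orders"]
PRIVS = [
    {"access": "GRANTED", "action": "access", "graph": "orders", "role": "analyst"},
    {"access": "GRANTED", "action": "access", "graph": "customers", "role": "analyst"},
    {"access": "GRANTED", "action": "access", "graph": "neo4j", "role": "reader"},
    {"access": "DENIED", "action": "access", "graph": "orders", "role": "intern"},
]

if __name__ == "__main__":
    for finding in audit(PRIVS, ALIASES, LOCAL):
        print(finding)
```

Each finding is a candidate for review, since a grant on a local database that legitimately shares the bare name is flagged as well.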
NVD CVSS 4.0 score: 2.0
Vulnerability type
CWE-863 Incorrect Authorization
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026