CVE-2026-1471
Excessive caching of authentication context in Neo4j Enterprise edition versions prior to 2026.01.4 leads to authenticated users inheriting the context of the first user who authenticated after restart. The issue is limited to certain non-default configurations of SSO (UserInfo endpoint).
We recommend upgrading to versions 2026.01.4 (or 5.26.22) where the issue is fixed.
https://nvd.nist.gov/vuln/detail/CVE-2026-1471
Categories
CWE-863 : Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. "AuthZ" is typically used as an abbreviation of "authorization" within the web application security community. It is distinct from "AuthN" (or, sometimes, "AuthC") which is an abbreviation of "authentication." The use of "Auth" as an abbreviation is discouraged, since it could be used for either authentication or authorization. Automated dynamic analysis may not be able to find interfaces that are protected by authorization checks, even if those checks contain weaknesses. Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7]. Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs. collaboration platform allows attacker to access an AI bot by using a plugin to set a critical property LLM application development platform allows non-admin users to enable or disable apps using certain API endpoints Chain: A microservice integration and management platform compares the hostname in the HTTP Host header in a case-sensitive way (CWE-178, CWE-1289), allowing bypass of the authorization policy (CWE-863) using a hostname with mixed case or other variations. Chain: sscanf() call is used to check if a username and group exists, but the return value of sscanf() call is not checked (CWE-252), causing an uninitialized variable to be checked (CWE-457), returning success to allow authorization bypass for executing a privileged (CWE-863). Gateway uses default "Allow" configuration for its authorization settings. Chain: product does not properly interpret a configuration option for a system group, allowing users to gain privileges. Chain: SNMP product does not properly parse a configuration option for which hosts are allowed to connect, allowing unauthorized IP addresses to connect. Chain: reliance on client-side security (CWE-602) allows attackers to bypass authorization using a custom client. Chain: product does not properly handle wildcards in an authorization policy list, allowing unintended access. ACL-based protection mechanism treats negative access rights as if they are positive, allowing bypass of intended restrictions. Product relies on the X-Forwarded-For HTTP header for authorization, allowing unintended access by spoofing the header. Chain: file-system code performs an incorrect comparison (CWE-697), preventing default ACLs from being properly applied. Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.
References
3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6
AFFECTED (from MITRE)
| Vendor |
Product |
Versions |
| Neo4j |
Enterprise edition |
- 2025.01 < 2026.01.4 [affected]
- 4.4.0 < 5.26.22 [affected]
|
| © 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. |
CPE
| cpe |
start |
end |
| Configuration 1 |
| cpe:2.3:a:neo4j:enterprise_edition:*:*:*:*:*:*:*:* |
>= 2025.01 |
< 2026.01.4 |
| cpe:2.3:a:neo4j:enterprise_edition:*:*:*:*:*:*:*:* |
>= 4.4.0 |
< 5.26.22 |
REMEDIATION
EXPLOITS
Exploit-db.com
| id |
description |
date |
|
| No known exploits |
POC Github
Other Nist (github, ...)
CAPEC
Common Attack Pattern Enumerations and Classifications
| id |
description |
severity |
| No entry |
Cybersecurity needs ?
Strengthen software security from the outset with our DevSecOps expertise
Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.
Discover this offer
