Impact
Neo4j Enterprise Edition contains a flaw in which an authenticated user can inherit the authentication context of the first user who logged in after a server restart. The key detail from the vendor description: "Excessive caching of authentication context… leads to authenticated users inheriting the context of the first user who authenticated after restart." The vulnerability is classified as CWE-488 (Improper Cache Management) and CWE-863 (Incorrect Permission Management), indicating that cached authentication data is reused incorrectly and that permission checks are not properly enforced, which may allow an attacker to obtain higher privileges than intended.
Affected Systems
The issue affects Neo4j Enterprise Edition prior to version 2026.01.4 (or 5.26.22). It is active only when a non-default SSO configuration that uses the UserInfo endpoint is in place, so that the server caches the first authenticated user's context. All installations matching these criteria are potentially impacted until the software is upgraded.
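The two conditions above (version range and UserInfo-based SSO) are what an operator has to check to know whether a deployment is exposed. The following triage helper is an added example, not code from Neo4j or from the advisory. The fixed version numbers are the ones stated on this page; assigning a version string to a release line by its major number (5 = the 5.x line, 2025 and later = calendar versioning) is this helper's assumption, as is the setting name `dbms.security.oidc.<provider>.user_info_uri`, which follows Neo4j 5's OIDC setting naming and should be verified against the documentation for your release. The `neo4j.conf` fragment is constructed for illustration.

```python
"""Triage helper for the advisory above: decides whether a Neo4j Enterprise
deployment is inside the affected version range and whether neo4j.conf enables
an SSO provider with a UserInfo endpoint. Added example; not Neo4j's own code."""
import re
from typing import List, Optional, Tuple

# Fixed versions as stated in the advisory. Mapping a version string to a
# release line by its major number (5 = the 5.x line, 2025+ = calendar
# versioning) is an assumption made by this helper, not text from the page.
FIXED_5X = (5, 26, 22)
FIXED_CALVER = (2026, 1, 4)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; an optional pre-release/build suffix is ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Neo4j version string: {text!r}")
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def is_version_affected(version: str) -> Optional[bool]:
    """True if the version predates the fix on its release line, False if fixed,
    None if the advisory text says nothing about that line (e.g. 4.x)."""
    v = parse_version(version)
    if v[0] == 5:
        return v < FIXED_5X
    if v[0] >= 2025:
        return v < FIXED_CALVER
    return None


# Assumed setting name: Neo4j 5 OIDC settings are keyed as
# dbms.security.oidc.<provider>.<setting>; 'user_info_uri' is assumed here to
# be the UserInfo endpoint setting. Verify against the docs for your release.
_USERINFO_RE = re.compile(
    r"^\s*dbms\.security\.oidc\.([A-Za-z0-9_-]+)\.user_info_uri\s*=\s*(\S+)"
)


def userinfo_providers(conf_text: str) -> List[str]:
    """Return OIDC provider names whose config sets a UserInfo endpoint,
    skipping commented-out lines."""
    found = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _USERINFO_RE.match(line)
        if m:
            found.append(m.group(1))
    return found


def triage(version: str, conf_text: str) -> dict:
    """Combine both conditions from the advisory into one verdict."""
    affected_version = is_version_affected(version)
    providers = userinfo_providers(conf_text)
    return {
        "version": version,
        "version_affected": affected_version,  # None = release line not covered
        "userinfo_providers": providers,
        # Exposed only when both conditions hold.
        "exposed": bool(affected_version) and bool(providers),
    }


# Constructed sample neo4j.conf fragment (not taken from any real deployment).
SAMPLE_CONF = """\
server.default_listen_address=0.0.0.0
dbms.security.authentication_providers=oidc-corp,native
dbms.security.oidc.corp.display_name=Corp SSO
dbms.security.oidc.corp.user_info_uri=https://sso.example.invalid/userinfo
#dbms.security.oidc.legacy.user_info_uri=https://old.example.invalid/userinfo
"""

if __name__ == "__main__":
    for ver in ("5.26.21", "5.26.22", "2026.01.3", "2026.01.4", "4.4.30"):
        print(ver, triage(ver, SAMPLE_CONF))
```

A `version_affected` of `None` is deliberately kept distinct from `False`: the advisory names fixed versions on two release lines only, so a version on any other line is "not covered by this text" rather than "known safe".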
Risk and Exploitability
The CVSS score of 2.1 indicates low severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is inferred from the description: the attacker must already be authenticated, wait for a server restart, and then be the first to log in afterward in order to inherit that session's privileged context. Because this requires specific timing and an authenticated account, the overall risk remains low under normal operational conditions, although the potential impact of privilege escalation is significant if an attacker succeeds.
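Because the cached context belongs to whoever authenticates first after each restart, the useful audit question for a defender is: for every restart, who logged in first, and which logins followed in the same uptime window? The helper below answers that over an event stream and flags windows in which the first login was a privileged account. It is an added example, not Neo4j's own code or log format: the event lines are constructed for illustration in a simplified `timestamp event` form, and the set of privileged principals is something the operator supplies from their own role mapping.

```python
"""Audit helper for the scenario above: from an ordered stream of server-start
and login events, find the first principal to authenticate after each restart
(the one whose context later logins would inherit) and list the logins that
followed it in the same uptime window. Added example; the log format is
constructed for illustration and is not Neo4j's own."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set

# Constructed event format: "<timestamp> server started" or
# "<timestamp> login user=<name> provider=<provider>".
_EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:(?P<start>server started)"
    r"|login user=(?P<user>\S+) provider=(?P<prov>\S+))$"
)


@dataclass
class UptimeWindow:
    restarted_at: str
    first_login: Optional[str] = None          # principal whose context is cached
    later_logins: List[str] = field(default_factory=list)  # logins that would inherit it


def uptime_windows(lines: Iterable[str]) -> List[UptimeWindow]:
    """Split an ordered event stream into per-restart windows."""
    windows: List[UptimeWindow] = []
    current: Optional[UptimeWindow] = None
    for raw in lines:
        m = _EVENT_RE.match(raw.strip())
        if not m:
            continue  # unrelated line
        if m.group("start"):
            current = UptimeWindow(restarted_at=m.group("ts"))
            windows.append(current)
        elif current is not None:
            # Logins seen before the first observed restart belong to an
            # unknown window and are ignored rather than guessed at.
            user = m.group("user")
            if current.first_login is None:
                current.first_login = user
            else:
                current.later_logins.append(user)
    return windows


def findings(lines: Iterable[str], privileged: Set[str]) -> List[dict]:
    """One finding per window whose first (cached) login is a privileged
    principal and which has later logins worth reviewing."""
    out = []
    for w in uptime_windows(lines):
        if w.first_login in privileged and w.later_logins:
            out.append({
                "restarted_at": w.restarted_at,
                "cached_principal": w.first_login,
                "review_logins": list(w.later_logins),
            })
    return out


# Constructed sample events (not from any real server).
SAMPLE_LOG = """\
2026-02-10T07:59:40Z login user=zoe provider=oidc-corp
2026-02-10T08:00:03Z server started
2026-02-10T08:01:10Z login user=alice provider=oidc-corp
2026-02-10T08:02:45Z login user=bob provider=oidc-corp
2026-02-10T08:03:00Z some unrelated log line
2026-02-10T09:30:00Z server started
2026-02-10T09:30:20Z login user=svc-backup provider=native
2026-02-10T09:31:05Z login user=carol provider=oidc-corp
"""

if __name__ == "__main__":
    for f in findings(SAMPLE_LOG.splitlines(), privileged={"alice"}):
        print(f)
```

The login before the first observed `server started` line is deliberately dropped: without the preceding restart there is no way to know who the cached principal for that window was, and reporting a guess would be worse than reporting nothing.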
OpenCVE Enrichment