Impact
Neo4j Enterprise Edition contains a flaw in how composite databases resolve namespaced names. When an administrator grants a privilege on a remote constituent identified by a fully-qualified name such as "namespace.name", the privilege may instead be assigned to any local database or remote alias whose name matches the suffix "name". A user can therefore gain access to a database or alias they were never meant to reach, which is an incorrect-authorization privilege escalation (CWE-863). The impact is a potential loss of confidentiality and integrity for data stored in whichever databases received the unintended privilege.
Affected Systems
Neo4j Enterprise Edition releases prior to 2026.02 and, on the 5.x line, prior to 5.26.22 are affected. Any instance on those versions that executes grant commands against composite database constituents is susceptible. The affected component is the namespace resolution logic within the Neo4j composite database framework.
Risk and Exploitability
The CVSS score is 2, indicating low overall severity, and the EPSS score is below 1%, suggesting a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation depends on a privileged grant command being executed: either an administrator issues a legitimate grant that the bug silently widens, or an attacker who has compromised an administrative account issues one. The likely attack path, inferred from the description rather than stated explicitly, is an admin-initiated grant on a composite constituent that lands on an unintended database or alias; the practical precondition is that a local database or alias shares its name with the suffix of a composite constituent. Until an instance is upgraded, administrators should review existing privileges on deployments where such name collisions exist.
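The collision condition described above (a bare local database or alias name that equals the suffix of a composite constituent) is something an administrator can check for directly. The Python below is an added example and is not Neo4j code or part of the advisory: it runs the check over constructed inventory rows whose shape is an assumption modelled on the output of SHOW DATABASES, SHOW ALIASES FOR DATABASE and SHOW PRIVILEGES (in practice those rows would be fetched with the neo4j driver). The class and function names, the database and alias names, and the role names are all hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Alias:
    """One row of a (hypothetical) alias inventory."""
    name: str                 # full alias name; "reporting.sales" for a composite constituent
    composite: Optional[str]  # namespace (the composite database) or None for a top-level alias
    target: str               # local database name or remote bolt URL


@dataclass(frozen=True)
class Privilege:
    """One row of a (hypothetical) privilege listing."""
    role: str
    action: str   # e.g. "access", "match"
    graph: str    # database or alias the privilege is recorded against


def constituent_suffixes(aliases: List[Alias]) -> Dict[str, Set[str]]:
    """Map each bare suffix ("sales") to the fully-qualified constituents
    ("reporting.sales") that end in it."""
    suffixes: Dict[str, Set[str]] = {}
    for a in aliases:
        if a.composite is not None:
            bare = a.name.split(".", 1)[1]
            suffixes.setdefault(bare, set()).add(a.name)
    return suffixes


def find_suspect_grants(
    aliases: List[Alias], local_dbs: List[str], privileges: List[Privilege]
) -> List[Tuple[Privilege, List[str]]]:
    """Return (privilege, colliding constituents) for every privilege recorded
    against a bare name that both exists locally (database or top-level alias)
    and is the suffix of at least one composite constituent. Such a privilege
    may have been intended for the constituent but resolved to the local name.
    A hit is a candidate for review, not proof of mis-resolution."""
    suffixes = constituent_suffixes(aliases)
    local_names = set(local_dbs) | {a.name for a in aliases if a.composite is None}
    return [
        (p, sorted(suffixes[p.graph]))
        for p in privileges
        if p.graph in suffixes and p.graph in local_names
    ]


def example_audit() -> List[Tuple[Privilege, List[str]]]:
    """Constructed sample inventory (not real data) that contains two collisions."""
    local_dbs = ["neo4j", "sales"]
    aliases = [
        Alias("reporting.sales", "reporting", "neo4j+s://remote.example:7687"),
        Alias("reporting.hr", "reporting", "hr"),
        Alias("reporting.archive", "reporting", "neo4j+s://remote2.example:7687"),
        Alias("archive", None, "sales_2019"),
    ]
    privileges = [
        Privilege("analyst", "access", "reporting.hr"),  # fully qualified: not flagged
        Privilege("analyst", "access", "sales"),         # bare name that is also a constituent suffix
        Privilege("auditor", "match", "archive"),        # bare top-level alias colliding with reporting.archive
        Privilege("admin", "access", "*"),               # wildcard: not flagged
    ]
    return find_suspect_grants(aliases, local_dbs, privileges)


if __name__ == "__main__":
    for priv, constituents in example_audit():
        print(f"role {priv.role}: '{priv.action}' on '{priv.graph}' "
              f"collides with constituent(s) {constituents}")
```

Each flagged row should be compared against the grant the administrator actually intended: if the role was meant to reach only the remote constituent, the privilege on the bare local name is the unintended one and should be revoked. Removing the name collision (renaming the local database or the constituent) avoids the ambiguity entirely, but the fix is the upgrade to a patched release.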
OpenCVE Enrichment