Description
An edgecase in SSO implementation in Neo4j Enterprise edition versions prior to version 2026.02 can lead to unauthorised access under the following conditions:


If a neo4j admin configures two or more OIDC providers AND configures one or more of them to be an authorization provider AND configures one or more of them to be authentication-only, then those that are authentication-only will also provide authorization. This edgecase becomes a security problem only if the authentication-only provider contains groups which have higher privileges than provided by the intended (configured) authorization provider.

When using multiple plugins for authentication and authorisation, prior to the fix the issue could lead to a plugin configured to provide only authentication or authorisation capabilities erroneously providing both capabilities. 

We recommend upgrading to versions 2026.02 (or 5.26.22) where the issue is fixed.
Published: 2026-03-11
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Immediate Patch
AI Analysis

Impact

An edgecase in the SSO implementation of Neo4j Enterprise Edition allows an administrator to inadvertently grant both authentication and authorization capabilities to an OIDC provider that was intended to provide only authentication. When at least one provider is configured as an authorization provider and at least one as authentication‑only, the authentication‑only provider may also provide authorization. If that provider contains groups with higher privileges than the configured authorization provider, members of those groups can gain unintended, elevated access. This flaw is linked to CWE‑287 (Authentication) and CWE‑863 (Authorization Bypass through Authorization Mechanism). The result is a breach of confidentiality and integrity through unauthorized privilege escalation.

Affected Systems

Neo4j Enterprise Edition installations that have two or more OIDC providers enabled and are running versions prior to 2026.02 (or 5.26.22). The vulnerability manifests only when one provider is set for authorization and another for authentication‑only, and the authentication‑only provider contains higher‑privilege groups.

Risk and Exploitability

The CVSS score is 2.1, indicating low severity, and the EPSS score is less than 1%, reflecting a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the presence of misconfigured OIDC providers, meaning it is most likely local or administrative in nature rather than remotely exploitable. While the risk level is low, the impact of privilege escalation warrants attention and prompt remediation.

Generated by OpenCVE AI on March 17, 2026 at 14:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Neo4j Enterprise Edition to version 2026.02 or later (or to 5.26.22) to apply the vendor fix.
  • If an upgrade cannot be performed immediately, review the OIDC provider configuration to ensure that any providers marked as authentication‑only do not contain groups with privileges higher than the intended authorization providers, and remove or adjust those groups accordingly.
  • Consider temporarily disabling authentication‑only OIDC providers until the patch is applied to prevent accidental authorization leakage.
  • Refer to the vendor's advisory at https://neo4j.com/security/CVE-2026-1524 for additional guidance and monitoring of future patches.

Generated by OpenCVE AI on March 17, 2026 at 14:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://neo4j.com/security/CVE-2026-1524 cve-icon cve-icon
History

Thu, 12 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
Description An edgecase in SSO implementation in Neo4j Enterprise edition versions prior to version 2026.02 can lead to unauthorised access under the following conditions: If a neo4j admin configures two or more OIDC providers AND configures one or more of them to be an authorization provider AND configures one or more of them to be authentication-only, then those that are authentication-only will also provide authorization. This edgecase becomes a security problem only if the authentication-only provider contains groups which have higher privileges than provided by the intended (configured) authorization provider. When using multiple plugins for authentication and authorisation, prior to the fix the issue could lead to a plugin configured to provide only authentication or authorisation capabilities erroneously providing both capabilities.  We recommend upgrading to versions 2026.02 (or 5.26.22) where the issue is fixed.
Title Auth misconfiguration when multiple providers enabled
First Time appeared Neo4j
Neo4j enterprise Edition
Weaknesses CWE-287
CWE-863
CPEs cpe:2.3:a:neo4j:enterprise_edition:*:*:*:*:*:*:*:*
Vendors & Products Neo4j
Neo4j enterprise Edition
References
Metrics cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/AU:N/R:U/V:D/RE:M/U:Green'}

Subscriptions

Neo4j Enterprise Edition
cve-icon MITRE

Status: PUBLISHED

Assigner: Neo4j

Published:

Updated: 2026-03-12T16:19:58.434Z

Reserved: 2026-01-28T11:20:54.690Z

Link: CVE-2026-1524

cve-icon Vulnrichment

Updated: 2026-03-12T15:43:24.885Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-11T17:16:54.477

Modified: 2026-03-12T21:08:22.643

Link: CVE-2026-1524

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:30:38Z

Weaknesses