Description
Neo4j Enterprise and Community editions versions prior to 2026.01.3 and 5.26.21 are vulnerable to a potential information disclosure by a user who has the ability to access the local log files.

The "obfuscate_literals" option in the query logs does not redact error information, exposing unredacted data in the query log when a customer writes a query that fails. It can allow a user with legitimate access to the local log files to obtain information they are not authorised to see. If this user is also in a position to run queries and trigger errors, this vulnerability can potentially help them to infer information they are not authorised to see through their intended database access.

We recommend upgrading to versions 2026.01.3 (or 5.26.21) where the issue is fixed, and reviewing query log files permissions to ensure restricted access. If your configuration had db.logs.query.obfuscate_literals enabled, and you wish the obfuscation to cover the error messages as well, you need to enable the new configuration setting db.logs.query.obfuscate_errors once you have upgraded Neo4j.
Published: 2026-02-04
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via Unredacted Query Logs
Action: Immediate Patch
AI Analysis

Impact

Neo4j Enterprise and Community editions prior to versions 2026.01.3 and 5.26.21 can log and expose sensitive data in query error messages when the db.logs.query.obfuscate_literals configuration is enabled. Because the error logs are not obfuscated, a user who can read the local log files obtains information not intended to be visible, potentially revealing private data such as password hashes or internal entity identifiers. The vulnerability is a classic information exposure through log files and could compromise confidentiality of database contents.

Affected Systems

Neo4j Community Edition and Enterprise Edition versions earlier than 2026.01.3 (for Enterprise) and 5.26.21 (for Community). Users of these releases with local access to query.log files are affected.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate impact. The EPSS probability is below 1%, and the vulnerability is not listed in the CISA KEV catalog, which suggests exploitation is neither known in the wild nor readily automated. The attack requires a user who can read the server's query logs and also perform database queries that trigger errors. If both conditions are met, the user can infer information they are not authorized to see through the unredacted error logs.

Generated by OpenCVE AI on April 18, 2026 at 14:03 UTC.

Remediation

Vendor Solution

We recommend upgrading to versions 2026.01.3 (or 5.26.21) where the issue is fixed, and reviewing query log files permissions to ensure restricted access. If your configuration had db.logs.query.obfuscate_literals enabled, and you wish the obfuscation to cover the error messages as well, you need to enable the new configuration setting db.logs.query.obfuscate_errors once you have upgraded Neo4j.


OpenCVE Recommended Actions

  • Upgrade Neo4j to version 2026.01.3 or 5.26.21 where the issue is resolved.
  • After updating, enable the db.logs.query.obfuscate_errors configuration to protect error messages from disclosure.
  • Verify that the permissions of the query log files restrict access to authorized administrators only and that no other local users retain read privileges.
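The three actions above can be checked from a shell on the database host. The script below is an added audit helper written for this page, not Neo4j's own tooling: it reads a neo4j.conf, reports when db.logs.query.obfuscate_literals is on without db.logs.query.obfuscate_errors (the state in which failed queries leave unredacted data in query.log on unpatched builds, and error text stays unredacted on patched builds until the new setting is enabled), and reports when query.log is readable by users outside the owner and group. The conf key syntax (key=value, "#" comments) and the sample files it builds in a temporary directory are assumptions for the demo; point report at your real neo4j.conf and logs/query.log to audit a live install.

```shell
#!/bin/sh
# Added audit helper for the advisory above (not Neo4j's own tooling).
# Assumes a Neo4j 5.x / 2026.x style neo4j.conf (key=value lines, "#"
# comments) and a query.log on a POSIX filesystem. The files created in
# demo() are constructed samples, not real deployment data.

# Print the effective value of a key in neo4j.conf (empty if unset or
# present only as a commented-out line). The last uncommented assignment wins.
conf_value() {
    conf=$1; key=$2
    grep -E "^[[:space:]]*${key}[[:space:]]*=" "$conf" 2>/dev/null \
        | tail -n 1 | sed 's/^[^=]*=//' | tr -d '[:space:]'
}

# Succeed (exit 0) when obfuscate_literals is enabled but obfuscate_errors
# is not. Before 2026.01.3 / 5.26.21 this leaks unredacted data into error
# entries; after upgrading, error text stays unredacted until
# db.logs.query.obfuscate_errors is also set to true.
literals_without_errors() {
    [ "$(conf_value "$1" db.logs.query.obfuscate_literals)" = "true" ] &&
    [ "$(conf_value "$1" db.logs.query.obfuscate_errors)" != "true" ]
}

# Succeed when "other" has no read bit on the file, i.e. only the owner
# (the Neo4j service account) and the owning group can read the log.
# Review the group membership separately; it should be administrators only.
log_not_world_readable() {
    other=$(ls -ld "$1" 2>/dev/null | cut -c8-10)   # "other" rwx triplet
    [ -n "$other" ] && [ "$other" = "$(printf '%s' "$other" | tr -d r)" ]
}

# Print findings for one conf/log pair; return 1 if anything needs attention.
report() {
    conf=$1; log=$2; status=0
    if literals_without_errors "$conf"; then
        echo "FINDING: $conf obfuscates literals but not errors; upgrade, then set db.logs.query.obfuscate_errors=true"
        status=1
    fi
    if [ -e "$log" ] && ! log_not_world_readable "$log"; then
        echo "FINDING: $log is readable by other local users; restrict permissions (e.g. chmod o-r)"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $conf / $log"
    return "$status"
}

# Demo on constructed files: a weak config with a world-readable log,
# then the corrected config with the log restricted to owner and group.
demo() {
    d=$(mktemp -d)
    printf 'db.logs.query.enabled=VERBOSE\ndb.logs.query.obfuscate_literals=true\n' > "$d/weak.conf"
    : > "$d/query.log"; chmod 644 "$d/query.log"
    report "$d/weak.conf" "$d/query.log" || true
    printf 'db.logs.query.obfuscate_literals=true\ndb.logs.query.obfuscate_errors=true\n' > "$d/fixed.conf"
    chmod 640 "$d/query.log"   # owner rw, group r, other none
    report "$d/fixed.conf" "$d/query.log" || true
    rm -rf "$d"
}

demo
```

The permission check deliberately tolerates group read so that a dedicated administrators group can still consume the log; if query.log's group is broader than that, tighten the check to columns 5-10 of the ls output so both group and other must lack the read bit.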

Generated by OpenCVE AI on April 18, 2026 at 14:03 UTC.

Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-4j3g-rwwq-4p54
Title: Neo4j Enterprise and Community vulnerable to a potential information disclosure
History

Sat, 07 Feb 2026 12:15:00 +0000

Type: References (values updated)
Type: Metrics
  threat_severity: removed None; added Moderate
  cvssV3_1: added {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Wed, 04 Feb 2026 16:15:00 +0000

Type: Metrics
  ssvc: added {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 10:30:00 +0000

Type: Description
  Values Removed: Neo4j Enterprise and Community editions versions prior to 2026.01.3 and 5.26.21 are vulnerable to a potential information disclosure by a user who has ability to access the local log files. The "obfuscate_literals" option in the query logs does not redact error information, exposing unredacted data in the query log when a customer writes a query that fails. It can allow a user with legitimate access to the local log files to obtain information they are not authorised to see. If this user is also in a position to run queries and trigger errors, this vulnerability can potentially help them to infer information they are not authorised to see through their intended database access. We recommend upgrading to versions 2026.01.3 (or 5.26.21) where the issue is fixed, and reviewing query log files permissions to ensure restricted access. If your configuration had db.logs.query.obfuscate_literal enabled, and you wish the obfuscation to cover the error messages as well, you need to enable the new configuration setting db.logs.query.obfuscate_errors once you have upgraded Neo4j.
  Values Added: Neo4j Enterprise and Community editions versions prior to 2026.01.3 and 5.26.21 are vulnerable to a potential information disclosure by a user who has ability to access the local log files. The "obfuscate_literals" option in the query logs does not redact error information, exposing unredacted data in the query log when a customer writes a query that fails. It can allow a user with legitimate access to the local log files to obtain information they are not authorised to see. If this user is also in a position to run queries and trigger errors, this vulnerability can potentially help them to infer information they are not authorised to see through their intended database access. We recommend upgrading to versions 2026.01.3 (or 5.26.21) where the issue is fixed, and reviewing query log files permissions to ensure restricted access. If your configuration had db.logs.query.obfuscate_literals enabled, and you wish the obfuscation to cover the error messages as well, you need to enable the new configuration setting db.logs.query.obfuscate_errors once you have upgraded Neo4j.

Wed, 04 Feb 2026 09:30:00 +0000

Type: Description
  Values Added: Neo4j Enterprise and Community editions versions prior to 2026.01.3 and 5.26.21 are vulnerable to a potential information disclosure by a user who has ability to access the local log files. The "obfuscate_literals" option in the query logs does not redact error information, exposing unredacted data in the query log when a customer writes a query that fails. It can allow a user with legitimate access to the local log files to obtain information they are not authorised to see. If this user is also in a position to run queries and trigger errors, this vulnerability can potentially help them to infer information they are not authorised to see through their intended database access. We recommend upgrading to versions 2026.01.3 (or 5.26.21) where the issue is fixed, and reviewing query log files permissions to ensure restricted access. If your configuration had db.logs.query.obfuscate_literal enabled, and you wish the obfuscation to cover the error messages as well, you need to enable the new configuration setting db.logs.query.obfuscate_errors once you have upgraded Neo4j.
Type: Title
  Values Added: Unredacted data exposure in query.log
Type: First Time appeared
  Values Added: Neo4j; Neo4j community Edition; Neo4j enterprise Edition
Type: Weaknesses
  Values Added: CWE-532
Type: CPEs
  Values Added: cpe:2.3:a:neo4j:community_edition:*:*:*:*:*:*:*:*; cpe:2.3:a:neo4j:enterprise_edition:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Neo4j; Neo4j community Edition; Neo4j enterprise Edition
Type: References (values updated)
Type: Metrics
  cvssV4_0: added {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/V:D/RE:M'}


MITRE

Status: PUBLISHED

Assigner: Neo4j

Published:

Updated: 2026-02-04T15:12:37.400Z

Reserved: 2026-01-29T14:23:26.871Z

Link: CVE-2026-1622

Vulnrichment

Updated: 2026-02-04T15:12:33.505Z

NVD

Status : Deferred

Published: 2026-02-04T10:16:04.780

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1622

Redhat

Severity : Moderate

Public Date: 2026-02-04T09:14:46Z

Links: CVE-2026-1622 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T14:15:04Z

Weaknesses