Description
mcp-neo4j-cypher is an MCP server for executing Cypher queries against Neo4j databases. In versions prior to 0.6.0, the read_only mode enforcement can be bypassed using APOC CALL procedures, potentially allowing unauthorized write operations or server-side request forgery. This issue is fixed in version 0.6.0.
Published: 2026-04-17
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data modification and SSRF
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in mcp-neo4j-cypher, an MCP server that executes Cypher queries for Neo4j databases. In versions prior to 0.6.0 the enforcement of read-only mode can be bypassed by issuing APOC CALL procedures, which facilitates unauthorized write operations or server-side request forgery. This reflects an access-control weakness (CWE-284) and enables an attacker to modify database content or force remote requests from the server.

Affected Systems

The affected product is the neo4j-contrib mcp-neo4j MCP server, all releases earlier than version 0.6.0.

Risk and Exploitability

The CVSS score of 2.3 indicates a low severity impact under the current conditions. The EPSS score is not reported and the vulnerability is not listed in the CISA KEV catalog. Exploitation would require access to the MCP server interface, typically through an exposed API or an authenticated user with permissions to execute Cypher queries. Based on the description, it is inferred that the attacker would need to send Cypher queries through the MCP server API, which is often exposed on an internal or public network. While the attack cannot be achieved remotely without such access, the presence of SSRF implies that once the read-only bypass is achieved, the attacker can cause the server to request arbitrary URLs, potentially exfiltrating data or further compromising the network.

Generated by OpenCVE AI on April 18, 2026 at 08:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the mcp-neo4j-cypher package to version 0.6.0 or later, which removes the read-only bypass.
  • Restrict access to the MCP server endpoint or limit the set of users who can execute Cypher queries, thereby reducing the opportunity to invoke the APOC CALL procedures.
  • Review and apply firewall rules or network segmentation to isolate the MCP server from untrusted networks, mitigating the SSRF risk if a bypass occurs.
  • Monitor Cypher query logs for anomalous APOC CALL activity and review audit trails for unauthorized data modifications.
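The last recommendation above, monitoring query logs for APOC CALL activity, can be turned into a simple triage filter. The following is an added example written for this page, not code from the mcp-neo4j project or from OpenCVE. It assumes a hypothetical plain-text query log in the form "<timestamp> <user> <cypher>" (the sample lines are constructed, not real Neo4j logs) and flags two things a reviewer would want to see from a deployment that is supposed to be read-only: any CALL of an apoc.* procedure, and any explicit write clause that reached the database at all.

```python
import re
from dataclasses import dataclass

# Constructed sample of a hypothetical query log; format is "<timestamp> <user> <cypher>".
SAMPLE_LOG = """\
2026-04-17T21:10:01Z analyst MATCH (n:Person) RETURN n.name LIMIT 10
2026-04-17T21:10:05Z analyst CALL db.labels() YIELD label RETURN label
2026-04-17T21:10:09Z analyst CALL apoc.help('text') YIELD name RETURN name
2026-04-17T21:10:12Z analyst CREATE (p:Person {name: 'x'}) RETURN p
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<query>.+)$")

# In a read-only deployment every APOC procedure call is worth a second look,
# regardless of which procedure it is, because the advisory describes CALL as
# the path around the read_only check.
APOC_CALL = re.compile(r"\bCALL\s+apoc\.[\w.]+", re.IGNORECASE)

# Explicit write clauses should never appear in a read-only session's log.
WRITE_CLAUSE = re.compile(r"\b(CREATE|MERGE|SET|DELETE|REMOVE|DROP)\b", re.IGNORECASE)


@dataclass
class Finding:
    ts: str
    user: str
    reason: str
    query: str


def scan_query_log(text: str) -> list[Finding]:
    """Return one Finding per (line, reason) for lines that merit review."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        query = m["query"]
        if APOC_CALL.search(query):
            findings.append(Finding(m["ts"], m["user"], "apoc-call", query))
        if WRITE_CLAUSE.search(query):
            findings.append(Finding(m["ts"], m["user"], "write-clause", query))
    return findings


if __name__ == "__main__":
    for f in scan_query_log(SAMPLE_LOG):
        print(f"{f.ts} {f.user} [{f.reason}] {f.query}")
```

The filter is deliberately coarse: a CALL to a built-in procedure such as db.labels() is not flagged, while any apoc.* call is, so that a human decides which APOC usage is legitimate for that deployment. Keyword matching can also misfire on strings that contain words like SET, so treat the output as a review queue, not a verdict; the actual fix is the upgrade to 0.6.0.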


Tracking


Advisories
Source        ID                    Title
Github GHSA   GHSA-x3cv-r3g3-fpg9   Neo4j Labs MCP Servers: SSRF and Data Modification via read_only Mode Bypass Through CALL Procedures
History

Fri, 17 Apr 2026 21:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Neo4j-contrib
                                       Neo4j-contrib mcp-neo4j
Vendors & Products                     Neo4j-contrib
                                       Neo4j-contrib mcp-neo4j

Fri, 17 Apr 2026 20:45:00 +0000

Type          Values Removed   Values Added
Description                    mcp-neo4j-cypher is an MCP server for executing Cypher queries against Neo4j databases. In versions prior to 0.6.0, the read_only mode enforcement can be bypassed using APOC CALL procedures, potentially allowing unauthorized write operations or server-side request forgery. This issue is fixed in version 0.6.0.
Title                          mcp-neo4j-cypher: SSRF and Data Modification via read_only Mode Bypass Through CALL Procedures
Weaknesses                     CWE-284
References
Metrics                        cvssV4_0
                               {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-17T20:34:06.510Z

Reserved: 2026-04-02T17:03:42.074Z

Link: CVE-2026-35402

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-17T21:16:33.170

Modified: 2026-04-17T21:16:33.170

Link: CVE-2026-35402

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:00:05Z

Weaknesses