Skip to main content

Mcp Neo4J CVE-2026-35402

| EUVDEUVD-2026-23518 LOW
Improper Access Control (CWE-284)
2026-04-17 GitHub_M GHSA-x3cv-r3g3-fpg9
2.3
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Patch released
Apr 29, 2026 - 21:04 nvd
Patch available
Analysis Generated
Apr 17, 2026 - 23:48 vuln.today
Patch available
Apr 17, 2026 - 21:16 EUVD
EUVD ID Assigned
Apr 17, 2026 - 20:45 euvd
EUVD-2026-23518
Analysis Generated
Apr 17, 2026 - 20:45 vuln.today
CVE Published
Apr 17, 2026 - 20:34 nvd
LOW 2.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 pypi packages depend on mcp-neo4j-cypher (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.6.0.

DescriptionGitHub Advisory

mcp-neo4j-cypher is an MCP server for executing Cypher queries against Neo4j databases. In versions prior to 0.6.0, the read_only mode enforcement can be bypassed using APOC CALL procedures, potentially allowing unauthorized write operations or server-side request forgery. This issue is fixed in version 0.6.0.

AnalysisAI

mcp-neo4j-cypher before version 0.6.0 allows authenticated users to bypass read-only mode enforcement via APOC CALL procedures, enabling unauthorized write operations and server-side request forgery against Neo4j databases. The vulnerability requires login credentials and attacker preparation (CVSS AT:P), limiting real-world risk to insider threats or compromised accounts with legitimate access to the MCP server.

Technical ContextAI

mcp-neo4j-cypher is a Model Context Protocol (MCP) server that provides Cypher query execution against Neo4j graph databases. The vulnerability stems from incomplete input validation in the read-only mode enforcement logic, which fails to block APOC (Awesome Procedures On Cypher) procedures-Neo4j's procedure framework for extending Cypher functionality. APOC CALL procedures can perform arbitrary operations including database writes and outbound HTTP requests, entirely bypassing the intended read-only restrictions. CWE-284 (Improper Access Control) categorizes this as an authorization bypass where the security control (read-only enforcement) does not properly restrict the scope of operations available to authenticated users. The CPE identifier cpe:2.3:a:neo4j-contrib:mcp-neo4j:*:*:*:*:*:*:*:* covers all versions of the mcp-neo4j package.

RemediationAI

Upgrade mcp-neo4j-cypher to version 0.6.0 or later, which patches the read-only mode enforcement to properly filter APOC CALL procedures. The patched version is available at https://github.com/neo4j-contrib/mcp-neo4j/releases/tag/mcp-neo4j-cypher-v0.6.0. As an immediate mitigation for users unable to upgrade promptly, disable or restrict APOC procedure execution in the Neo4j database configuration by setting apoc.enabled=false in neo4j.conf, though this will break any legitimate APOC-dependent functionality and should only be a temporary measure. Additionally, restrict network access to the mcp-neo4j-cypher server to trusted IP ranges and ensure strong authentication controls are in place for all accounts granted access to the MCP server. Monitor for suspicious APOC CALL procedure invocations in Neo4j query logs (queries containing 'CALL apoc.') issued from mcp-neo4j clients as a detection control.

Share

CVE-2026-35402 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy