Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6Blast Radius
ecosystem impact- 2 pypi packages depend on mcp-neo4j-cypher (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 0.6.0.
DescriptionGitHub Advisory
mcp-neo4j-cypher is an MCP server for executing Cypher queries against Neo4j databases. In versions prior to 0.6.0, the read_only mode enforcement can be bypassed using APOC CALL procedures, potentially allowing unauthorized write operations or server-side request forgery. This issue is fixed in version 0.6.0.
AnalysisAI
mcp-neo4j-cypher before version 0.6.0 allows authenticated users to bypass read-only mode enforcement via APOC CALL procedures, enabling unauthorized write operations and server-side request forgery against Neo4j databases. The vulnerability requires login credentials and attacker preparation (CVSS AT:P), limiting real-world risk to insider threats or compromised accounts with legitimate access to the MCP server.
Technical ContextAI
mcp-neo4j-cypher is a Model Context Protocol (MCP) server that provides Cypher query execution against Neo4j graph databases. The vulnerability stems from incomplete input validation in the read-only mode enforcement logic, which fails to block APOC (Awesome Procedures On Cypher) procedures-Neo4j's procedure framework for extending Cypher functionality. APOC CALL procedures can perform arbitrary operations including database writes and outbound HTTP requests, entirely bypassing the intended read-only restrictions. CWE-284 (Improper Access Control) categorizes this as an authorization bypass where the security control (read-only enforcement) does not properly restrict the scope of operations available to authenticated users. The CPE identifier cpe:2.3:a:neo4j-contrib:mcp-neo4j:*:*:*:*:*:*:*:* covers all versions of the mcp-neo4j package.
RemediationAI
Upgrade mcp-neo4j-cypher to version 0.6.0 or later, which patches the read-only mode enforcement to properly filter APOC CALL procedures. The patched version is available at https://github.com/neo4j-contrib/mcp-neo4j/releases/tag/mcp-neo4j-cypher-v0.6.0. As an immediate mitigation for users unable to upgrade promptly, disable or restrict APOC procedure execution in the Neo4j database configuration by setting apoc.enabled=false in neo4j.conf, though this will break any legitimate APOC-dependent functionality and should only be a temporary measure. Additionally, restrict network access to the mcp-neo4j-cypher server to trusted IP ranges and ensure strong authentication controls are in place for all accounts granted access to the MCP server. Monitor for suspicious APOC CALL procedure invocations in Neo4j query logs (queries containing 'CALL apoc.') issued from mcp-neo4j clients as a detection control.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23518
GHSA-x3cv-r3g3-fpg9