CVE-2026-1337
📋 TL;DR
This vulnerability allows cross-site scripting (XSS) attacks when Neo4j query logs containing insufficiently escaped unicode characters are opened in tools that interpret them as HTML. It affects Neo4j Enterprise and Community editions prior to version 2026.01. The vulnerability only impacts log viewing, not the Neo4j database itself.
💻 Affected Systems
- Neo4j Enterprise
- Neo4j Community
📦 What is this software?
Neo4j by Neo4j
⚠️ Risk & Real-World Impact
Worst Case
An attacker could execute arbitrary JavaScript in the context of a user viewing Neo4j logs in a web-based log viewer, potentially leading to session hijacking, credential theft, or further system compromise.
Likely Case
Limited impact since most administrators view logs in plain text editors or command-line tools rather than HTML-rendering applications.
If Mitigated
No security impact if logs are treated as plain text files or if patched versions are used.
🎯 Exploit Status
Exploitation requires the ability to inject unicode characters into query logs and a victim who views those logs in an HTML-rendering tool.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2026.01
Vendor Advisory: https://github.com/JoakimBulow/CVE-2026-1337
Restart Required: Yes
Instructions:
1. Backup your Neo4j database and configuration.
2. Download Neo4j version 2026.01 or later from the official Neo4j website.
3. Stop the Neo4j service.
4. Install the updated version following Neo4j's upgrade documentation.
5. Restart the Neo4j service.
🔧 Temporary Workarounds
Treat logs as plain text
Always open Neo4j query logs in plain text editors or command-line viewers that don't interpret HTML.
Use commands such as 'cat', 'less', 'more', or 'tail -f' for log viewing.
Restrict log access
Limit access to Neo4j log files to trusted administrators only.
chmod 600 neo4j.log
chown neo4j:neo4j neo4j.log
🧯 If You Can't Patch
- Implement strict access controls on Neo4j log directories and files
- Train administrators to only view logs in plain text editors, never in web browsers or HTML-rendering tools
🔍 How to Verify
Check if Vulnerable:
Check Neo4j version: if version is earlier than 2026.01, the system is vulnerable.
Check Version:
neo4j version
Verify Fix Applied:
Confirm Neo4j version is 2026.01 or later and test log viewing with sample unicode queries.
📡 Detection & Monitoring
Log Indicators:
- Unusual unicode sequences in query logs
- JavaScript-like patterns in log entries
Network Indicators:
- No network-based indicators as this is a local log viewing vulnerability
SIEM Query:
No applicable SIEM query for this local file vulnerability
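A local check for the log indicators listed above, added here as an example and not part of the original advisory or of Neo4j's tooling. It assumes the indicators worth flagging are literal HTML tags, JavaScript-like tokens, '<' / '>' written as JSON unicode escapes or HTML numeric entities, and non-ASCII characters that NFKC-normalise to '<' or '>' (such as fullwidth U+FF1C / U+FF1E); the sample log lines are constructed.

```python
import re
import unicodedata

# Constructed sample in the shape of Neo4j query.log lines (not real log data).
# Raw string so the '\u003c' stays a literal escape, as it would on disk.
SAMPLE_LOG = r"""2026-01-10 09:12:01.123+0000 INFO  12 ms: bolt-session neo4j - MATCH (n:Person) RETURN n.name
2026-01-10 09:12:05.456+0000 INFO  7 ms: bolt-session neo4j - MATCH (n) WHERE n.bio = '<b onmouseover=x()>hi</b>' RETURN n
2026-01-10 09:12:09.789+0000 INFO  5 ms: bolt-session neo4j - RETURN '\u003cscript\u003e'
2026-01-10 09:12:12.000+0000 INFO  9 ms: bolt-session neo4j - RETURN '＜script＞x()＜/script＞'
2026-01-10 09:12:15.000+0000 INFO  3 ms: bolt-session neo4j - MATCH (p:Person {name: 'Zoë'}) RETURN p
"""

# Heuristics (assumed indicators): a literal HTML tag; JavaScript-like tokens
# (javascript: URLs, <script, an on*= handler inside a tag); '<' / '>' as a
# JSON unicode escape or as a hex / decimal HTML entity.
HTML_TAG = re.compile(r"<\s*/?\s*[a-zA-Z][^<>]*>")
JS_LIKE = re.compile(r"(?i)javascript:|<\s*script\b|<[^<>]*\son[a-z]+\s*=")
ENCODED_ANGLE = re.compile(r"(?i)\\u00(?:3c|3e)|&#x0*(?:3c|3e);|&#0*(?:60|62);")


def homoglyph_angles(line: str) -> list[str]:
    """Non-ASCII characters whose NFKC form is '<' or '>' (e.g. fullwidth U+FF1C)."""
    return [ch for ch in line
            if ord(ch) > 0x7F and unicodedata.normalize("NFKC", ch) in ("<", ">")]


def scan_line(line: str) -> list[str]:
    """Return the indicator names found in one log line (empty list if clean)."""
    hits = []
    if homoglyph_angles(line):
        hits.append("unicode_angle")
    # Fold compatibility characters first so a tag built from fullwidth
    # brackets is matched by the same patterns as an ASCII one.
    folded = unicodedata.normalize("NFKC", line)
    if HTML_TAG.search(folded):
        hits.append("html_tag")
    if JS_LIKE.search(folded):
        hits.append("js_like")
    if ENCODED_ANGLE.search(line):
        hits.append("encoded_angle")
    return hits


def scan_log(text: str) -> list[tuple[int, list[str]]]:
    """Return (line number, indicators) for every line with at least one hit."""
    # Heuristic only: Cypher comparisons between identifiers ('a < b AND c > d')
    # can also match HTML_TAG, so review flagged lines rather than acting blindly.
    return [(n, hits) for n, line in enumerate(text.splitlines(), start=1)
            if (hits := scan_line(line))]
```

Run it over a real query.log with `scan_log(open(path, encoding="utf-8").read())`; the legitimate non-ASCII name on the last sample line is deliberately left unflagged.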