CVE-2026-1622
📋 TL;DR
Neo4j query logs fail to redact error information when db.logs.query.obfuscate_literals is enabled, so query literals that the setting is meant to hide can reach query.log inside logged error text. Exploitation needs a user who can both run queries (to provoke errors) and read the local log files. Organizations running unpatched Neo4j Enterprise or Community editions with this setting enabled are affected.
💻 Affected Systems
- Neo4j Enterprise
- Neo4j Community
⚠️ Manual Verification Required
This CVE does not have affected-version ranges in our database, so automatic vulnerability detection cannot determine whether your system is affected.
Why? The CVE database entry lists no affected version ranges (none were provided by the vendor/NVD). The advisory does name the fixed releases, 2026.01.3 and 5.26.21, so treat earlier releases on those lines as potentially affected until you have verified your version and configuration.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
A user who can run queries and read query.log recovers sensitive values (credentials, personal data, or lookup keys passed as query literals) that db.logs.query.obfuscate_literals was supposed to redact, by provoking errors whose logged text includes them.
Likely Case
A user with both query execution and log file access pieces together limited unauthorized information over time by repeatedly triggering errors and reading the resulting log entries.
If Mitigated
With log file access restricted to the service account and administrators, the fix applied, and db.logs.query.obfuscate_errors enabled, error text is redacted like the rest of the query and this disclosure path is closed.
🎯 Exploit Status
Exploitation requires all of: 1) read access to the local log files, 2) the ability to execute queries that trigger errors, 3) db.logs.query.obfuscate_literals enabled in configuration (without it nothing is redacted, so there is no redaction to bypass). This is an information disclosure issue with a local prerequisite, not remote code execution.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2026.01.3 or 5.26.21
Vendor Advisory: https://neo4j.com/security/CVE-2026-1622
Restart Required: Yes
Instructions:
1. Download Neo4j 2026.01.3 (2026.x line) or 5.26.21 (5.x line) from the official Neo4j website.
2. Stop the Neo4j service.
3. Back up the current installation and data.
4. Install the patched version.
5. Set db.logs.query.obfuscate_errors=true in neo4j.conf if error text should be obfuscated alongside literals; the patch adds the setting, and the vendor instructions treat it as opt-in, so set it explicitly.
6. Restart the Neo4j service.
🔧 Temporary Workarounds
Restrict Log File Permissions
Linux: limit read access to the Neo4j log directory and files to the neo4j service account and the administrators who need them. Apply the same mode to rotated copies (query.log.1 and so on) and to the directory itself, or the restriction is incomplete.
chmod 640 /path/to/neo4j/logs/*.log
chown neo4j:admin /path/to/neo4j/logs/*.log
Here admin stands for whatever group your administrators belong to.
Disable Query Log Obfuscation
All platforms: disabling db.logs.query.obfuscate_literals removes the false sense of redaction but does not reduce exposure: every literal is then written to query.log in clear, not only those that surface in error text. Use it only together with the log-permission restriction above; if query logging is not needed at all, turning it off (db.logs.query.enabled=OFF) removes the channel entirely.
Set db.logs.query.obfuscate_literals=false in neo4j.conf
🧯 If You Can't Patch
- Implement strict access controls on Neo4j log directories and files
- Treat db.logs.query.obfuscate_literals=true as non-redacting for error entries until patched; disabling it does not reduce what reaches the log, so rely on access control, and turn query logging off where it is not needed
🔍 How to Verify
Check if Vulnerable:
Check Neo4j version and configuration:
1. Run neo4j --version.
2. A 2026.x release below 2026.01.3, or a 5.x release below 5.26.21, is unpatched.
3. Check whether neo4j.conf sets db.logs.query.obfuscate_literals=true; if it does, the redaction bypass applies to you.
Check Version:
neo4j --version
Verify Fix Applied:
1. Confirm via neo4j --version that the release is 2026.01.3 or later on the 2026.x line, or 5.26.21 or later on the 5.x line.
2. Confirm db.logs.query.obfuscate_errors=true in neo4j.conf if error text should be obfuscated.
3. Run a query that contains a recognisable string literal and deliberately fails (for example with a syntax error), then read query.log: the literal must not appear in the logged error text.
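The version and configuration check above, as an added Python example (not code from this page or from Neo4j). It takes a `neo4j --version` string and the text of neo4j.conf, uses the fixed releases named above (2026.01.3 and 5.26.21), and assumes that every earlier release on the same line is unpatched, which the page implies but does not state; the sample configurations are constructed.

```python
"""Assess a Neo4j install for CVE-2026-1622 from its version string and neo4j.conf.

Added example; not Neo4j's own tooling. Fixed releases come from the advisory;
the assumption that every earlier release on the same line is unpatched is ours.
"""
import re

# Fixed release per line: 2026.x -> 2026.01.3, 5.x -> 5.26.21 (from the advisory).
FIXED = {2026: (2026, 1, 3), 5: (5, 26, 21)}

# Constructed sample configurations (not taken from a real deployment).
CONF_LITERALS_ONLY = """\
# neo4j.conf excerpt
server.default_listen_address=0.0.0.0
db.logs.query.enabled=INFO
db.logs.query.obfuscate_literals=true
"""
CONF_WITH_ERROR_OBFUSCATION = CONF_LITERALS_ONLY + "db.logs.query.obfuscate_errors=true\n"


def parse_version(text):
    """Extract (major, minor, patch) from output such as 'neo4j 5.26.20' or '2026.01.3'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def version_is_fixed(text):
    """True if at/after the fixed release on its line, False if before, None if the
    line (e.g. 4.x) is not named in the advisory and must be checked by hand."""
    version = parse_version(text)
    fixed = FIXED.get(version[0])
    if fixed is None:
        return None
    return version >= fixed


def parse_conf(text):
    """Minimal neo4j.conf reader: key=value per line, '#' comments, last value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def setting_is_true(settings, key):
    return settings.get(key, "").lower() == "true"


def assess(version_text, conf_text):
    """Return (status, explanation) for this version/configuration pair."""
    settings = parse_conf(conf_text)
    literals = setting_is_true(settings, "db.logs.query.obfuscate_literals")
    errors = setting_is_true(settings, "db.logs.query.obfuscate_errors")
    fixed = version_is_fixed(version_text)

    if not literals:
        return ("not-applicable",
                "obfuscate_literals is off: nothing is redacted, so the bypass does not apply "
                "(literals still reach query.log in clear; restrict log access)")
    if fixed is None:
        return ("unknown", "release line not named in the advisory; check the vendor advisory")
    if not fixed:
        return ("vulnerable",
                "unpatched release with obfuscate_literals=true: error text is logged unredacted")
    if not errors:
        return ("patched-unconfigured",
                "patched, but db.logs.query.obfuscate_errors is not enabled")
    return ("mitigated", "patched and db.logs.query.obfuscate_errors=true")


if __name__ == "__main__":
    for version in ("neo4j 5.26.20", "neo4j 5.26.21", "neo4j 2026.01.2", "neo4j 2026.01.3"):
        for conf in (CONF_LITERALS_ONLY, CONF_WITH_ERROR_OBFUSCATION):
            print(version, assess(version, conf))
```

Feed it the real output of `neo4j --version` and the contents of your neo4j.conf; a release line other than 5.x or 2026.x comes back as `unknown` rather than being guessed at.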
📡 Detection & Monitoring
Log Indicators:
- Error entries in query.log that still contain quoted string literals or other literal values while db.logs.query.obfuscate_literals=true
- Sensitive values supplied as query literals (credentials, personal data) appearing in logged error text or stack traces
Network Indicators:
- No network indicators - this is a local file system vulnerability
SIEM Query:
No network SIEM query applies. Collect file-access audit events (for example with auditd on Linux) for the Neo4j log directory and alert on reads of query.log by accounts other than the service account and designated administrators; also watch for bursts of failed queries from a single user, which is what probing through deliberate errors looks like.
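The log indicator above, as an added Python example (not code from this page or from Neo4j): it scans query.log lines for error entries that still contain quoted string literals, which is exactly what db.logs.query.obfuscate_literals is supposed to prevent. The sample lines are constructed and only approximate Neo4j's log layout; the heuristic treats any line with an ERROR level or a Neo.*Error status code as an error entry.

```python
"""Scan query.log entries for string literals surviving in logged error text.

Added example; not Neo4j's own tooling. The sample lines are constructed to show
the shape of the check and are not Neo4j's exact query.log format.
"""
import re

# Cypher string literals: single- or double-quoted, backslash escapes allowed.
STRING_LITERAL = re.compile(r"'((?:[^'\\]|\\.)*)'|\"((?:[^\"\\]|\\.)*)\"")
# An entry is treated as an error entry if it carries an ERROR level or a
# Neo4j-style status code such as Neo.ClientError.Statement.SyntaxError.
ERROR_MARKER = re.compile(r"\bERROR\b|\bNeo\.\w+Error\.")

# Constructed sample (not real log output). Line 2 shows the failure mode: the
# query text is obfuscated (******) but the logged error text still quotes the value.
SAMPLE_LOG = """\
2026-02-10 09:12:01.004+0000 INFO  id:41 - 3 ms: bolt-session neo4j - MATCH (u:User {email: ******}) RETURN u - {}
2026-02-10 09:12:05.118+0000 ERROR id:42 - 0 ms: bolt-session neo4j - MATCH (u:User {email: ******}) RETURN u.( - {} - Neo.ClientError.Statement.SyntaxError: Invalid input '(': expected an identifier (after 'alice@example.com')
2026-02-10 09:12:07.300+0000 INFO  id:43 - 2 ms: bolt-session neo4j - RETURN 1 - {}
"""


def literals_in(line, min_len=2):
    """Quoted literal contents in a line, skipping one-character tokens such as '('
    that error messages quote routinely and that are not data."""
    found = []
    for single, double in STRING_LITERAL.findall(line):
        value = single if single else double
        if len(value) >= min_len:
            found.append(value)
    return found


def find_unredacted(lines, min_len=2):
    """Return (line_number, [literal, ...]) for every error entry that still
    carries a quoted literal despite obfuscation being expected."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if not ERROR_MARKER.search(line):
            continue
        values = literals_in(line, min_len)
        if values:
            hits.append((number, values))
    return hits


if __name__ == "__main__":
    for number, values in find_unredacted(SAMPLE_LOG.splitlines()):
        print(f"line {number}: unredacted literal(s) in error entry: {values}")
```

Expect some false positives: error messages also quote identifiers such as unknown function or property names, so review hits rather than alerting on them blindly, and run the scan over rotated copies of query.log as well as the live file.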