EXECUTIVE SUMMARY:
CVE-2026-1622 is a moderate severity information disclosure vulnerability in the Neo4j database software. It affects Neo4j Enterprise and Community editions in versions earlier than 5.26.21 and in versions from 2025.01.0 up to but not including 2026.01.3. The vulnerability occurs when the query logging feature's obfuscate_literals setting fails to redact sensitive error details, so unredacted data can be written to local log files. A user who already has access to these log files could therefore read information they are not authorized to view. If such a user can also trigger query errors, they may be able to infer information beyond what their normal database access would allow. The advisory notes that the weakness stems from how log data is handled and suggests reviewing log access controls to limit exposure. The vulnerability has an overall CVSS score of 4.8, reflecting a moderate impact that requires local access and primarily affects confidentiality.
RECOMMENDATION:
We strongly recommend that you update Neo4j to version 5.26.21 or 2026.01.3.
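As an added triage helper (not part of the advisory or of Neo4j itself), the code below checks a Neo4j version string against the affected ranges stated above and names the fixed release on the same line. It assumes the version is in the form Neo4j reports, e.g. 5.26.20 or 2025.12.1, optionally prefixed with "neo4j " or followed by a suffix such as "-enterprise".

```python
import re
from typing import Optional, Tuple

# Ranges as stated in the advisory: affected if version < 5.26.21, or if
# 2025.01.0 <= version < 2026.01.3. Fixed releases: 5.26.21 and 2026.01.3.
FIXED_5X = (5, 26, 21)
FIRST_CALVER = (2025, 1, 0)
FIXED_CALVER = (2026, 1, 3)

# Optional "neo4j " prefix, three numeric components, optional -/+ suffix.
_VERSION_RE = re.compile(
    r"^(?:neo4j\s+)?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$", re.IGNORECASE
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse '5.26.20', 'neo4j 2025.12.1' or '5.26.0-enterprise' into an int tuple.

    Both the 5.x.y scheme and the YYYY.MM.patch calendar scheme compare
    correctly as integer tuples, so one comparison handles both lines.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Neo4j version string: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(version: str) -> bool:
    """True if the version falls in a range the advisory lists as affected.

    This follows the advisory's wording literally: anything below 5.26.21
    (older 4.x installs included) is flagged, as is every calendar
    release from 2025.01.0 up to but not including 2026.01.3.
    """
    v = parse_version(version)
    return v < FIXED_5X or FIRST_CALVER <= v < FIXED_CALVER


def recommended_fix(version: str) -> Optional[str]:
    """Return the fixed release on the same line, or None if not affected."""
    if not is_affected(version):
        return None
    return "5.26.21" if parse_version(version) < FIRST_CALVER else "2026.01.3"


if __name__ == "__main__":
    # Constructed sample inputs, in the shape `neo4j --version` might print.
    for sample in ("5.26.20", "neo4j 5.26.21", "2025.12.1", "2026.01.3"):
        print(f"{sample:>14}: affected={is_affected(sample)} fix={recommended_fix(sample)}")
```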
REFERENCES:
The following reports contain further technical details: