CVE-2025-12738
Information Disclosure via Property Enumeration in Neo4j Enterprise
Publication date: 2026-01-22
Last updated on: 2026-01-22
Assigner: Neo4j
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| neo4j | enterprise_edition | 2025 series, to 2025.11.2 (exc) |
| neo4j | enterprise_edition | 5.26 series, to 5.26.17 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Neo4j Enterprise Edition in the 2025 series prior to 2025.11.2 and in the 5.26 series prior to 5.26.17. An authenticated user who has legitimate access to the database, but who has been denied read access to a specific property, can still infer that property's value. The user repeatedly attempts to set the property to candidate values and observes the error messages those attempts produce; the differing responses act as an oracle, so enumerating candidate values reveals data that the property-level read restriction was meant to hide. This is an information-disclosure weakness (CWE-200).
How can this vulnerability impact me?
The vulnerability can lead to unauthorized information disclosure. An attacker holding only limited privileges can recover the values of properties they are not authorized to read by treating the error messages returned on property-set attempts as an oracle. Any sensitive data protected solely by property-level read restrictions in an affected Enterprise deployment should therefore be considered exposed to users who can attempt to write that property.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Neo4j Enterprise Edition to 5.26.17 or later on the 5.26 series, or to 2025.11.2 or later on the 2025 series, where the vulnerability is fixed. Until the upgrade is complete, a reasonable compensating control is to review which roles can write the properties on which read access is denied: the oracle depends on the attacker being able to attempt a set on the property, so withholding write privileges on those properties from roles that are only meant to have restricted read access narrows the attack path.
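The following script is an added example, not code from the advisory or from Neo4j: it decides whether a server is on a release that carries the fix, using the two fixed versions the page names. It assumes that every Enterprise release below 5.26.17 on the 5.x line and below 2025.11.2 on the 2025.x line is unpatched, that Community Edition is out of scope because the page lists only enterprise_edition, and that the version and edition strings come from the `Neo4j Kernel` record of `CALL dbms.components() YIELD name, versions, edition`. The sample record at the bottom is constructed for the example, not captured from a live server.

```python
"""Check whether a Neo4j server is on a release fixed for CVE-2025-12738.

Added example (not from the advisory page). Assumptions, labelled here:
  * Fixed releases are 5.26.17 and 2025.11.2, as the page states; any
    Enterprise release below them on its own line (5.x below 5.26.17,
    2025.x below 2025.11.2) is treated as unpatched.
  * Community Edition is treated as not affected, because the page lists
    only enterprise_edition.
  * Records look like those returned by `CALL dbms.components()`, which
    yields `name`, `versions` (a list) and `edition`; the sample record
    below is constructed for this example, not captured from a server.
"""
import re
from typing import Dict, Iterable, Tuple

FIXED_5X = (5, 26, 17)      # fix on the 5.26 series
FIXED_2025 = (2025, 11, 2)  # fix on the calendar-versioned 2025 series


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '5.26.16', '2025.11.2' or '5.26.16-something' into a comparable
    (major, minor, patch) tuple. Anything after the numeric part is ignored."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Neo4j version string: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def fixed_release_for(version: Tuple[int, int, int]) -> Tuple[int, int, int]:
    """Select the fix line to compare against for this version family."""
    if version[0] >= 2025:  # 2025.x and later calendar versions
        return FIXED_2025
    return FIXED_5X  # 5.x releases


def is_affected(version: str, edition: str) -> bool:
    """True when this is an Enterprise release below the fixed version
    of its family; False for Community Edition or any patched release."""
    if edition.strip().lower() != "enterprise":
        return False
    v = parse_version(version)
    return v < fixed_release_for(v)


def assess_components(records: Iterable[Dict]) -> Dict:
    """Apply is_affected to the 'Neo4j Kernel' record of dbms.components()."""
    for rec in records:
        if rec.get("name") == "Neo4j Kernel":
            version = rec["versions"][0]
            edition = rec["edition"]
            return {
                "version": version,
                "edition": edition,
                "affected": is_affected(version, edition),
            }
    raise ValueError("no 'Neo4j Kernel' record in dbms.components() output")


# Constructed sample of a dbms.components() result (not a real capture).
SAMPLE_COMPONENTS = [
    {"name": "Neo4j Kernel", "versions": ["5.26.16"], "edition": "enterprise"},
]

if __name__ == "__main__":
    cases = [
        ("5.26.16", "enterprise"),
        ("5.26.17", "enterprise"),
        ("2025.10.1", "enterprise"),
        ("2025.11.2", "enterprise"),
        ("2026.01.0", "enterprise"),
        ("5.26.16", "community"),
    ]
    for ver, ed in cases:
        state = "AFFECTED" if is_affected(ver, ed) else "not affected"
        print(f"{ver:<10} {ed:<11} {state}")
    print(assess_components(SAMPLE_COMPONENTS))
```

In practice, feed `assess_components` the records returned by running `CALL dbms.components()` through the official driver; the comparison deliberately stops at the numeric prefix so build suffixes do not break the check.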