Executive Summary

CVE-2026-1337 is a log injection vulnerability in Neo4j Enterprise and Community editions prior to version 2026.01. It occurs because Neo4j does not properly escape control characters in the metadata field of a Bolt transaction when logging queries in a non-JSON format.

An authenticated user can exploit this by injecting control characters, such as newline characters, into the transaction metadata. This causes the creation of fake log entries in the query log file that appear legitimate but correspond to queries that were never actually executed.

Additionally, this vulnerability can be used to inject malicious content like Cross-Site Scripting (XSS) payloads in web-based log viewers or ANSI escape sequences that could affect terminal-based log interactions.

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability allows an authenticated attacker to inject forged and misleading log entries into Neo4j's query logs. These fake entries can confuse administrators or automated systems that rely on logs for auditing or troubleshooting."}, {'type': 'paragraph', 'content': 'If logs are viewed in tools that interpret them as HTML, the injected content can lead to Cross-Site Scripting (XSS) attacks, potentially compromising the security of the log viewer environment.'}, {'type': 'paragraph', 'content': 'While there is no direct security impact on Neo4j products themselves, the integrity and trustworthiness of log data can be compromised, which may affect incident response and forensic investigations.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by inspecting the Neo4j query log files (typically query.log) for suspicious or forged log entries that do not correspond to actual executed queries.'}, {'type': 'paragraph', 'content': 'Look for log entries containing unexpected newline characters or injected queries that appear out of context.'}, {'type': 'paragraph', 'content': 'A practical approach is to search the query.log for suspicious patterns using commands like:'}, {'type': 'list_item', 'content': "grep -P '\\n' query.log # To find entries with newline characters"}, {'type': 'list_item', 'content': "grep 'MATCH (n:FakeQuery' query.log # To find known injected fake queries"}, {'type': 'paragraph', 'content': 'Additionally, reviewing logs for unexpected or malformed entries that could indicate log injection attempts is recommended.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, treat Neo4j query logs as plain text and avoid opening them in tools that interpret logs as HTML or execute embedded scripts.

Ensure that Neo4j is updated to version 2026.01 or later, where this issue is resolved.

Restrict authenticated user permissions to prevent unauthorized injection of control characters into transaction metadata.

Monitor logs regularly for suspicious entries and consider sanitizing or filtering log content before viewing in web-based or terminal-based tools.

Useful 0 Not Useful 0