CVE-2026-1337
Cross-Site Scripting in Neo4j Query Logs via Unicode Escaping
Publication date: 2026-02-06
Last updated on: 2026-02-24
Assigner: Neo4j
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| neo4j | neo4j | up to 2026.01 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-117 | The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1337 is a log injection vulnerability in Neo4j Enterprise and Community editions prior to version 2026.01. It occurs because Neo4j does not properly escape control characters in the metadata field of a Bolt transaction when logging queries in a non-JSON format.
An authenticated user can exploit this by injecting control characters, such as newline characters, into the transaction metadata. This causes the creation of fake log entries in the query log file that appear legitimate but correspond to queries that were never actually executed.
Additionally, this vulnerability can be used to inject malicious content like Cross-Site Scripting (XSS) payloads in web-based log viewers or ANSI escape sequences that could affect terminal-based log interactions.
How can this vulnerability impact me?
This vulnerability allows an authenticated attacker to inject forged and misleading log entries into Neo4j's query logs. These fake entries can confuse administrators or automated systems that rely on logs for auditing or troubleshooting.
If logs are viewed in tools that interpret them as HTML, the injected content can lead to Cross-Site Scripting (XSS) attacks, potentially compromising the security of the log viewer environment.
While there is no direct security impact on Neo4j products themselves, the integrity and trustworthiness of log data can be compromised, which may affect incident response and forensic investigations. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the Neo4j query log files (typically query.log) for suspicious or forged log entries that do not correspond to actual executed queries.
Look for log entries containing unexpected newline characters or injected queries that appear out of context.
A practical approach is to search the query.log for suspicious patterns using commands like:
- `grep -nvP '^\d{4}-\d{2}-\d{2} ' query.log` # lines that do not begin with a timestamp, i.e. fragments left behind by an injected newline (grep reads one line at a time, so it cannot match the newline character itself)
- `grep 'MATCH (n:FakeQuery' query.log` # to find known injected fake queries
Additionally, reviewing logs for unexpected or malformed entries that could indicate log injection attempts is recommended. [1]
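The following is an added example, not code from the advisory or from Neo4j: it shows the CWE-117 neutralization a logger should apply to metadata values (control characters rewritten as Unicode escapes) next to a scanner that flags the traces an injected line break, ANSI sequence or HTML tag leaves in a plain-text query.log. The record layout and the field names in the constructed sample are assumptions; only the leading timestamp is relied on.

```python
import re

# Assumption: plain-text (non-JSON) query.log records start with a timestamp
# such as "2026-02-06 10:00:00.000+0000"; the rest of the layout is approximate.
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{4} ")
ANSI_RE = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")      # CSI sequences like ESC[2K
HTML_TAG_RE = re.compile(r"</?[A-Za-z][^>]*>")           # <script>, </b>, ...
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")              # C0 controls and DEL


def neutralize(value: str) -> str:
    """CWE-117 style neutralization of a metadata value before it is logged:
    every control character becomes a \\uXXXX escape, so the value can neither
    start a new record nor emit a terminal escape. Illustrative, not Neo4j's patch."""
    return CONTROL_RE.sub(lambda m: "\\u%04x" % ord(m.group()), value)


def scan_query_log(text: str) -> list[tuple[int, str]]:
    """Flag lines showing the side effects of an injected line break, an ANSI
    sequence or HTML markup. A forged record itself can look normal; what gives
    it away is the truncated record before it and the orphaned fragment after it."""
    findings = []
    for lineno, line in enumerate(text.split("\n"), 1):
        if not line:
            continue
        if not TIMESTAMP_RE.match(line):
            findings.append((lineno, "no timestamp prefix: fragment after an injected line break"))
        if line.count("{") != line.count("}"):
            findings.append((lineno, "unbalanced metadata braces: record cut by a line break"))
        if ANSI_RE.search(line):
            findings.append((lineno, "ANSI escape sequence in record"))
        if HTML_TAG_RE.search(line):
            findings.append((lineno, "HTML tag in record (XSS risk in web log viewers)"))
    return findings


# Constructed sample: line 2 is a genuine record whose metadata carried a newline,
# line 3 is the forged record that newline created, line 4 is the orphaned tail of
# line 2, and line 5 carries an ANSI sequence and an HTML tag in its metadata.
SAMPLE_LOG = "\n".join([
    "2026-02-06 10:00:00.000+0000 INFO 42 ms: client/10.0.0.5:5123 - neo4j - MATCH (n) RETURN n - {app: 'billing'} - runtime=pipelined",
    "2026-02-06 10:00:01.000+0000 INFO 1 ms: client/10.0.0.5:5123 - neo4j - RETURN 1 - {app: '",
    "2026-02-06 10:00:02.000+0000 INFO 3 ms: client/10.0.0.5:5123 - neo4j - MATCH (n:FakeQuery) RETURN n - {} - runtime=pipelined",
    "'} - runtime=pipelined",
    "2026-02-06 10:00:03.000+0000 INFO 2 ms: client/10.0.0.5:5123 - neo4j - RETURN 2 - {app: '\x1b[2K<script>x</script>'} - runtime=pipelined",
])

if __name__ == "__main__":
    for lineno, reason in scan_query_log(SAMPLE_LOG):
        print(f"line {lineno}: {reason}")
```

Note that the forged line 3 is not flagged on its own; the scanner works by finding the damage around it, which is why correlating flagged lines with neighbouring records matters during triage.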
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, treat Neo4j query logs as plain text and avoid opening them in tools that interpret logs as HTML or execute embedded scripts.
Ensure that Neo4j is updated to version 2026.01 or later, where this issue is resolved.
Restrict authenticated user permissions to prevent unauthorized injection of control characters into transaction metadata.
Monitor logs regularly for suspicious entries and consider sanitizing or filtering log content before viewing in web-based or terminal-based tools.