CVE-2026-1622
Information Disclosure via Unredacted Query Logs in Neo4j
Publication date: 2026-02-04
Last updated on: 2026-02-04
Assigner: Neo4j
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| neo4j | neo4j | up to 2026.01.3 (exclusive) |
| neo4j | neo4j | up to 5.26.21 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-532 | The product writes sensitive information to a log file. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Neo4j Enterprise and Community editions prior to versions 2026.01.3 and 5.26.21. It involves the query log feature where the "obfuscate_literals" option does not redact error information. As a result, unredacted data can appear in the query logs when a query fails.
A user who has legitimate access to the local log files can potentially see information they are not authorized to view. If this user can also run queries that trigger errors, they might infer sensitive information through these error messages.
The issue is fixed in versions 2026.01.3 and 5.26.21, and there is a new configuration setting "db.logs.query.obfuscate_errors" to ensure error messages are also obfuscated.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized information disclosure. A user with access to local log files might obtain sensitive data that should be protected.
If such a user can run queries that cause errors, they could exploit the unredacted error messages in the logs to infer additional confidential information.
This could compromise the confidentiality of your database information and potentially expose sensitive business or personal data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your Neo4j installation is running a version prior to 2026.01.3 or 5.26.21 and if the query log configuration option "obfuscate_literals" is enabled without the new "obfuscate_errors" setting.
Additionally, reviewing the permissions on local log files to see if unauthorized users have access can help detect exposure.
Specific commands are not provided in the available information.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Neo4j to version 2026.01.3 or 5.26.21 where the vulnerability is fixed.
Review and restrict permissions on query log files to ensure only authorized users have access.
If the configuration had db.logs.query.obfuscate_literals enabled, after upgrading, enable the new setting db.logs.query.obfuscate_errors to ensure error messages are also obfuscated.
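One way to automate the version-and-configuration check described in the detection and mitigation answers above, as an added example that is not part of this advisory or of Neo4j's own tooling; the status words, the sample neo4j.conf and the key-parsing rule (last uncommented assignment wins, absent means false) are assumptions of this script:

```shell
# Added example (not from the advisory or from Neo4j): read the two query-log
# settings from a neo4j.conf and classify an instance against CVE-2026-1622.

# Effective value of a neo4j.conf key: last uncommented assignment wins, "false" if absent.
conf_value() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    val=$(sed -n "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1 | tr -d '[:space:]')
    printf '%s' "${val:-false}"
}

# True when dotted version $1 is strictly lower than $2 (numeric, per component).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "[.]"); split(b, y, "[.]")
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1 }'
}

# Fixed release for the version line in use (5.x or calendar-versioned 2026.x).
fixed_release() {
    case "$1" in 5.*) echo 5.26.21 ;; 2026.*) echo 2026.01.3 ;; *) echo unknown ;; esac
}

# Prints one status word: UNPATCHED_ERRORS_LEAK (affected release: literals are
# obfuscated, but a failing query still logs them unredacted), NEEDS_OBFUSCATE_ERRORS
# (fixed release, new setting not enabled), OK, LITERALS_NOT_OBFUSCATED, UNKNOWN_VERSION_LINE.
cve_2026_1622_status() {
    literals=$(conf_value db.logs.query.obfuscate_literals "$2")
    errors=$(conf_value db.logs.query.obfuscate_errors "$2")
    fixed=$(fixed_release "$1")
    if [ "$literals" != true ]; then echo LITERALS_NOT_OBFUSCATED
    elif [ "$fixed" = unknown ]; then echo UNKNOWN_VERSION_LINE
    elif version_lt "$1" "$fixed"; then echo UNPATCHED_ERRORS_LEAK
    elif [ "$errors" != true ]; then echo NEEDS_OBFUSCATE_ERRORS
    else echo OK; fi
}

# Constructed sample config (not a real deployment): literals obfuscated, errors not.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
# db.logs.query.obfuscate_literals=false   <- commented out, so ignored
db.logs.query.enabled=INFO
db.logs.query.obfuscate_literals = true
EOF
cve_2026_1622_status 5.26.20 "$sample_conf"    # UNPATCHED_ERRORS_LEAK
cve_2026_1622_status 2026.01.3 "$sample_conf"  # NEEDS_OBFUSCATE_ERRORS
rm -f "$sample_conf"
```

Run it with the version reported by `neo4j --version` and the path of the instance's neo4j.conf; anything other than OK on a release that has obfuscate_literals enabled is worth following up.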