CVE-2026-55615
Received Received - Intake

Prompt Injection Leading to Arbitrary Cypher Execution in Langroid

Vulnerability report for CVE-2026-55615, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.65.5, Neo4jChatAgent passes LLM-generated Cypher queries straight to the Neo4j driver with no validation, no statement-type allowlist, and no opt-out gate. The query text is influenceable by prompt injection (direct user input or indirect content the agent reads back via RAG), so an attacker who can influence the prompt can read or destroy all graph data and, when APOC or dbms.security procedures are enabled on the server, achieve OS-command and filesystem access. This is the same defect class and threat model as the SQLChatAgent prompt-to-SQL-to-RCE issue fixed in version 0.63.0 (CVE-2026-25879); that fix did not extend to the neo4j module. Version 0.65.5 contains a fix for the neo4j module.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
langroid langroid 0.65.5
langroid langroid to 0.65.5 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Langroid framework's Neo4jChatAgent component, which executes large-language-model-generated Cypher queries without any validation or restrictions. Because the query text can be influenced by prompt injectionβ€”where an attacker manipulates the input promptsβ€”the attacker can execute arbitrary Cypher commands on the Neo4j database.

This lack of validation means an attacker can read, modify, or destroy all graph data. Furthermore, if certain Neo4j procedures like APOC or dbms.security are enabled, the attacker can escalate the attack to remote code execution (RCE), filesystem access, or server-side request forgery (SSRF).

The vulnerability was fixed in Langroid version 0.65.5 by adding validation layers and a security gate to restrict dangerous operations, similar to a previous fix for a related SQLChatAgent vulnerability.

Impact Analysis

If you use the vulnerable versions of Langroid (prior to 0.65.5), an attacker who can influence the prompts sent to Neo4jChatAgent can exploit this vulnerability to:

  • Read all graph data without authorization.
  • Modify or delete graph data, potentially causing data loss or corruption.
  • Achieve remote code execution (RCE) on the server if APOC or dbms.security procedures are enabled.
  • Access the filesystem or perform server-side request forgery (SSRF) attacks.

These impacts can lead to severe data breaches, system compromise, and loss of service integrity.

Detection Guidance

Detection of this vulnerability involves identifying whether the Langroid Neo4jChatAgent is running a vulnerable version (prior to 0.65.5) that executes LLM-generated Cypher queries without validation.

Since the vulnerability arises from unvalidated Cypher queries influenced by prompt injection, monitoring logs for unusual or unexpected Cypher queries, especially those containing dangerous operations like LOAD CSV, apoc.*, or dbms.* procedures, can help detect exploitation attempts.

Commands to detect suspicious activity might include querying Neo4j query logs or audit logs for such patterns. For example, using Neo4j's query log or monitoring tools to search for queries containing keywords like 'LOAD CSV', 'apoc.', or 'dbms.' could be useful.

Additionally, checking the version of Langroid in use can be done by inspecting the installed package version, e.g., using a command like `pip show langroid` or checking the version in the application environment.

Mitigation Strategies

The primary mitigation step is to upgrade Langroid to version 0.65.5 or later, where the vulnerability is fixed by adding validation and a security gate (`allow_dangerous_operations`) to the Neo4jChatAgent and ArangoChatAgent.

Additionally, users should configure the agents to disallow dangerous operations by default and only enable them explicitly if necessary.

Implement least-privilege database roles to restrict what the Neo4jChatAgent can do, minimizing the impact of any potential injection.

Avoid enabling APOC or dbms.security procedures unless absolutely required, as these increase the risk of remote code execution or filesystem access if exploited.

Compliance Impact

This vulnerability allows attackers to read, modify, or destroy all graph data in the affected Langroid Neo4jChatAgent, potentially leading to unauthorized access and data breaches.

Such unauthorized data access and potential data destruction can result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring data integrity.

Additionally, if the Neo4j server has certain procedures enabled (like APOC or dbms.security), attackers could escalate to remote code execution or filesystem access, increasing the risk of broader system compromise and further regulatory violations.

Therefore, organizations using vulnerable versions of Langroid prior to 0.65.5 may face compliance risks due to potential data breaches and loss of control over sensitive data.

Mitigation involves upgrading to version 0.65.5, applying validation and safety gates, and enforcing least-privilege database roles to reduce the risk of unauthorized data exposure and maintain compliance.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55615. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart