anonhaven
Ad

CVE-2026-1524

LOW CVSS 4.0: 2.1 EPSS 0.04%
Updated Mar 11, 2026
An
Parameter Value
CVSS 2.1 (LOW)
Affected Versions before 2026.02
Type CWE-863 (Incorrect Authorization), CWE-287 (Improper Authentication)
Vendor An
Public PoC No

An edgecase in SSO implementation in Neo4j Enterprise edition versions prior to version 2026.02 can lead to unauthorised access under the following conditions: If a neo4j admin configures two or more OIDC providers AND configures one or more of them to be an authorization provider AND configures one or more of them to be authentication-only, then those that are authentication-only will also provide authorization. This edgecase becomes a security problem only if the authentication-only provider contains groups which have higher privileges than provided by the intended (configured) authorization provider. When using multiple plugins for authentication and authorisation, prior to the fix the issue could lead to a plugin configured to provide only authentication or authorisation capabilities erroneously providing both capabilities.

We recommend upgrading to versions 2026.02 (or 5.26.22) where the issue is fixed.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
Present
Additional conditions required
Privileges Required
High
Admin privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
Low
Partial disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-863 Incorrect Authorization
CWE-287 Improper Authentication

References 1

https://neo4j.com/security/CVE-2026-1524
3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6
Share Post Share Share Share