Vulnerability DatabaseCVE-2026-1622
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-1622
February 04, 2026
Neo4j Enterprise and Community editions versions prior to 2026.01.3 and 5.26.21 are vulnerable to a potential information disclosure by a user who has ability to access the local log files. The "obfuscate_literals" option in the query logs does not redact error information, exposing unredacted data in the query log when a customer writes a query that fails. It can allow a user with legitimate access to the local log files to obtain information they are not authorised to see. If this user is also in a position to run queries and trigger errors, this vulnerability can potentially help them to infer information they are not authorised to see through their intended database access. We recommend upgrading to versions 2026.01.3 (or 5.26.21) where the issue is fixed, and reviewing query log files permissions to ensure restricted access. If your configuration had db.logs.query.obfuscate_literals enabled, and you wish the obfuscation to cover the error messages as well, you need to enable the new configuration setting db.logs.query.obfuscate_errors once you have upgraded Neo4j.
Affected Packages
https://github.com/neo4j/neo4j.git (GITHUB):
Affected version(s) >=2025.01.0 <2026.01.3
Fix Suggestion:
Update to version 2026.01.3
https://github.com/neo4j/neo4j.git (GITHUB):
Affected version(s) >=1.0.0 <5.26.21
Fix Suggestion:
Update to version 5.26.21
org.neo4j:neo4j (JAVA):
Affected version(s) >=1.2.M03 <5.26.21
Fix Suggestion:
Update to version 5.26.21
org.neo4j:neo4j-configuration (JAVA):
Affected version(s) >=2025.01.0 <2026.01.3
Fix Suggestion:
Update to version 2026.01.3
org.neo4j:neo4j-configuration (JAVA):
Affected version(s) >=3.2.0-alpha02 <5.26.21
Fix Suggestion:
Update to version 5.26.21
org.neo4j:neo4j (JAVA):
Affected version(s) >=2025.01.0 <2026.01.3
Fix Suggestion:
Update to version 2026.01.3
Additional Notes
The description of this vulnerability differs from MITRE.
Related Resources (3)
https://github.com/neo4j/neo4j
https://neo4j.com/security/CVE-2026-1622
https://nvd.nist.gov/vuln/detail/CVE-2026-1622
Do you need more information?
Contact Us
CVSS v4
Base Score:
4.8
Attack Vector
LOCAL
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
3.3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Insertion of Sensitive Information into Log File
CWE-532
EPSS
Base Score:
0.01