CVE-2025-12738

Neo4j Enterprise edition versions prior to 2025.11.2 and 5.26.17 are vulnerable to a potential information disclosure by an attacker who has some legitimate access to the database. The vulnerability allows attacker without read access to a property to infer information about its value by trying to enumerate all possible values through observing error messages of SET property. We recommend upgrading to 2025.11.2 or 5.26.17 and above, where the issues is fixed.

CVSS

No CVSS.

References

Link	Resource
https://neo4j.com/security/CVE-2025-12738

Configurations

No configuration.

History

22 Jan 2026, 15:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-22 15:16

Updated : 2026-01-26 15:04

NVD link : CVE-2025-12738

Mitre link : CVE-2025-12738

CVE.ORG link : CVE-2025-12738

JSON object : View

Products Affected

No product.

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2025-12738", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 1.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:D/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-22T15:16:47.127", "references": [{"url": "https://neo4j.com/security/CVE-2025-12738", "source": "3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Neo4j Enterprise edition versions prior to 2025.11.2 and 5.26.17 are vulnerable to a potential information disclosure by an attacker who has some legitimate access to the database. The vulnerability allows attacker without read access to a property to infer information about its value by trying to enumerate all possible values through observing error messages of SET property.\nWe recommend upgrading to 2025.11.2 or 5.26.17 and above, where the issues is fixed."}], "lastModified": "2026-01-26T15:04:33.567", "sourceIdentifier": "3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6"}

CVE-2025-12738

JSON object

Attach tags to CVE-2025-12738

Attach tags to `CVE-2025-12738`