CVE-2026-1622

Neo4j Enterprise and Community editions versions prior to 2026.01.3 and 5.26.21 are vulnerable to a potential information disclosure by a user who has ability to access the local log files. The "obfuscate_literals" option in the query logs does not redact error information, exposing unredacted data in the query log when a customer writes a query that fails. It can allow a user with legitimate access to the local log files to obtain information they are not authorised to see. If this user is also in a position to run queries and trigger errors, this vulnerability can potentially help them to infer information they are not authorised to see through their intended database access. We recommend upgrading to versions 2026.01.3 (or 5.26.21) where the issue is fixed, and reviewing query log files permissions to ensure restricted access. If your configuration had db.logs.query.obfuscate_literals enabled, and you wish the obfuscation to cover the error messages as well, you need to enable the new configuration setting db.logs.query.obfuscate_errors once you have upgraded Neo4j.

CVSS

No CVSS.

References

Link	Resource
https://neo4j.com/security/CVE-2026-1622

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Las versiones de Neo4j Enterprise y Community editions anteriores a 2026.01.3 y 5.26.21 son vulnerables a una potencial revelación de información por parte de un usuario que tiene la capacidad de acceder a los archivos de registro locales. La opción 'obfuscate_literals' en los registros de consulta no redacta la información de error, exponiendo datos no redactados en el registro de consulta cuando un cliente escribe una consulta que falla. Puede permitir a un usuario con acceso legítimo a los archivos de registro locales obtener información que no está autorizado a ver. Si este usuario también está en posición de ejecutar consultas y activar errores, esta vulnerabilidad puede potencialmente ayudarles a inferir información que no están autorizados a ver a través de su acceso previsto a la base de datos. Recomendamos actualizar a las versiones 2026.01.3 (o 5.26.21) donde se soluciona el problema, y revisar los permisos de los archivos de registro de consulta para asegurar un acceso restringido. Si su configuración tenía 'db.logs.query.obfuscate_literals' habilitado, y desea que la ofuscación también cubra los mensajes de error, debe habilitar la nueva configuración 'db.logs.query.obfuscate_errors' una vez que haya actualizado Neo4j.

04 Feb 2026, 11:16

Type	Values Removed	Values Added
Summary	(en) Neo4j Enterprise and Community editions versions prior to 2026.01.3 and 5.26.21 are vulnerable to a potential information disclosure by a user who has ability to access the local log files. The "obfuscate_literals" option in the query logs does not redact error information, exposing unredacted data in the query log when a customer writes a query that fails. It can allow a user with legitimate access to the local log files to obtain information they are not authorised to see. If this user is also in a position to run queries and trigger errors, this vulnerability can potentially help them to infer information they are not authorised to see through their intended database access. We recommend upgrading to versions 2026.01.3 (or 5.26.21) where the issue is fixed, and reviewing query log files permissions to ensure restricted access. If your configuration had db.logs.query.obfuscate_literal enabled, and you wish the obfuscation to cover the error messages as well, you need to enable the new configuration setting db.logs.query.obfuscate_errors once you have upgraded Neo4j.	(en) Neo4j Enterprise and Community editions versions prior to 2026.01.3 and 5.26.21 are vulnerable to a potential information disclosure by a user who has ability to access the local log files. The "obfuscate_literals" option in the query logs does not redact error information, exposing unredacted data in the query log when a customer writes a query that fails. It can allow a user with legitimate access to the local log files to obtain information they are not authorised to see. If this user is also in a position to run queries and trigger errors, this vulnerability can potentially help them to infer information they are not authorised to see through their intended database access. We recommend upgrading to versions 2026.01.3 (or 5.26.21) where the issue is fixed, and reviewing query log files permissions to ensure restricted access. If your configuration had db.logs.query.obfuscate_literals enabled, and you wish the obfuscation to cover the error messages as well, you need to enable the new configuration setting db.logs.query.obfuscate_errors once you have upgraded Neo4j.

04 Feb 2026, 10:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-04 10:16

Updated : 2026-04-15 00:35

NVD link : CVE-2026-1622

Mitre link : CVE-2026-1622

CVE.ORG link : CVE-2026-1622

JSON object : View

Products Affected

No product.

CWE

CWE-532

Insertion of Sensitive Information into Log File

JSON object

Attach tags to CVE-2026-1622

Attach tags to `CVE-2026-1622`