Low severity · NVD Advisory · Published Jan 22, 2026 · Updated Apr 15, 2026

CVE-2025-12738

Description

Neo4j Enterprise edition versions prior to 2025.11.2 and 5.26.17 are vulnerable to a potential information disclosure by an attacker who has some legitimate access to the database. The vulnerability allows an attacker without read access to a property to infer information about its value by enumerating all possible values and observing the error messages returned by SET property operations. We recommend upgrading to 2025.11.2 or 5.26.17 and above, where the issue is fixed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Neo4j Enterprise edition prior to 2025.11.2 and 5.26.17 has an information disclosure vulnerability where attackers with legitimate access can infer property values via error messages during SET property operations.

Neo4j Enterprise editions prior to 2025.11.2 and 5.26.17 are vulnerable to an information disclosure flaw. The root cause lies in the error messages returned when a user attempts to SET a property value; these messages differ based on whether the operation fails due to the property's current value, enabling an oracle-like behavior [1].

An attacker who already has some legitimate database access—but lacks read permission on a specific property—can exploit this by enumerating possible property values through successive SET attempts. By observing error responses, they can infer the actual value without direct read access [1].

The impact is the potential disclosure of property values that the attacker should not be able to access. While the severity is rated Low, it represents a violation of access controls. The vulnerability is fixed in versions 2025.11.2 and 5.26.17, and the fully managed AuraDB service is not affected. Upgrading to these or later versions is recommended [1].

References
  1. CVE-2025-12738

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
