Insufficient escaping of unicode characters in query log
Description
Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a precaution to treat the logs as plain text if using versions prior to 2026.01.
Proof of concept exploit: https://github.com/JoakimBulow/CVE-2026-1337
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Neo4j query logs insufficiently escape Unicode/control characters, enabling XSS or log injection when logs are viewed in HTML-aware tools; no direct impact on Neo4j itself.
Vulnerability
CVE-2026-1337 arises from insufficient escaping of Unicode characters in the query log of Neo4j Enterprise and Community editions prior to version 2026.01. [1] Specifically, an authenticated user can inject control characters (e.g., newlines) via the metadata field of a Bolt transaction, causing the query log to contain unescaped HTML or fake log entries. [2] The log files are not sanitized for HTML, so opening them in a browser or HTML-aware viewer can trigger cross-site scripting (XSS).
Exploitation
Exploitation requires an authenticated Neo4j user with the ability to execute queries and attach custom metadata to a Bolt transaction. [2] The attacker crafts a metadata payload containing Unicode or control characters (e.g., \n plus arbitrary log lines). When the query is executed, the payload is written verbatim into the query log file. If an administrator or analyst subsequently opens that log file with a tool that treats it as HTML, the injected markup will be rendered, potentially executing script code. Alternatively, the injected newlines can produce fabricated log entries that mimic legitimate queries, enabling social engineering or audit trail manipulation. [2]
Impact
The primary impact is a client-side XSS attack against anyone who views the Neo4j query log in an HTML-capable viewer. The attacker could potentially steal cookies, session tokens, or perform actions within the log viewer’s context. Additionally, the log injection can obscure forensic evidence or mislead administrators by inserting fake query records. [2] However, the official advisory states there is no direct security impact on Neo4j server components themselves; the risk is confined to the log viewing process. [1]
Mitigation
Neo4j recommends treating query logs as plain text and not opening them in HTML-aware viewers unless using version 2026.01 or later. [1] The fix in version 2026.01 properly escapes Unicode and control characters before writing to the log file. Users on earlier versions should upgrade to the latest release. A proof of concept is available, but no active exploitation in the wild has been reported as of publication. [1][2]
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
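Write-time escaping of the metadata field, the view-time HTML escaping that the advisory's plain-text advice implies, and a triage scan over constructed log lines, as an added example that is not Neo4j's code; the log line layout, `write_entry`, the sample metadata values and the regular expressions are assumptions.

```python
import html
import re
import unicodedata

# Constructed samples (not from the advisory or the PoC): a metadata value
# carrying a raw newline plus text shaped like a second entry, and one
# carrying markup plus a trailing right-to-left override (category Cf).
META_NEWLINE = "app=billing\n2026-02-01 10:00:01 INFO  admin - MATCH (n) DETACH DELETE n"
META_MARKUP = "app=<b>billing</b>\u202e"
LOG_PREFIX = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")  # assumed layout
HTML_TAG = re.compile(r"</?[A-Za-z][^>]*>")
BAD_CATEGORIES = ("Cc", "Cf", "Zl", "Zp")  # control, format, line/para separators

def escape_log_field(value: str) -> str:
    """Write-time fix: rewrite control, format and separator code points as
    \\uXXXX so a field can neither break the line nor reorder what follows."""
    return "".join(
        f"\\u{ord(ch):04x}" if unicodedata.category(ch) in BAD_CATEGORIES else ch
        for ch in value
    )

def render_for_html_viewer(line: str) -> str:
    """View-time defence: escape a log line before placing it in HTML."""
    return html.escape(line, quote=True)

def write_entry(user: str, query: str, metadata: str, escaped: bool) -> str:
    """Build one log line in the assumed layout, with or without the fix."""
    field = escape_log_field(metadata) if escaped else metadata
    return f"2026-02-01 10:00:00 INFO  {user} - {query} - {{{field}}}\n"

def find_suspicious_lines(log_text: str) -> list[tuple[int, str]]:
    """Triage an existing, unescaped log. Markup and leftover Cc/Cf characters
    are strong signals; a missing timestamp prefix is weak, since an entry
    fabricated to copy the layout cannot be told apart after the fact."""
    hits = []
    for n, line in enumerate(log_text.split("\n"), start=1):
        if not line:
            continue
        reasons = []
        if not LOG_PREFIX.match(line):
            reasons.append("no timestamp prefix")
        if HTML_TAG.search(line):
            reasons.append("html markup")
        if any(unicodedata.category(c) in BAD_CATEGORIES for c in line):
            reasons.append("control/format char")
        if reasons:
            hits.append((n, ", ".join(reasons)))
    return hits
```

Scanning the unescaped sample shows why the fix belongs at write time: the entry fabricated by the raw newline is not flagged, while the markup and bidi override are.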
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.neo4j:neo4j (Maven) | < 2026.01 | 2026.01 |
Affected products
- Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-xr72-g735-4vwp (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-1337 (advisory, via GHSA)
News mentions
No linked articles in our index yet.