Bitnami package
neo4j
pkg:bitnami/neo4j
Vulnerabilities (6)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-1524 | Critical | 9.8 | — | < 5.26.22 | 5.26.22 | Mar 11, 2026 | An edgecase in SSO implementation in Neo4j Enterprise edition versions prior to version 2026.02 can lead to unauthorised access under the following conditions: If a neo4j admin configures two or more OIDC providers AND configures one or more of them to be an authorization provi |
| CVE-2026-1471 | Medium | 6.5 | — | < 5.26.22 | 5.26.22 | Mar 11, 2026 | Excessive caching of authentication context in Neo4j Enterprise edition versions prior to 2026.01.4 leads to authenticated users inheriting the context of the first user who authenticated after restart. The issue is limited to certain non-default configurations of SSO (UserInfo e |
| CVE-2026-1497 | High | 7.2 | — | < 5.26.22 | 5.26.22 | Mar 11, 2026 | Incorrect resolving of namespaces in composite databases in Neo4j Enterprise edition prior to versions 2026.02 and 5.26.22 can lead to the following scenario: an admin that intends to give a user an access to a remote database constituent "namespace.name" will inadvertently gran |
| CVE-2026-1337 | — | — | — | < 2026.1.0 | 2026.1.0 | Feb 6, 2026 | Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a pr |
| CVE-2024-34517 | — | — | — | >= 5.0.0, < 5.20.0 | 5.20.0 | May 7, 2024 | The Cypher component in Neo4j 5.0.0 through 5.18 mishandles IMMUTABLE privileges in some situations where an attacker already has admin access. |
| CVE-2021-34371 | — | — | — | < 3.4.19 | 3.4.19 | Aug 5, 2021 | Neo4j through 3.4.18 (with the shell server enabled) exposes an RMI service that arbitrarily deserializes Java objects, e.g., through setSessionVariable. An attacker can abuse this for remote code execution because there are dependencies with exploitable gadget chains. |
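A small triage helper for the table above, added here as an example and not code from Bitnami or Neo4j. It parses the "Affected versions" constraint strings exactly as the table states them (`< 5.26.22`, `>= 5.0.0, < 5.20.0`, `< 2026.1.0`) and tests a running Neo4j version against them, normalising the calendar-style `2026.01` and `2026.1.0` spellings to the same tuple. The CVE-to-range mapping is transcribed from the table; the edition and configuration conditions in the descriptions (Enterprise only, specific SSO setups, the 3.x shell server being enabled) are not encoded, so a match means "read the advisory", not "exploitable". Note that a literal reading of `< 5.26.22` also matches 3.x and 4.x versions, because that is how the range is stated.

```python
"""Check a Neo4j version string against the affected ranges listed above.

Added example, not Bitnami or Neo4j code. ADVISORIES is transcribed from the
"Affected versions" column of the table; edition/config preconditions are not
modelled, so a hit is a prompt to read the advisory, not proof of exposure.
"""
import re
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, ...]

# Transcribed from the table above (CVE id -> affected-version constraint).
ADVISORIES: Dict[str, str] = {
    "CVE-2026-1524": "< 5.26.22",
    "CVE-2026-1471": "< 5.26.22",
    "CVE-2026-1497": "< 5.26.22",
    "CVE-2026-1337": "< 2026.1.0",
    "CVE-2024-34517": ">= 5.0.0, < 5.20.0",
    "CVE-2021-34371": "< 3.4.19",
}

_OPS: Dict[str, Callable[[Version, Version], bool]] = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
    "==": lambda a, b: a == b,
}


def parse_version(text: str) -> Version:
    """Turn '5.26.21', '2026.01.4' or '3.4' into a comparable integer tuple.

    Leading zeros and missing trailing components are normalised, so
    '2026.01' and '2026.1.0' compare equal. A pre-release suffix such as
    '-rc1' is dropped before comparison (assumption: suffixes follow a '-').
    """
    core = text.strip().split("-")[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"not a numeric version: {text!r}")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_constraint(text: str) -> List[Tuple[str, Version]]:
    """Parse '>= 5.0.0, < 5.20.0' into [('>=', (5,0,0)), ('<', (5,20,0))].

    Clauses are comma-separated and ANDed: every clause must hold for the
    version to count as affected.
    """
    clauses = []
    for clause in text.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>|=)\s*([\w.\-]+)\s*", clause)
        if not m:
            raise ValueError(f"bad constraint clause: {clause!r}")
        clauses.append((m.group(1), parse_version(m.group(2))))
    return clauses


def is_affected(version: str, constraint: str) -> bool:
    """True when `version` satisfies every clause of `constraint`."""
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in parse_constraint(constraint))


def applicable_cves(version: str) -> List[str]:
    """CVE ids from the table whose affected range contains `version`."""
    return [cve for cve, c in ADVISORIES.items() if is_affected(version, c)]


if __name__ == "__main__":
    # Sample versions chosen to hit each boundary in the table.
    for v in ("3.4.18", "5.18.0", "5.26.21", "5.26.22", "2026.01", "2026.1.0"):
        print(f"{v:>9} -> {applicable_cves(v) or 'none of the listed advisories'}")
```

Run it with the version reported by `neo4j --version` (or the image tag) to see which rows to read; a fixed version such as `5.26.22` still matches CVE-2026-1337 because that advisory's fix is only in the 2026.x line according to the table.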