Platform
other
Component
neo4j-enterprise-edition
Fixed in
5.26.22
2026.02
CVE-2026-1524 describes an authorization bypass vulnerability affecting Neo4j Enterprise Edition versions before 2026.02. This flaw arises from a specific edge case in the Single Sign-On (SSO) implementation where misconfigured OIDC providers can grant unauthorized access. Exploitation requires a complex setup involving multiple OIDC providers, some configured for authentication only, potentially leading to privilege escalation.
The vulnerability stems from a misconfiguration scenario within Neo4j's SSO functionality. If an administrator configures multiple OIDC providers, designates some as authorization providers, and others as authentication-only, the authentication-only providers can inadvertently grant authorization privileges. This occurs when these authentication-only providers contain groups with elevated privileges exceeding those intended by the administrator's authorization configuration. An attacker could exploit this by leveraging a compromised or malicious authentication-only provider to gain administrative access to the Neo4j instance, potentially leading to data breaches, system compromise, and denial of service. The blast radius extends to any sensitive data stored and managed within the Neo4j graph database.
CVE-2026-1524 was publicly disclosed on 2026-03-11. There is no indication of active exploitation or KEV listing at the time of writing. Public proof-of-concept code is currently unavailable. The vulnerability requires a specific and complex configuration, which may limit its immediate exploitability, but the potential impact warrants prompt remediation.
Exploit Status
EPSS
0.05% (17% percentile)
CISA SSVC
The primary mitigation for CVE-2026-1524 is to upgrade Neo4j Enterprise Edition to version 2026.02 or later, which contains the fix. If an immediate upgrade is not feasible, carefully review and correct the OIDC provider configuration. Ensure that only intended authorization providers are configured for authorization, and that authentication-only providers do not inadvertently grant elevated privileges. Implement strict access controls and regularly audit SSO configurations to prevent future misconfigurations. Consider implementing a Web Application Firewall (WAF) with rules to detect and block requests attempting to exploit this bypass, although this is not a substitute for patching.
Upgrade Neo4j Enterprise Edition to version 5.26.22 or later, or to version 2026.02 or later. This corrects the authentication misconfiguration when multiple providers are enabled, preventing unauthorized access.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-1524 is a vulnerability in Neo4j Enterprise Edition versions prior to 2026.02 where misconfigured OIDC providers can lead to unauthorized access due to an edgecase in the SSO implementation.
You are affected if you are running Neo4j Enterprise Edition versions before 2026.02 and have configured multiple OIDC providers, some for authentication only, with groups having elevated privileges.
Upgrade to Neo4j Enterprise Edition version 2026.02 or later. If immediate upgrade is not possible, review and correct your OIDC provider configurations to ensure proper authorization.
There is currently no public information indicating active exploitation of CVE-2026-1524.
Refer to the official Neo4j security advisory for CVE-2026-1524 on the Neo4j website (https://neo4j.com/security/).
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.