CVE-2026-1497: CWE-863 Incorrect Authorization in neo4j Enterprise Edition
Incorrect resolution of namespaces in composite databases in Neo4j Enterprise Edition prior to versions 2026.02 and 5.26.22 can lead to the following scenario: an admin who intends to give a user access to a remote database constituent "namespace.name" will inadvertently grant access to any local database or remote alias called "name". If no such database or alias exists when the command is run, the privileges will take effect if one is created later.
AI Analysis
Technical Summary
CVE-2026-1497 is a security vulnerability classified under CWE-863 (Incorrect Authorization) affecting Neo4j Enterprise Edition versions prior to 2026.02 and 5.26.22. The issue stems from improper resolution of namespaced names within composite databases. When an administrator grants a user privileges on a remote database constituent identified as "namespace.name", the system resolves only the bare "name" part and so also grants those privileges on any local database or remote alias called "name". The user therefore ends up with access to a database or alias the administrator never intended to expose. The mis-resolved grant is persisted as written: if no local database or alias called "name" exists when the command is run, the privileges lie dormant and take effect as soon as one is created, which means a later, unrelated CREATE DATABASE or CREATE ALIAS can silently widen an existing role. Exploitation does not involve bypassing authentication; it depends on an administrator (or any user holding privilege-management rights) issuing such a grant, and on a database or alias with the colliding bare name existing now or later. The CVSS 4.0 vector indicates network attack vector, low attack complexity, low privileges required, user interaction needed, and low impact on confidentiality, integrity, and availability, resulting in a low severity rating. No public exploits have been reported, and no patch links are included in the provided data; upgrading to 2026.02 or 5.26.22 is the remediation the advisory describes.
Potential Impact
The primary impact of CVE-2026-1497 is unauthorized access to databases or aliases in Neo4j deployments that use composite databases. A role intended to reach only a remote constituent can read or modify a local database or top-level alias that happens to share the constituent's bare name, which is an unintended privilege escalation. Because the grant also applies to any such database or alias created after the command was run, the exposure can appear long after the original grant and survive until someone audits privileges, so the unauthorized access is persistent rather than a one-off. The impact is bounded by the fact that a privileged administrator must issue the grant and that user interaction is needed; the vulnerability does not directly enable remote code execution or denial of service. Organizations relying on Neo4j Enterprise Edition for sensitive data could nonetheless face data leakage or compliance violations if a colliding name exists. The low CVSS score reflects the limited scope and complexity, but the risk is real in environments with several composite databases, many aliases, and naming schemes in which constituent names are reused for local databases.
Mitigation Recommendations
To mitigate CVE-2026-1497, upgrade Neo4j Enterprise Edition to version 2026.02 or 5.26.22 (or later in the respective release line), where the namespace resolution is fixed. Until the upgrade is applied, treat every grant on a "namespace.name" constituent as also applying to a local database or top-level alias called "name": before issuing it, list the existing names with SHOW DATABASES and SHOW ALIASES FOR DATABASE and confirm that no local database or non-constituent alias shares the bare constituent name, and avoid introducing such a name afterwards. Review existing grants with SHOW PRIVILEGES (or SHOW ROLE ... PRIVILEGES) for constituent targets whose bare name collides with a local database or alias, and revoke or re-scope them. Restrict which accounts hold privilege-management rights, and audit all privilege grants. Because a dormant mis-resolved grant becomes live when a matching database or alias is created, add a check to the database and alias provisioning process (or monitor CREATE DATABASE and CREATE ALIAS in the security log) so that a new name is compared against the bare names of all constituent grants before it is created. Regularly review Neo4j security advisories for updates or patches addressing this and related vulnerabilities.
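The following script is an added example that implements the pre-grant and pre-create checks described in the analysis and the mitigation above; it is not Neo4j code and not part of the original advisory. It assumes only the column names of the Cypher admin commands SHOW DATABASES (name, type) and SHOW ALIASES FOR DATABASE (name, composite, database, location); the rows below are constructed, and in a real audit they would be fetched through a driver session. The list of intended grants (role to "composite.constituent" pairs) is assumed to come from the administrator's own provisioning scripts rather than from the DBMS.

```python
"""Offline collision check for CVE-2026-1497 (namespace mis-resolution).

Added example, not Neo4j code. Before the fix, a grant on "composite.name"
also applies to any local database or top-level alias called plain "name",
now or when one is created later. The functions below find both cases.
"""
from dataclasses import dataclass, field


@dataclass
class Catalog:
    local_databases: set = field(default_factory=set)    # non-composite databases
    top_level_aliases: set = field(default_factory=set)  # aliases outside any composite
    constituents: set = field(default_factory=set)       # (composite, bare name) pairs


def build_catalog(databases, aliases):
    """Fold SHOW DATABASES / SHOW ALIASES FOR DATABASE rows into name sets."""
    cat = Catalog()
    for row in databases:
        if row["type"] != "composite":
            cat.local_databases.add(row["name"])
    for row in aliases:
        name, composite = row["name"], row["composite"]
        if composite:
            # Accept either "customers" or "sales.customers" in the name column.
            if name.startswith(composite + "."):
                name = name[len(composite) + 1:]
            cat.constituents.add((composite, name))
        else:
            cat.top_level_aliases.add(name)
    return cat


def split_target(target):
    """'sales.customers' -> ('sales', 'customers'); a plain name -> (None, name)."""
    composite, dot, name = target.partition(".")
    return (composite, name) if dot else (None, composite)


def collisions(catalog, grants):
    """Constituent grants whose bare name also names a local db or alias today."""
    findings = []
    for grant in grants:
        composite, name = split_target(grant["target"])
        if composite is None:
            continue  # plain database grant; not affected by the bug
        if (composite, name) not in catalog.constituents:
            findings.append({**grant, "problem": "constituent does not exist"})
            continue
        if name in catalog.local_databases:
            findings.append({**grant, "problem": f"also resolves to local database '{name}'"})
        if name in catalog.top_level_aliases:
            findings.append({**grant, "problem": f"also resolves to alias '{name}'"})
    return findings


def roles_exposed_by_creating(grants, new_name):
    """Roles that would silently gain access if a db/alias called new_name is created.

    Run this as a pre-create check before CREATE DATABASE / CREATE ALIAS.
    """
    exposed = set()
    for grant in grants:
        composite, name = split_target(grant["target"])
        if composite is not None and name == new_name:
            exposed.add(grant["role"])
    return sorted(exposed)


def is_fixed(version):
    """True at or after the fixed releases named in the advisory.

    Assumption: the 5.x line is fixed from 5.26.22 and the calendar line from
    2026.02; everything else covered by 'prior to' is treated as affected.
    """
    parts = tuple(int(p) for p in version.split(".")[:3])
    if parts[0] == 5:
        return parts >= (5, 26, 22)
    return parts >= (2026, 2)


# Constructed sample rows in the shape of the SHOW commands' output.
SAMPLE_DATABASES = [
    {"name": "system", "type": "system"},
    {"name": "neo4j", "type": "standard"},
    {"name": "sales", "type": "composite"},
    {"name": "customers", "type": "standard"},  # same bare name as sales.customers
]
SAMPLE_ALIASES = [
    {"name": "customers", "composite": "sales", "database": "customers", "location": "remote"},
    {"name": "orders", "composite": "sales", "database": "orders", "location": "remote"},
    {"name": "inventory", "composite": "sales", "database": "inventory", "location": "remote"},
    {"name": "orders", "composite": None, "database": "neo4j", "location": "local"},
]
SAMPLE_GRANTS = [  # what the admin intended to grant
    {"role": "analyst", "target": "sales.customers"},
    {"role": "analyst", "target": "sales.orders"},
    {"role": "auditor", "target": "sales.inventory"},
    {"role": "ops", "target": "neo4j"},
]

if __name__ == "__main__":
    cat = build_catalog(SAMPLE_DATABASES, SAMPLE_ALIASES)
    for f in collisions(cat, SAMPLE_GRANTS):
        print(f"{f['role']:8} {f['target']:18} {f['problem']}")
    print("creating 'inventory' would expose:", roles_exposed_by_creating(SAMPLE_GRANTS, "inventory"))
```

On the sample data the audit flags analyst's grant on sales.customers (a local database "customers" exists) and on sales.orders (a top-level alias "orders" exists), while auditor's grant on sales.inventory is clean today but would become live the moment anyone creates a database or alias called "inventory"; that second case is why the pre-create check matters as much as the one-off audit.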
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Australia, Canada, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Neo4j
- Date Reserved: 2026-01-27T15:57:15.975Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b194fa2f860ef943342463
Added to database: 3/11/2026, 4:14:50 PM
Last enriched: 3/11/2026, 4:30:29 PM
Last updated: 3/13/2026, 5:30:59 PM
Views: 13