CVE-2026-1524: CWE-863 Incorrect Authorization in neo4j Enterprise Edition
An edgecase in SSO implementation in Neo4j Enterprise edition versions prior to version 2026.02 can lead to unauthorised access under the following conditions: If a neo4j admin configures two or more OIDC providers AND configures one or more of them to be an authorization provider AND configures one or more of them to be authentication-only, then those that are authentication-only will also provide authorization. This edgecase becomes a security problem only if the authentication-only provider contains groups which have higher privileges than provided by the intended (configured) authorization provider. When using multiple plugins for authentication and authorisation, prior to the fix the issue could lead to a plugin configured to provide only authentication or authorisation capabilities erroneously providing both capabilities. We recommend upgrading to versions 2026.02 (or 5.26.22) where the issue is fixed.
AI Analysis
Technical Summary
CVE-2026-1524 is an authorization bypass vulnerability classified under CWE-863 (Incorrect Authorization) and CWE-287 (Improper Authentication) affecting Neo4j Enterprise Edition's SSO implementation. The flaw manifests when an administrator configures two or more OpenID Connect (OIDC) providers, assigning some as authorization providers and others as authentication-only. In this edge case, the system erroneously grants authorization capabilities to authentication-only providers. This misassignment becomes critical if the authentication-only provider includes groups with privileges exceeding those granted by the designated authorization provider, effectively allowing privilege escalation. The vulnerability stems from improper separation of authentication and authorization logic in the multi-provider SSO setup. Exploitation requires administrative configuration of OIDC providers and high privileges but does not require user interaction. The vulnerability affects versions from 4.4.0 through 2025.01 and was publicly disclosed in March 2026. The vendor has addressed the issue in versions 2026.02 and 5.26.22. The CVSS 4.0 base score is 2.1, reflecting low severity due to the complexity and prerequisites for exploitation.
Potential Impact
The primary impact of CVE-2026-1524 is unauthorized privilege escalation within Neo4j Enterprise environments using multi-provider OIDC SSO configurations. Attackers or misconfigured administrators could gain elevated access rights beyond intended authorization boundaries, potentially exposing sensitive graph data or allowing unauthorized modifications. This could undermine data confidentiality and integrity, especially in environments where Neo4j holds critical or sensitive information. However, the impact is limited by the requirement for administrative configuration access and the absence of remote exploitation without prior privileges. Organizations relying on Neo4j for critical infrastructure, data analytics, or enterprise applications could face increased insider threat risks or accidental privilege misassignments leading to data exposure or corruption.
Mitigation Recommendations
To mitigate this vulnerability, organizations should upgrade Neo4j Enterprise Edition to version 2026.02 or 5.26.22 where the issue is resolved. Until upgrading, administrators must carefully review and avoid configurations that combine multiple OIDC providers with mixed roles (authorization and authentication-only) to prevent unintended privilege grants. Specifically, avoid assigning higher privilege groups to authentication-only providers or ensure that authentication-only providers do not contain groups with elevated privileges. Conduct thorough audits of OIDC provider configurations and group privilege assignments. Implement strict role-based access controls and monitor authentication and authorization logs for anomalies. Additionally, restrict administrative access to Neo4j configuration settings to trusted personnel only. Employ defense-in-depth by isolating Neo4j instances and limiting network access to trusted users and systems.
Affected Countries
United States, Germany, United Kingdom, France, Japan, Canada, Australia, Netherlands, Sweden, South Korea
CVE-2026-1524: CWE-863 Incorrect Authorization in neo4j Enterprise Edition
Description
An edgecase in SSO implementation in Neo4j Enterprise edition versions prior to version 2026.02 can lead to unauthorised access under the following conditions: If a neo4j admin configures two or more OIDC providers AND configures one or more of them to be an authorization provider AND configures one or more of them to be authentication-only, then those that are authentication-only will also provide authorization. This edgecase becomes a security problem only if the authentication-only provider contains groups which have higher privileges than provided by the intended (configured) authorization provider. When using multiple plugins for authentication and authorisation, prior to the fix the issue could lead to a plugin configured to provide only authentication or authorisation capabilities erroneously providing both capabilities. We recommend upgrading to versions 2026.02 (or 5.26.22) where the issue is fixed.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-1524 is an authorization bypass vulnerability classified under CWE-863 (Incorrect Authorization) and CWE-287 (Improper Authentication) affecting Neo4j Enterprise Edition's SSO implementation. The flaw manifests when an administrator configures two or more OpenID Connect (OIDC) providers, assigning some as authorization providers and others as authentication-only. In this edge case, the system erroneously grants authorization capabilities to authentication-only providers. This misassignment becomes critical if the authentication-only provider includes groups with privileges exceeding those granted by the designated authorization provider, effectively allowing privilege escalation. The vulnerability stems from improper separation of authentication and authorization logic in the multi-provider SSO setup. Exploitation requires administrative configuration of OIDC providers and high privileges but does not require user interaction. The vulnerability affects versions from 4.4.0 through 2025.01 and was publicly disclosed in March 2026. The vendor has addressed the issue in versions 2026.02 and 5.26.22. The CVSS 4.0 base score is 2.1, reflecting low severity due to the complexity and prerequisites for exploitation.
Potential Impact
The primary impact of CVE-2026-1524 is unauthorized privilege escalation within Neo4j Enterprise environments using multi-provider OIDC SSO configurations. Attackers or misconfigured administrators could gain elevated access rights beyond intended authorization boundaries, potentially exposing sensitive graph data or allowing unauthorized modifications. This could undermine data confidentiality and integrity, especially in environments where Neo4j holds critical or sensitive information. However, the impact is limited by the requirement for administrative configuration access and the absence of remote exploitation without prior privileges. Organizations relying on Neo4j for critical infrastructure, data analytics, or enterprise applications could face increased insider threat risks or accidental privilege misassignments leading to data exposure or corruption.
Mitigation Recommendations
To mitigate this vulnerability, organizations should upgrade Neo4j Enterprise Edition to version 2026.02 or 5.26.22 where the issue is resolved. Until upgrading, administrators must carefully review and avoid configurations that combine multiple OIDC providers with mixed roles (authorization and authentication-only) to prevent unintended privilege grants. Specifically, avoid assigning higher privilege groups to authentication-only providers or ensure that authentication-only providers do not contain groups with elevated privileges. Conduct thorough audits of OIDC provider configurations and group privilege assignments. Implement strict role-based access controls and monitor authentication and authorization logs for anomalies. Additionally, restrict administrative access to Neo4j configuration settings to trusted personnel only. Employ defense-in-depth by isolating Neo4j instances and limiting network access to trusted users and systems.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Neo4j
- Date Reserved
- 2026-01-28T11:20:54.690Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69b1988f2f860ef9433d150f
Added to database: 3/11/2026, 4:30:07 PM
Last enriched: 3/18/2026, 7:08:56 PM
Last updated: 4/28/2026, 1:38:07 AM
Views: 144
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.