CVE-2026-1524: CWE-863 Incorrect Authorization in neo4j Enterprise Edition
An edge case in the SSO implementation in Neo4j Enterprise Edition versions prior to version 2026.02 can lead to unauthorised access under the following conditions: if a Neo4j admin configures two or more OIDC providers AND configures one or more of them to be an authorization provider AND configures one or more of them to be authentication-only, then those that are authentication-only will also provide authorization. This edge case becomes a security problem only if the authentication-only provider contains groups which have higher privileges than provided by the intended (configured) authorization provider. When using multiple plugins for authentication and authorisation, prior to the fix the issue could lead to a plugin configured to provide only authentication or authorisation capabilities erroneously providing both capabilities. We recommend upgrading to versions 2026.02 (or 5.26.22) where the issue is fixed.
AI Analysis
Technical Summary
CVE-2026-1524 is an incorrect authorization vulnerability (CWE-863) in the SSO implementation of Neo4j Enterprise Edition, affecting versions prior to 2026.02. The flaw is triggered when an administrator configures two or more OpenID Connect (OIDC) providers and designates some of them as authorization providers and others as authentication-only. In that configuration the authentication-only providers also supply authorization, contrary to their intended role. The misbehaviour becomes a security risk only if the authentication-only provider carries groups that map to higher privileges than those granted through the intended authorization provider. The root cause is a logic error in the handling of multiple authentication and authorization plugins: the system fails to keep authentication-only plugins out of the authorization decision. Reaching the vulnerable state requires administrative privileges to configure the OIDC providers in this specific way, and no user interaction is needed once the configuration is in place. The CVSS 4.0 score is 2.1, reflecting low severity due to the configuration prerequisites and the limited impact scope. The issue is resolved in Neo4j version 2026.02 (and in 5.26.22). No public exploits have been reported, indicating limited active threat. The vulnerability underlines the need to keep authentication and authorization roles clearly separated in multi-provider SSO environments.
Potential Impact
The primary impact of CVE-2026-1524 is unauthorized privilege escalation within Neo4j Enterprise Edition deployments that use multiple OIDC providers. Users authenticated through an authentication-only provider could receive higher privileges than intended and access or modify graph data beyond their authorized scope, leading to confidentiality breaches, unauthorized data manipulation, and loss of database integrity. Exploitation depends on a specific administrative misconfiguration, which limits the likelihood and scope of attacks. Organizations that rely on Neo4j for critical data analytics, identity management, or infrastructure could nevertheless be exposed to insider misuse or to misconfigured access controls being taken advantage of. Because Neo4j is deployed globally in sectors such as finance, telecommunications, and government, sensitive systems could be affected if left unpatched. The absence of known exploits and the low CVSS score suggest limited immediate risk, but the potential for privilege escalation warrants timely remediation.
Mitigation Recommendations
To mitigate CVE-2026-1524, upgrade Neo4j Enterprise Edition to version 2026.02 or later (or 5.26.22), where the vulnerability is fixed. Administrators should audit their OIDC provider configuration to confirm that providers designated as authentication-only cannot grant authorization, and should avoid configuring multiple OIDC providers with overlapping or conflicting roles unless necessary. Verify group-to-privilege assignments carefully, paying particular attention to any groups on an authentication-only provider that would map to roles more powerful than those the intended authorization provider grants. Apply strict change management and configuration review to SSO setups, and monitor Neo4j security and query logs for unexpected privilege use or access patterns. Enforce role-based access control (RBAC) and least privilege so that any misconfiguration has limited reach. Finally, maintain current backups and test recovery procedures to contain data integrity issues arising from unauthorized access.
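The configuration audit recommended above can be scripted. The following is an added example, not Neo4j tooling and not code from this advisory: it parses a neo4j.conf-style text, detects the provider shape the advisory describes (two or more OIDC providers, at least one authorizing and at least one authentication-only), and reports any roles that the authentication-only provider's group mapping would hand out beyond what the intended authorization provider grants. The setting names `dbms.security.authentication_providers`, `dbms.security.authorization_providers` and `dbms.security.oidc.<name>.authorization.group_to_role_mapping` are assumed Neo4j 5-style names and do not appear in the advisory; the configuration excerpts are constructed samples.

```python
"""
Audit for the CVE-2026-1524 precondition in a neo4j.conf-style file.
Added example; setting names are assumed, not taken from the advisory.
"""
import re
from dataclasses import dataclass

# Assumed setting names (Neo4j 5-style; not stated in the advisory).
AUTHN_KEY = "dbms.security.authentication_providers"
AUTHZ_KEY = "dbms.security.authorization_providers"
MAPPING_RE = re.compile(
    r"^dbms\.security\.oidc\.([^.]+)\.authorization\.group_to_role_mapping$"
)

# Constructed sample: "corp" is the intended authorization provider, "partner"
# is meant to authenticate only, yet its group mapping could hand out admin.
VULNERABLE_CONF = """
# neo4j.conf excerpt (constructed sample)
dbms.security.authentication_providers=oidc-corp,oidc-partner,native
dbms.security.authorization_providers=oidc-corp,native
dbms.security.oidc.corp.authorization.group_to_role_mapping="analysts"=reader;"engineers"=editor
dbms.security.oidc.partner.authorization.group_to_role_mapping="partner-ops"=admin
"""

# Constructed sample with a single OIDC provider: the precondition does not hold.
SINGLE_PROVIDER_CONF = """
dbms.security.authentication_providers=oidc-corp,native
dbms.security.authorization_providers=oidc-corp,native
dbms.security.oidc.corp.authorization.group_to_role_mapping="analysts"=reader
"""


def parse_conf(text: str) -> dict:
    """Minimal key=value parser; blank lines and '#' comments are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")   # split at the first '=' only
        settings[key.strip()] = value.strip()
    return settings


def split_list(value: str) -> list:
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_mapping(value: str) -> dict:
    """Parse '"group"=role1,role2;"other"=role3' into {group: {roles}}."""
    mapping = {}
    for pair in value.split(";"):
        if "=" not in pair:
            continue
        group, _, roles = pair.partition("=")
        mapping[group.strip().strip('"')] = {r.strip() for r in roles.split(",") if r.strip()}
    return mapping


@dataclass
class Finding:
    matches_precondition: bool   # the provider shape described in the advisory
    oidc_authz: list             # OIDC providers intended to authorize
    oidc_authn_only: list        # OIDC providers meant to authenticate only
    excess_roles: dict           # authn-only provider -> roles beyond the intended set


def audit(settings: dict) -> Finding:
    authn = split_list(settings.get(AUTHN_KEY, "native"))
    authz = split_list(settings.get(AUTHZ_KEY, "native"))
    oidc_all = {p for p in authn + authz if p.startswith("oidc-")}
    oidc_authz = sorted(p for p in oidc_all if p in authz)
    oidc_authn_only = sorted(p for p in oidc_all if p in authn and p not in authz)
    matches = len(oidc_all) >= 2 and bool(oidc_authz) and bool(oidc_authn_only)

    # Group-to-role mappings keyed by provider short name ("corp" for "oidc-corp").
    mappings = {}
    for key, value in settings.items():
        m = MAPPING_RE.match(key)
        if m:
            mappings[m.group(1)] = parse_mapping(value)

    def roles_of(provider: str) -> set:
        return set().union(*mappings.get(provider[len("oidc-"):], {}).values())

    # Roles the intended authorization providers can grant; anything an
    # authentication-only provider could add on top is the risk the advisory names.
    intended = set().union(*(roles_of(p) for p in oidc_authz))
    excess = {}
    for p in oidc_authn_only:
        extra = roles_of(p) - intended
        if extra:
            excess[p] = extra
    return Finding(matches, oidc_authz, oidc_authn_only, excess)


if __name__ == "__main__":
    for label, conf in (("vulnerable shape", VULNERABLE_CONF),
                        ("single provider", SINGLE_PROVIDER_CONF)):
        print(label, audit(parse_conf(conf)))
```

A non-empty `excess_roles` on a version before 2026.02 is the case worth acting on first; `matches_precondition` alone says the provider layout is the one the advisory describes, whether or not the mapping currently adds privileges.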
Affected Countries
United States, Germany, United Kingdom, France, Japan, Canada, Australia, Netherlands, India, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: Neo4j
- Date Reserved: 2026-01-28T11:20:54.690Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b1988f2f860ef9433d150f
Added to database: 3/11/2026, 4:30:07 PM
Last enriched: 3/11/2026, 4:46:34 PM
Last updated: 3/13/2026, 7:35:11 PM