CVE-2026-1622 affects Neo4j Enterprise and Community editions before versions 2026.01.3 and 5.26.21. The vulnerability stems from the 'obfuscate_literals' setting in Neo4j's query logging mechanism, which is intended to redact sensitive literals from query logs. However, this setting does not obfuscate error messages generated by failed queries, resulting in sensitive data being written unredacted into local log files. An attacker with legitimate access to these log files and the ability to execute queries that cause errors can exploit this to glean sensitive information beyond their authorized access. This is a form of information disclosure classified under CWE-532 (Insertion of Sensitive Information into Log File). The vulnerability requires local access to log files and privileges to run queries but does not require user interaction or network access. The CVSS 4.0 score is 4.8 (medium), reflecting limited attack vector (local), low complexity, and partial confidentiality impact. The vendor has addressed the issue by releasing patched versions and introducing a new configuration option 'db.logs.query.obfuscate_errors' to extend obfuscation to error messages. Proper permissions on log files are also recommended to limit exposure.

For European organizations using Neo4j databases, this vulnerability could lead to unauthorized disclosure of sensitive information through local log files. Attackers with legitimate access to the system and query execution rights could infer confidential data by analyzing error logs, potentially exposing business-critical or personal data. This risk is particularly relevant for sectors handling sensitive data such as finance, healthcare, and government agencies. Although the vulnerability requires local access and some privileges, insider threats or attackers who have gained limited access could exploit it to escalate information exposure. This could undermine compliance with GDPR and other data protection regulations due to unauthorized data disclosure. Additionally, the exposure of sensitive query data could assist attackers in crafting further attacks or gaining deeper insight into the database structure and contents.

European organizations should immediately upgrade Neo4j installations to versions 2026.01.3 or 5.26.21 or later, where this vulnerability is fixed. After upgrading, enable the new configuration setting 'db.logs.query.obfuscate_errors' to ensure error messages are also obfuscated in logs. Review and tighten permissions on local log files to restrict access strictly to authorized personnel and processes. Implement monitoring and alerting on log file access to detect unauthorized attempts. Limit the number of users who can execute queries that may generate errors and review user privileges regularly. Consider isolating Neo4j instances and logs on secure, access-controlled systems to reduce insider threat risks. Conduct audits of existing logs to identify any potential data leakage prior to patching. Finally, integrate these practices into the organization's security policy and incident response plans.