CVE-2026-1622: CWE-532 Insertion of Sensitive Information into Log File in neo4j Enterprise Edition
Neo4j Enterprise and Community editions prior to versions 2026.01.3 and 5.26.21 are vulnerable to a potential information disclosure by a user who has the ability to access the local log files. The "obfuscate_literals" option for the query log does not redact error information, so unredacted data is written to the query log when a customer's query fails. This can allow a user with legitimate access to the local log files to obtain information they are not authorised to see. If this user is also in a position to run queries and trigger errors, this vulnerability can potentially help them infer information they are not authorised to see through their intended database access. We recommend upgrading to version 2026.01.3 (or 5.26.21), where the issue is fixed, and reviewing query log file permissions to ensure restricted access. If your configuration had db.logs.query.obfuscate_literals enabled and you wish the obfuscation to cover error messages as well, you need to enable the new configuration setting db.logs.query.obfuscate_errors once you have upgraded Neo4j.
AI Analysis
Technical Summary
CVE-2026-1622 is a vulnerability classified under CWE-532, which concerns the insertion of sensitive information into log files. In affected versions of Neo4j Enterprise and Community editions prior to 2026.01.3 and 5.26.21, the query logging feature includes an 'obfuscate_literals' option intended to redact sensitive literals in query logs. However, this option does not redact error messages generated by failed queries, so unredacted sensitive data is written to local log files. A user with legitimate access to these local logs and the ability to execute queries that cause errors can exploit this to glean information they are not authorized to see, effectively leading to information disclosure. This vulnerability requires local access to log files and query execution privileges but does not require authentication beyond that or user interaction. The issue is addressed in the fixed versions by introducing a new configuration setting, 'db.logs.query.obfuscate_errors', which extends obfuscation to error messages. Additionally, reviewing and restricting permissions on query log files is recommended to prevent unauthorized access. The vulnerability has a CVSS score of 4.8, indicating medium severity, with a vector showing local attack vector, low complexity, no privileges required beyond query execution, and no user interaction needed.
Potential Impact
For European organizations using Neo4j databases, this vulnerability poses a risk of unauthorized information disclosure through local log files. Attackers or malicious insiders with access to the system and the ability to run queries can extract sensitive data from error messages logged in plaintext. This can lead to leakage of confidential business information, personally identifiable information (PII), or intellectual property, depending on the nature of the queries and data stored. The impact is particularly significant for sectors with strict data protection regulations such as GDPR, where unauthorized data exposure can result in regulatory penalties and reputational damage. Additionally, organizations relying on Neo4j for critical infrastructure or sensitive analytics may face increased risk of data breaches or competitive intelligence gathering. Since exploitation requires local access and query execution rights, the threat is more relevant in environments with multiple users or less restrictive access controls. The medium severity rating reflects the moderate risk, but the potential for sensitive data leakage warrants prompt remediation.
Mitigation Recommendations
To mitigate CVE-2026-1622, organizations should immediately upgrade Neo4j to version 2026.01.3 or 5.26.21, where the vulnerability is fixed. After upgrading, enable the new configuration setting 'db.logs.query.obfuscate_errors' to ensure error messages in query logs are also obfuscated. Review and tighten permissions on local log files to restrict access to trusted administrators and service accounts, minimizing the risk of unauthorized log file reading. Implement strict access controls and monitoring on systems hosting Neo4j to detect and prevent unauthorized query executions and local file access. Consider segregating duties so that users who can run queries do not have access to log files, reducing the attack surface. Regularly audit log files and access permissions to ensure compliance with security policies. Additionally, educate database administrators and users about the risks of sensitive data exposure through logs and encourage secure query practices that minimize error generation with sensitive literals.
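As an added audit check (not part of the advisory and not Neo4j's own tooling), the POSIX shell script below flags a neo4j.conf in which db.logs.query.obfuscate_literals is enabled without db.logs.query.obfuscate_errors, and flags a query log that is group- or world-readable. It assumes the key=value syntax of neo4j.conf; the configuration and log files it reads are constructed in a temporary directory.

```shell
#!/bin/sh
# Added audit helper for CVE-2026-1622; not Neo4j's own tooling. Assumes the
# key=value syntax of neo4j.conf and the two setting names from the advisory.

# Print the value of a neo4j.conf setting (last active line wins), or nothing if
# unset. Commented-out lines ("#key=...") are deliberately ignored.
conf_value() {  # $1 = neo4j.conf path, $2 = setting name
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null |
        tail -n 1 | sed 's/^[^=]*=[[:space:]]*//' | tr -d '[:space:]'
}

# Return 1 when literals are obfuscated but errors are not (the post-upgrade gap
# the advisory describes); return 0 when the two settings are consistent.
check_obfuscation() {  # $1 = neo4j.conf path
    lits=$(conf_value "$1" db.logs.query.obfuscate_literals)
    errs=$(conf_value "$1" db.logs.query.obfuscate_errors)
    if [ "$lits" = "true" ] && [ "$errs" != "true" ]; then
        echo "WARN: $1: obfuscate_literals is on but obfuscate_errors is not"
        return 1
    fi
    return 0
}

# Return 0 when the log file has no group/other permission bits, 1 otherwise.
check_log_perms() {  # $1 = query.log path (GNU stat first, BSD stat fallback)
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   echo "WARN: $1 has mode $mode; restrict it to the service account"; return 1 ;;
    esac
}

# Constructed sample inputs, not files taken from any real deployment.
DEMO=$(mktemp -d)
{ echo 'db.logs.query.obfuscate_literals=true'
  echo '#db.logs.query.obfuscate_errors=true'; } > "$DEMO/weak.conf"   # only commented out
{ echo 'db.logs.query.obfuscate_literals=true'
  echo 'db.logs.query.obfuscate_errors=true'; }  > "$DEMO/fixed.conf"
: > "$DEMO/open.log";   chmod 644 "$DEMO/open.log"
: > "$DEMO/closed.log"; chmod 600 "$DEMO/closed.log"

# Stand-alone run: report on each constructed file.
for f in weak.conf fixed.conf; do check_obfuscation "$DEMO/$f" || :; done
for f in open.log closed.log;   do check_log_perms "$DEMO/$f" || :; done
```

Point the two check functions at the real neo4j.conf and query.log paths of a deployment to use it outside the demo.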
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Switzerland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: Neo4j
- Date Reserved: 2026-01-29T14:23:26.871Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 698311a1f9fa50a62f7d02dc
Added to database: 2/4/2026, 9:30:09 AM
Last enriched: 2/4/2026, 9:44:51 AM
Last updated: 2/6/2026, 5:52:59 AM
Views: 33