Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

GHSA-2pq5-3q89-j7cc: Langroid: Neo4jChatAgent executes LLM-generated Cypher without validation (prompt-to-Cypher injection; config-conditional RCE), mirroring the SQLChatAgent bug fixed in CVE-2026-25879

0
Critical
Published: 07/06/2026 (07/06/2026, 21:22:43 UTC)
Source: GCVE Database
Product: langroid

Description

Langroid's Neo4jChatAgent executes Cypher queries generated by large language models (LLMs) without validation or allowlisting, allowing prompt injection attacks. An attacker able to influence the prompt can execute arbitrary Cypher queries, leading to unauthorized read, write, and deletion of graph data. If APOC or dbms.security procedures are enabled, this can escalate to remote code execution (RCE) and filesystem access. This vulnerability mirrors a previously fixed SQL injection issue in the same project but remains unpatched for the Neo4j module. Versions of Langroid prior to 0.65.5 are affected.

CVSS v4.0

Attack Vector
Network
Attack Complexity
Low
Attack Requirements
Present
Privileges Required
None
User Interaction
None
Vuln. Confidentiality
High
Vuln. Integrity
High
Vuln. Availability
High
Subsq. Confidentiality
None
Subsq. Integrity
None
Subsq. Availability
None
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected software

PyPIghsa
langroid
Affected versions
<0.65.5

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/06/2026, 23:10:51 UTC

Technical Analysis

The Neo4jChatAgent component in Langroid passes LLM-generated Cypher queries directly to the Neo4j driver without any validation, statement-type allowlist, or opt-out mechanism. This lack of filtering allows attackers who can influence the prompt input (directly or indirectly via retrieval-augmented generation) to execute arbitrary Cypher queries. The read path uses session.run(query) with no validation, and the write path uses session.write_transaction(tx.run(query)) with only minimal substring checks that do not block dangerous queries. This contrasts with the SQLChatAgent, which enforces strict validation and an opt-in gate to prevent dangerous SQL operations. The vulnerability enables unauthorized data access and destruction, and when APOC or dbms.security procedures are enabled on the Neo4j server, it can lead to OS command execution and filesystem access. This is a prompt-to-Cypher injection vulnerability classified under CWE-74 and is a critical security issue. The affected versions are all Langroid versions before 0.65.5. No official patch or fix is currently documented.

Potential Impact

An attacker who can influence the prompt input to the Neo4jChatAgent can execute arbitrary Cypher queries on the Neo4j database. At minimum, this allows unauthorized reading of all graph data, full write and destructive operations (including deleting all nodes), and SSRF via LOAD CSV remote fetch. If the Neo4j server has APOC or dbms.security procedures enabled and granted to the database role, the attacker can execute OS commands and access the filesystem, effectively achieving remote code execution. This vulnerability can lead to complete compromise of the graph database and underlying host system, depending on server configuration.

Mitigation Recommendations

No official patch or fix is currently documented for this vulnerability. Users should consider disabling or restricting the use of Neo4jChatAgent until a fix is available. Applying strict validation and allowlisting of Cypher queries before execution, similar to the SQLChatAgent's approach, is recommended as a mitigation strategy. Monitor vendor advisories for updates or patches addressing this issue. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
GHSA-2pq5-3q89-j7cc
Osv Schema Version
1.4.0
Aliases
["CVE-2026-55615"]
Ecosystems
["PyPI"]
Database Specific Severity
CRITICAL
Cvss Version
4.0

Threat ID: 6a4c33ff27e9c797195f5c85

Added to database: 07/06/2026, 23:02:23 UTC

Last enriched: 07/06/2026, 23:10:51 UTC

Last updated: 07/06/2026, 23:10:51 UTC

Views: 2

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses