GHSA-2pq5-3q89-j7cc: Langroid: Neo4jChatAgent executes LLM-generated Cypher without validation (prompt-to-Cypher injection; config-conditional RCE), mirroring the SQLChatAgent bug fixed in CVE-2026-25879
Langroid's Neo4jChatAgent executes Cypher queries generated by large language models (LLMs) without validation or allowlisting, allowing prompt injection attacks. An attacker able to influence the prompt can execute arbitrary Cypher queries, leading to unauthorized read, write, and deletion of graph data. If APOC or dbms.security procedures are enabled, this can escalate to remote code execution (RCE) and filesystem access. This vulnerability mirrors a previously fixed SQL injection issue in the same project but remains unpatched for the Neo4j module. Versions of Langroid prior to 0.65.5 are affected.
AI Analysis
Technical Summary
The Neo4jChatAgent component in Langroid passes LLM-generated Cypher queries directly to the Neo4j driver without any validation, statement-type allowlist, or opt-out mechanism. This lack of filtering allows attackers who can influence the prompt input (directly or indirectly via retrieval-augmented generation) to execute arbitrary Cypher queries. The read path uses session.run(query) with no validation, and the write path uses session.write_transaction(tx.run(query)) with only minimal substring checks that do not block dangerous queries. This contrasts with the SQLChatAgent, which enforces strict validation and an opt-in gate to prevent dangerous SQL operations. The vulnerability enables unauthorized data access and destruction, and when APOC or dbms.security procedures are enabled on the Neo4j server, it can lead to OS command execution and filesystem access. This is a prompt-to-Cypher injection vulnerability classified under CWE-74 and is a critical security issue. The affected versions are all Langroid versions before 0.65.5. No official patch or fix is currently documented.
Potential Impact
An attacker who can influence the prompt input to the Neo4jChatAgent can execute arbitrary Cypher queries on the Neo4j database. At minimum, this allows unauthorized reading of all graph data, full write and destructive operations (including deleting all nodes), and SSRF via LOAD CSV remote fetch. If the Neo4j server has APOC or dbms.security procedures enabled and granted to the database role, the attacker can execute OS commands and access the filesystem, effectively achieving remote code execution. This vulnerability can lead to complete compromise of the graph database and underlying host system, depending on server configuration.
Mitigation Recommendations
No official patch or fix is currently documented for this vulnerability. Users should consider disabling or restricting the use of Neo4jChatAgent until a fix is available. Applying strict validation and allowlisting of Cypher queries before execution, similar to the SQLChatAgent's approach, is recommended as a mitigation strategy. Monitor vendor advisories for updates or patches addressing this issue. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
GHSA-2pq5-3q89-j7cc: Langroid: Neo4jChatAgent executes LLM-generated Cypher without validation (prompt-to-Cypher injection; config-conditional RCE), mirroring the SQLChatAgent bug fixed in CVE-2026-25879
Description
Langroid's Neo4jChatAgent executes Cypher queries generated by large language models (LLMs) without validation or allowlisting, allowing prompt injection attacks. An attacker able to influence the prompt can execute arbitrary Cypher queries, leading to unauthorized read, write, and deletion of graph data. If APOC or dbms.security procedures are enabled, this can escalate to remote code execution (RCE) and filesystem access. This vulnerability mirrors a previously fixed SQL injection issue in the same project but remains unpatched for the Neo4j module. Versions of Langroid prior to 0.65.5 are affected.
CVSS v4.0
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Neo4jChatAgent component in Langroid passes LLM-generated Cypher queries directly to the Neo4j driver without any validation, statement-type allowlist, or opt-out mechanism. This lack of filtering allows attackers who can influence the prompt input (directly or indirectly via retrieval-augmented generation) to execute arbitrary Cypher queries. The read path uses session.run(query) with no validation, and the write path uses session.write_transaction(tx.run(query)) with only minimal substring checks that do not block dangerous queries. This contrasts with the SQLChatAgent, which enforces strict validation and an opt-in gate to prevent dangerous SQL operations. The vulnerability enables unauthorized data access and destruction, and when APOC or dbms.security procedures are enabled on the Neo4j server, it can lead to OS command execution and filesystem access. This is a prompt-to-Cypher injection vulnerability classified under CWE-74 and is a critical security issue. The affected versions are all Langroid versions before 0.65.5. No official patch or fix is currently documented.
Potential Impact
An attacker who can influence the prompt input to the Neo4jChatAgent can execute arbitrary Cypher queries on the Neo4j database. At minimum, this allows unauthorized reading of all graph data, full write and destructive operations (including deleting all nodes), and SSRF via LOAD CSV remote fetch. If the Neo4j server has APOC or dbms.security procedures enabled and granted to the database role, the attacker can execute OS commands and access the filesystem, effectively achieving remote code execution. This vulnerability can lead to complete compromise of the graph database and underlying host system, depending on server configuration.
Mitigation Recommendations
No official patch or fix is currently documented for this vulnerability. Users should consider disabling or restricting the use of Neo4jChatAgent until a fix is available. Applying strict validation and allowlisting of Cypher queries before execution, similar to the SQLChatAgent's approach, is recommended as a mitigation strategy. Monitor vendor advisories for updates or patches addressing this issue. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-2pq5-3q89-j7cc
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-55615"]
- Ecosystems
- ["PyPI"]
- Database Specific Severity
- CRITICAL
- Cvss Version
- 4.0
Threat ID: 6a4c33ff27e9c797195f5c85
Added to database: 07/06/2026, 23:02:23 UTC
Last enriched: 07/06/2026, 23:10:51 UTC
Last updated: 07/06/2026, 23:10:51 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.