CVE-2026-1622 – Neo4j Query Log Data Disclosure
CVE ID: CVE-2026-1622
Product: Neo4j (Enterprise & Community Editions)
Vulnerability Type: Sensitive Information Disclosure via Logs
CVSS Score: 4.8
Severity: Medium
Attack Vector: Local
Privileges Required: Low
User Interaction: None
Exploitability: Limited, but realistic in misconfigured or shared environments
Exploit Availability: No public weaponized exploit; proof-of-concept scenarios are possible for educational and defensive validation only
Official Patch / Upgrade Link: Link provided below
Overview
CVE-2026-1622 describes a logging-related information disclosure issue in Neo4j. Under certain conditions, sensitive data can be written to the query.log file in clear text, even when query obfuscation is enabled. The exposure occurs specifically through error messages generated by failed Cypher queries.
While Neo4j provides configuration options to hide literal values in query logs, these protections were not consistently applied to error output prior to the fix. As a result, error messages containing raw query fragments or parameter values could be logged without masking.
This vulnerability does not allow remote compromise of the database. However, it creates a risk where sensitive data may be unintentionally exposed to anyone with access to log files, backups, or centralized logging platforms.
Affected Components
- Neo4j Enterprise Edition (multiple supported branches before patch)
- Neo4j Community Edition (same affected branches)
- Logging subsystem, specifically query.log
The issue is independent of operating system and applies to both bare-metal and containerized deployments.
Root Cause
The root cause lies in inconsistent application of log obfuscation logic. While query literals were masked during normal query logging, error messages generated during query failures bypassed this masking mechanism. These error messages were then written verbatim into query.log.
Because errors may echo user-supplied values (such as node properties, identifiers, tokens, or credentials), sensitive data could be persisted in log files.
Impact
If exploited or simply triggered unintentionally, the following types of data could be exposed in logs:
- Personally identifiable information (PII)
- Authentication tokens or API keys
- Internal object identifiers
- Email addresses or usernames
- Business-sensitive query parameters
The impact increases significantly in environments where:
- Logs are forwarded to SIEM or log aggregation platforms
- Logs are stored for long retention periods
- Multiple teams or third parties have read access to logs
- Containers expose logs via mounted volumes
Exploitation Details (Defensive)
How exploitation could occur
The vulnerability could be abused in the following way:
- A user with basic database access submits a deliberately malformed Cypher query.
- The query fails and generates an error message.
- The error message includes literal values supplied in the query.
- The error message is written unredacted into query.log.
- Anyone with access to the log file can read the sensitive values.
This does not require administrative database privileges. The key requirement is access to the log files themselves.
Proof-of-Concept (Educational)
A proof-of-concept does not require exploit code. It can be demonstrated safely by:
- Enabling query logging
- Executing a query designed to fail (e.g., type mismatch or invalid property)
- Reviewing query.log for unmasked literals in error lines
This should only be performed in a controlled lab environment for validation and training purposes.
Detection & Identification
Primary Log Source
- query.log
Secondary Sources
- neo4j.log
- Centralized log platforms (SIEM, ELK, OpenSearch)
- Backup archives of Neo4j logs
Detection Queries
Linux / Unix
Search for error entries containing quoted literals:
grep -Ei "ERROR|Exception" query.log | grep -E "['\"][^'\"]{6,}['\"]"
Search for potential secrets or tokens:
grep -Ei "ERROR|Exception" query.log | grep -E "[A-Za-z0-9_-]{20,}"
Elastic / OpenSearch Query
log.file.path : "*query.log" AND
(message : "ERROR" OR message : "Exception") AND
(message : "\"" OR message : "'")
Splunk SPL Example
index=neo4j_logs source="*query.log"
("ERROR" OR "Exception")
| regex _raw="['\"][^'\"]{6,}['\"]"
Indicators of Exposure
- Error messages containing full property values
- Long alphanumeric strings appearing in error logs
- Repeated error entries following failed queries
- Log entries containing email-like patterns or identifiers
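The detection heuristics above (the grep and SPL patterns, plus the email-like indicator) as an added Python scanner; it is not part of this advisory or of Neo4j, and it runs over constructed sample lines that are only loosely modelled on the query.log layout. The redact_line helper shows the masking step for sanitizing historic logs before retention or forwarding.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines, loosely modelled on the query.log layout (timestamp,
# level, query id, session info, query text, params, error message). Not real data.
# The INFO lines show normal masking (literals replaced by ******); the ERROR lines
# show the unmasked literals this advisory describes.
SAMPLE_LOG = """\
2026-01-10 09:15:01.120+0000 INFO  id:41 - 12 ms: bolt\tclient/10.0.0.5 - app_user - MATCH (u:User {email: ******}) RETURN u - {} - {}
2026-01-10 09:15:02.004+0000 ERROR id:42 - 3 ms: bolt\tclient/10.0.0.5 - app_user - MATCH (u:User) WHERE u.email = 'alice@example.com' RETURN u.a.b - {} - {} - Type mismatch: expected Map but was String
2026-01-10 09:15:03.500+0000 ERROR id:43 - 2 ms: bolt\tclient/10.0.0.5 - app_user - MATCH (s:Session {token: 'tok_9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c'}) RETURN s.x( - {} - {} - Invalid input '('
2026-01-10 09:15:04.000+0000 INFO  id:44 - 5 ms: bolt\tclient/10.0.0.5 - app_user - MATCH (n) RETURN count(n) - {} - {}
"""

ERROR_RE = re.compile(r"\b(?:ERROR|Exception)\b")
QUERY_ID_RE = re.compile(r"\bid:(\d+)")
# Same heuristics as the grep/SPL queries in this advisory, plus an email pattern
LITERAL_RE = re.compile(r"""['"]([^'"]{6,})['"]""")
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{20,}")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

@dataclass
class Finding:
    line_no: int
    query_id: str
    reasons: list = field(default_factory=list)
    literals: list = field(default_factory=list)

def scan_query_log(text: str) -> list:
    """Return one Finding per ERROR line that carries an unmasked literal."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not ERROR_RE.search(line):
            continue  # successful queries are masked; only error output leaks
        m = QUERY_ID_RE.search(line)
        f = Finding(line_no, m.group(1) if m else "?")
        f.literals = LITERAL_RE.findall(line)  # quoted values of 6+ chars
        if f.literals:
            f.reasons.append("quoted-literal")
        if TOKEN_RE.search(line):   # API-key / token shaped strings
            f.reasons.append("long-token")
        if EMAIL_RE.search(line):   # PII indicator
            f.reasons.append("email-like")
        if f.reasons:
            findings.append(f)
    return findings

def redact_line(line: str) -> str:
    """Heuristically mask quoted literals the way normal query logging does (******),
    for sanitizing historic logs. Short quoted tokens such as '(' are left alone."""
    return LITERAL_RE.sub("******", line)

if __name__ == "__main__":
    for f in scan_query_log(SAMPLE_LOG):
        print(f"line {f.line_no} id:{f.query_id} {f.reasons} -> {f.literals}")
```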
MITRE Mapping
- CWE-532: Insertion of Sensitive Information into Log File
- ATT&CK (Contextual):
  - Collection – Data from Local System
  - Discovery – Local File Access
This vulnerability supports post-access data exposure rather than initial compromise.
Remediation
Primary Fix (Required)
Upgrade Neo4j to a fixed version as specified in the official advisory:
https://neo4j.com/security/CVE-2026-1622
The patch introduces consistent obfuscation for both queries and error messages.
Post-Upgrade Hardening
- Enable error obfuscation in Neo4j configuration:
  - Ensure error messages are masked the same way as query literals
- Restrict file-system permissions on Neo4j log directories
- Review which services, users, and containers can read logs
- Sanitize or remove historic logs containing sensitive data
- Rotate any credentials found in log files
Risk Considerations
Although rated as Medium severity, the real-world risk depends heavily on operational practices. In environments with shared log access or long retention periods, the impact can be significant.
This vulnerability highlights a common but often overlooked risk: logs themselves can become a data-leak vector.
Conclusion
CVE-2026-1622 is a classic example of sensitive data exposure through application logs. While it does not allow remote compromise, it creates a silent risk where confidential data may be persistently stored and widely accessible.
Timely patching, strict log access controls, and proactive log monitoring are sufficient to fully mitigate this issue.
