{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1497", "assignerOrgId": "3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6", "state": "PUBLISHED", "assignerShortName": "Neo4j", "dateReserved": "2026-01-27T15:57:15.975Z", "datePublished": "2026-03-11T15:50:57.651Z", "dateUpdated": "2026-03-12T16:13:58.620Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6", "shortName": "Neo4j", "dateUpdated": "2026-03-11T15:50:57.651Z"}, "title": "Incorrect privilege assignment in composite databases", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "affected": [{"vendor": "neo4j", "product": "Enterprise Edition", "versions": [{"status": "affected", "version": "5.0", "lessThan": "5.26.22", "versionType": "semver"}, {"status": "affected", "version": "2025.01", "lessThan": "2026.02", "versionType": "date"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:neo4j:enterprise_edition:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "5.26.22"}, {"vulnerable": true, "criteria": "cpe:2.3:a:neo4j:enterprise_edition:*:*:*:*:*:*:*:*", "versionStartIncluding": "2025.01", "versionEndExcluding": "2026.02"}]}]}], "descriptions": [{"lang": "en", "value": "Incorrect resolving of namespaces in composite databases in Neo4j Enterprise edition prior to versions 2026.02 and 5.26.22 can lead to the following scenario:\u00a0\nan admin that intends to give a user an access to a remote database constituent \"namespace.name\" will inadvertently grant access to any local database or remote alias called \"name\". If such database or alias doesn't exist when the command is run, the privileges will apply if it's created in the future.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Incorrect resolving of namespaces in composite databases in Neo4j Enterprise edition prior to versions 2026.02 and 5.26.22 can lead to the following scenario:&nbsp;<br>an admin that intends to give a user an access to a remote database constituent \"namespace.name\" will inadvertently grant access to any local database or remote alias called \"name\". If such database or alias doesn't exist when the command is run, the privileges will apply if it's created in the future.<br>"}]}], "references": [{"url": "https://neo4j.com/security/CVE-2026-1497", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NO", "Recovery": "USER", "valueDensity": "DIFFUSE", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "GREEN", "version": "4.0", "baseSeverity": "LOW", "baseScore": 2, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/AU:N/R:U/V:D/RE:M/U:Green"}}], "configurations": [{"lang": "en", "value": "This issue is only applicable if composite database feature is used.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "This issue is only applicable if composite database feature is used."}]}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T16:13:44.666371Z", "id": "CVE-2026-1497", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T16:13:58.620Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1497", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-12T16:13:44.666371Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T16:13:52.468Z"}}], "cna": {"title": "Incorrect privilege assignment in composite databases", "source": {"discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "USER", "baseScore": 2, "Automatable": "NO", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/AU:N/R:U/V:D/RE:M/U:Green", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "GREEN", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "MODERATE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "neo4j", "product": "Enterprise Edition", "versions": [{"status": "affected", "version": "5.0", "lessThan": "5.26.22", "versionType": "semver"}, {"status": "affected", "version": "2025.01", "lessThan": "2026.02", "versionType": "date"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://neo4j.com/security/CVE-2026-1497", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Incorrect resolving of namespaces in composite databases in Neo4j Enterprise edition prior to versions 2026.02 and 5.26.22 can lead to the following scenario:\u00a0\nan admin that intends to give a user an access to a remote database constituent \"namespace.name\" will inadvertently grant access to any local database or remote alias called \"name\". If such database or alias doesn't exist when the command is run, the privileges will apply if it's created in the future.", "supportingMedia": [{"type": "text/html", "value": "Incorrect resolving of namespaces in composite databases in Neo4j Enterprise edition prior to versions 2026.02 and 5.26.22 can lead to the following scenario:&nbsp;<br>an admin that intends to give a user an access to a remote database constituent \"namespace.name\" will inadvertently grant access to any local database or remote alias called \"name\". If such database or alias doesn't exist when the command is run, the privileges will apply if it's created in the future.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "configurations": [{"lang": "en", "value": "This issue is only applicable if composite database feature is used.", "supportingMedia": [{"type": "text/html", "value": "This issue is only applicable if composite database feature is used.", "base64": false}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:neo4j:enterprise_edition:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.26.22", "versionStartIncluding": "5.0"}, {"criteria": "cpe:2.3:a:neo4j:enterprise_edition:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2026.02", "versionStartIncluding": "2025.01"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6", "shortName": "Neo4j", "dateUpdated": "2026-03-11T15:50:57.651Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1497", "state": "PUBLISHED", "dateUpdated": "2026-03-12T16:13:58.620Z", "dateReserved": "2026-01-27T15:57:15.975Z", "assignerOrgId": "3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6", "datePublished": "2026-03-11T15:50:57.651Z", "assignerShortName": "Neo4j"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:neo4j:neo4j:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "2F0CBF4C-6B09-4AF9-9A75-C079D06F8791", "versionEndExcluding": "5.26.22", "vulnerable": true}, {"criteria": "cpe:2.3:a:neo4j:neo4j:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "E519E44D-D563-4A86-B4DB-9CBC391A28CF", "versionEndExcluding": "2026.02", "versionStartIncluding": "2025.01.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect resolving of namespaces in composite databases in Neo4j Enterprise edition prior to versions 2026.02 and 5.26.22 can lead to the following scenario:\u00a0\nan admin that intends to give a user an access to a remote database constituent \"namespace.name\" will inadvertently grant access to any local database or remote alias called \"name\". If such database or alias doesn't exist when the command is run, the privileges will apply if it's created in the future."}, {"lang": "es", "value": "La resoluci\u00f3n incorrecta de espacios de nombres en bases de datos compuestas en Neo4j Enterprise edition anterior a las versiones 2026.02 y 5.26.22 puede llevar al siguiente escenario:\nun administrador que intenta dar a un usuario acceso a un constituyente de base de datos remoto 'namespace.name' conceder\u00e1 acceso inadvertidamente a cualquier base de datos local o alias remoto llamado 'name'. Si dicha base de datos o alias no existe cuando se ejecuta el comando, los privilegios se aplicar\u00e1n si se crea en el futuro."}], "id": "CVE-2026-1497", "lastModified": "2026-05-13T16:42:34.007", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NO", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "GREEN", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Green", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "MODERATE"}, "source": "3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6", "type": "Secondary"}]}, "published": "2026-03-11T16:16:22.650", "references": [{"source": "3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6", "tags": ["Vendor Advisory"], "url": "https://neo4j.com/security/CVE-2026-1497"}], "sourceIdentifier": "3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[5.0,5.26.22)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "calver", "value": "[2025.01,2026.02)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Enterprise Edition", "source": "cna", "vendor": "neo4j"}, "product": "enterprise_edition", "vendor": "neo4j"}], "analysis": {"en": {"generated_at": "2026-03-17T15:30:15.503156+00:00", "value": {"mitigation_remediation": ["Verify that the Neo4j Enterprise Edition version is 2026.02 or later, or 5.26.22 or later.", "If running a vulnerable version, upgrade to a patched release as soon as possible.", "Audit existing privilege grants for unintended access to local databases or aliases matching name suffixes.", "Restrict administrative rights and enforce the principle of least privilege to contain potential exposure."], "summary": {"action": "Assess Impact", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Neo4j Enterprise Edition releases prior to 2026.02 and 5.26.22. Any database instance using these versions that executes grant commands against composite database namespaces is susceptible. The affected component is the namespace resolution logic within the Neo4j composite database framework.", "description_and_impact": "Neo4j Enterprise Edition includes a flaw in composite database handling where namespace resolution is incorrectly processed. When an administrator grants access to a remote database component identified by a fully\u2013qualified name such as \"namespace.name\", the system may instead assign that privilege to any local database or remote alias that shares the suffix \"name\". This misassignment can give a user access to a database or alias that they should not have, constituting a privilege escalation scenario (CWE\u2011863). The impact is a potential loss of confidentiality and integrity for data stored in the incorrectly privileged databases.", "risk_and_exploitability": "The CVSS score is 2, indicating low overall severity, and the EPSS score is below 1%, suggesting a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to execute a privileged grant command\u2014either directly as a database administrator or by compromising an administrative account. Based on the description, the likely attack vector is an admin\u2010initiated grant operation that inadvertently assigns privileges to an unintended database or alias. This inference is drawn from the necessity of having control over the grant mechanism."}}}}, "created": "2026-03-12T10:05:37.477100+00:00", "updated": "2026-03-20T15:30:53.081877+00:00", "vendors": ["neo4j", "neo4j$PRODUCT$enterprise_edition"]}