{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35402", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T17:03:42.074Z", "datePublished": "2026-04-17T20:34:06.510Z", "dateUpdated": "2026-04-20T15:51:06.164Z"}, "containers": {"cna": {"title": "mcp-neo4j-cypher: SSRF and Data Modification via read_only Mode Bypass Through CALL Procedures", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 2.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/neo4j-contrib/mcp-neo4j/security/advisories/GHSA-x3cv-r3g3-fpg9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/neo4j-contrib/mcp-neo4j/security/advisories/GHSA-x3cv-r3g3-fpg9"}, {"name": "https://github.com/neo4j-contrib/mcp-neo4j/releases/tag/mcp-neo4j-cypher-v0.6.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/neo4j-contrib/mcp-neo4j/releases/tag/mcp-neo4j-cypher-v0.6.0"}], "affected": [{"vendor": "neo4j-contrib", "product": "mcp-neo4j", "versions": [{"version": "< 0.6.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T20:34:06.510Z"}, "descriptions": [{"lang": "en", "value": "mcp-neo4j-cypher is an MCP server for executing Cypher queries against Neo4j databases. In versions prior to 0.6.0, the read_only mode enforcement can be bypassed using APOC CALL procedures, potentially allowing unauthorized write operations or server-side request forgery. This issue is fixed in version 0.6.0."}], "source": {"advisory": "GHSA-x3cv-r3g3-fpg9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T15:50:53.924773Z", "id": "CVE-2026-35402", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T15:51:06.164Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35402", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T15:50:53.924773Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T15:51:01.202Z"}}], "cna": {"title": "mcp-neo4j-cypher: SSRF and Data Modification via read_only Mode Bypass Through CALL Procedures", "source": {"advisory": "GHSA-x3cv-r3g3-fpg9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.3, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "neo4j-contrib", "product": "mcp-neo4j", "versions": [{"status": "affected", "version": "< 0.6.0"}]}], "references": [{"url": "https://github.com/neo4j-contrib/mcp-neo4j/security/advisories/GHSA-x3cv-r3g3-fpg9", "name": "https://github.com/neo4j-contrib/mcp-neo4j/security/advisories/GHSA-x3cv-r3g3-fpg9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/neo4j-contrib/mcp-neo4j/releases/tag/mcp-neo4j-cypher-v0.6.0", "name": "https://github.com/neo4j-contrib/mcp-neo4j/releases/tag/mcp-neo4j-cypher-v0.6.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "mcp-neo4j-cypher is an MCP server for executing Cypher queries against Neo4j databases. In versions prior to 0.6.0, the read_only mode enforcement can be bypassed using APOC CALL procedures, potentially allowing unauthorized write operations or server-side request forgery. This issue is fixed in version 0.6.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T20:34:06.510Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35402", "state": "PUBLISHED", "dateUpdated": "2026-04-20T15:51:06.164Z", "dateReserved": "2026-04-02T17:03:42.074Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-17T20:34:06.510Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "mcp-neo4j-cypher is an MCP server for executing Cypher queries against Neo4j databases. In versions prior to 0.6.0, the read_only mode enforcement can be bypassed using APOC CALL procedures, potentially allowing unauthorized write operations or server-side request forgery. This issue is fixed in version 0.6.0."}], "id": "CVE-2026-35402", "lastModified": "2026-04-29T21:04:10.060", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-17T21:16:33.170", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/neo4j-contrib/mcp-neo4j/releases/tag/mcp-neo4j-cypher-v0.6.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/neo4j-contrib/mcp-neo4j/security/advisories/GHSA-x3cv-r3g3-fpg9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.6.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "mcp-neo4j", "source": "cna", "vendor": "neo4j-contrib"}, "product": "mcp-neo4j", "vendor": "neo4j-contrib"}], "analysis": {"en": {"generated_at": "2026-04-18T08:59:18.305941+00:00", "value": {"mitigation_remediation": ["Upgrade the mcp\u2011neo4j\u2011cypher package to version 0.6.0 or later, which removes the read\u2011only bypass.", "Restrict access to the MCP server endpoint or limit the set of users who can execute Cypher queries, thereby reducing the opportunity to invoke the APOC CALL procedures.", "Review and apply firewall rules or network segmentation to isolate the MCP server from untrusted networks, mitigating the SSRF risk if a bypass occurs.", "Monitor Cypher query logs for anomalous APOC CALL activity and review audit trails for unauthorized data modifications."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized data modification and SSRF"}, "threat_synthesis": {"affected_systems": "The affected product is the neo4j\u2011contrib mcp\u2011neo4j MCP server, all releases earlier than version 0.6.0.", "description_and_impact": "The vulnerability resides in mcp-neo4j-cypher, an MCP server that executes Cypher queries for Neo4j databases. In versions prior to 0.6.0 the enforcement of read\u2011only mode can be bypassed by issuing APOC CALL procedures, which facilitates unauthorized write operations or server\u2011side request forgery. This reflects an access\u2011control weakness (CWE\u2011284) and enables an attacker to modify database content or force remote requests from the server.", "risk_and_exploitability": "The CVSS score of 2.3 indicates a low severity impact under the current conditions. The EPSS score is not reported and the vulnerability is not listed in the CISA KEV catalog. Exploitation would require access to the MCP server interface, typically through an exposed API or an authenticated user with permissions to execute Cypher queries. Based on the description, it is inferred that the attacker would need to send Cypher queries through the MCP server API, which is often exposed on an internal or public network. While the attack cannot be achieved remotely without such access, the presence of SSRF implies that once the read\u2011only bypass is achieved, the attacker can cause the server to request arbitrary URLs, potentially exfiltrating data or further compromising the network."}}}}, "created": "2026-04-17T21:30:28.226648+00:00", "updated": "2026-04-18T09:00:05.904710+00:00", "vendors": ["neo4j-contrib", "neo4j-contrib$PRODUCT$mcp-neo4j"]}