GHSA-X3CV-R3G3-FPG9

Vulnerability from github – Published: 2026-04-17 21:30 – Updated: 2026-04-17 21:30
Summary
Neo4j Labs MCP Servers: SSRF and Data Modification via read_only Mode Bypass Through CALL Procedures
Details

Summary

The read_only mode in mcp-neo4j-cypher versions prior to 0.6.0 can be bypassed using CALL procedures.

Details

Impact

The enforcement of read_only mode in vulnerable versions could be bypassed by certain APOC procedures.

Patches

The v0.6.0 release hardened the checks around the mode. The only way to guarantee what the server can do is to limit the permissions of the database credentials available to the server.

Notes

Impacts for server-side request forgery vulnerabilities may depend on both the configuration of the vulnerable system as well as the presence of other systems in the environment that could be accessed as part of exploitation.

Recommended hardening

  • Limit the APOC procedures to what is required
  • Manage data loading privileges (https://neo4j.com/docs/operations-manual/current/authentication-authorization/load-privileges/)
  • Don't relax the default settings without compensating controls
    • apoc.import.file.enabled is false by default
    • apoc.import.file.use_neo4j_config is true by default, which restricts file imports to the import folder
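As an added example (not code from mcp-neo4j or from the advisory), a conservative read_only gate that refuses any CALL whose procedure is not on an allowlist, instead of only scanning for write clauses, which is the check a CALL to an APOC procedure slips past; the allowlist and the sample queries are constructed. It is defence in depth only: as the advisory says, the guarantee comes from the permissions of the database credentials the server holds.

```python
import re

# Conservative read_only gate for a Cypher MCP server (added example, not mcp-neo4j code).
# Clauses that modify data or fetch external content; a plain keyword filter stops these.
BLOCKED_CLAUSES = {"CREATE", "MERGE", "DELETE", "DETACH", "SET", "REMOVE", "DROP", "LOAD"}
# Procedures still permitted in read_only mode: a small constructed allowlist.
# Anything not listed (including every APOC procedure) is refused, because CALL
# is the path that a keyword-only filter misses.
READ_ONLY_PROCEDURES = {"db.labels", "db.relationshiptypes", "db.propertykeys"}

# Quoted strings and backticked identifiers, then line and block comments.
LITERAL_RE = re.compile(r"""(["'`])(?:\\.|(?!\1).)*\1""", re.S)
COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)
# "CALL proc.name(" versus "CALL {" (a subquery, whose body is scanned like any clause).
CALL_RE = re.compile(r"\bCALL\s*(?:\{|([A-Za-z_][\w.]*))", re.I)
# Keywords, skipping names that follow a dot (n.set is a property, not a SET clause).
WORD_RE = re.compile(r"(?<![\w.])[A-Za-z_]\w*")


def check_read_only(query: str) -> tuple[bool, str]:
    """Return (allowed, reason). Literals are blanked first so a keyword inside a
    string cannot trip the filter, and comments are dropped so they cannot hide one.
    A production gate should lex with a real Cypher parser rather than regexes."""
    cleaned = COMMENT_RE.sub(" ", LITERAL_RE.sub("''", query))
    blocked = {w.upper() for w in WORD_RE.findall(cleaned)} & BLOCKED_CLAUSES
    if blocked:
        return False, "write or load clause: " + ", ".join(sorted(blocked))
    for match in CALL_RE.finditer(cleaned):
        procedure = match.group(1)
        if procedure is None:  # CALL { ... } subquery; its clauses were checked above
            continue
        if procedure.lower() not in READ_ONLY_PROCEDURES:
            return False, f"procedure {procedure} is not in the read_only allowlist"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample queries: the last one is the case a write-keyword filter misses.
    for q in (
        "MATCH (n:Person) RETURN n.name",
        "MATCH (n) SET n.flag = true",
        "CALL db.labels() YIELD label RETURN label",
        "CALL apoc.constructed.proc('x') YIELD value RETURN value",
    ):
        allowed, reason = check_read_only(q)
        print("ALLOW" if allowed else "DENY ", reason, "<-", q)
```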

Credits

We want to publicly recognise the contribution of Yotam Perkal from Pluto Security.


{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mcp-neo4j-cypher"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35402"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-17T21:30:50Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Summary\nThe `read_only` mode in `mcp-neo4j-cypher` versions prior to 0.6.0 can be bypassed using `CALL` procedures. \n### Details\n\n#### Impact\nThe enforcing of `read_only` mode in vulnerable versions could be bypassed by certain APOC procedures.\n\n#### Patches\nv0.6.0 release hardened the checks around the mode. The only way to guarantee the server actions is to limit the permissions of the db credentials available to the server.\n\n### Notes\nImpacts for server-side request forgery vulnerabilities may depend on both the configuration of the vulnerable system as well as the presence of other systems in the environment that could be accessed as part of exploitation.\n#### Recommended hardening\n\n- Limit the apoc procedures to what\u0027s required\n- [Manage data loading privileges](https://neo4j.com/docs/operations-manual/current/authentication-authorization/load-privileges/ )\n- Don\u0027t relax the default settings without compensating controls\n    - `apoc.import.file.enabled` is `false` by default\n    - `apoc.import.file.use_neo4j_config` is `true` by default to restrict file imports to the import folder\n\n### Credits\nWe want to publicly recognise the contribution of [Yotam Perkal](https://github.com/yotampe-pluto) from [Pluto Security](https://pluto.security/).",
  "id": "GHSA-x3cv-r3g3-fpg9",
  "modified": "2026-04-17T21:30:50Z",
  "published": "2026-04-17T21:30:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/neo4j-contrib/mcp-neo4j/security/advisories/GHSA-x3cv-r3g3-fpg9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/neo4j-contrib/mcp-neo4j"
    },
    {
      "type": "WEB",
      "url": "https://github.com/neo4j-contrib/mcp-neo4j/releases/tag/mcp-neo4j-cypher-v0.6.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Neo4j Labs MCP Servers: SSRF and Data Modification via read_only Mode Bypass Through CALL Procedures"
}
