Description

Incorrect resolving of namespaces in composite databases in Neo4j Enterprise edition prior to versions 2026.02 and 5.26.22 can lead to the following scenario:  an admin that intends to give a user an access to a remote database constituent "namespace.name" will inadvertently grant access to any local database or remote alias called "name". If such database or alias doesn't exist when the command is run, the privileges will apply if it's created in the future.

INFO

Published Date :

2026-03-11T15:50:57.651Z

Last Modified :

2026-03-12T16:13:58.620Z

Source :

Neo4j
AFFECTED PRODUCTS

The following products are affected by CVE-2026-1497 vulnerability.

Vendors Products
Neo4j
  • Enterprise Edition
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-1497.

URL Resource
https://neo4j.com/security/CVE-2026-1497 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability