
CVE-2026-1337: Neo4j Query Log XSS Vulnerability

CVE-2026-1337 is a log injection flaw in Neo4j Enterprise and Community editions: query text is written to the query log without adequate escaping, so a log rendered as HTML can execute attacker-supplied script in the viewer's session. This post explains its impact, the affected versions prior to 2026.01, and mitigation steps.

Published:

CVE-2026-1337 Overview

CVE-2026-1337 is a log injection vulnerability affecting Neo4j Enterprise and Community editions prior to version 2026.01. The vulnerability stems from insufficient escaping of unicode characters in the query log functionality. When users open these logs in a tool that interprets them as HTML, the vulnerability could enable Cross-Site Scripting (XSS) attacks.

Impact

Neo4j states there is no direct security impact on Neo4j products themselves: the database does not render the log, and the flaw does not change query authorization or data access. The risk is secondary. If query logs are opened in an HTML-capable log viewer or a browser, injected markup can run as script in the session of whoever opens the log, typically an administrator, and therefore with that person's access to the viewing tool.

Affected Products

  • Neo4j Enterprise editions prior to 2026.01
  • Neo4j Community editions prior to 2026.01

Discovery Timeline

  • 2026-02-06 - CVE CVE-2026-1337 published to NVD
  • 2026-02-06 - Last updated in NVD database

Technical Details for CVE-2026-1337

Vulnerability Analysis

This vulnerability is classified under CWE-117 (Improper Output Neutralization for Logs), which describes the failure to properly neutralize or incorrectly neutralize output that is written to logs. In this case, Neo4j's query logging mechanism does not adequately escape unicode characters before writing them to log files.

The attack requires user interaction—specifically, a victim must open the affected log files using a tool that renders content as HTML rather than plain text. This indirect attack vector limits the exploitability but still presents a risk in environments where administrators routinely review query logs using web-based log management interfaces or browsers.

Root Cause

The root cause is insufficient output neutralization when query text is written to the log, which is what CWE-117 describes; the query itself is valid Cypher, so input validation on the database side is not the issue. When a query containing specially crafted unicode characters is executed, the characters are written to the log file without proper escaping. If the log is subsequently viewed in an HTML context, characters that HTML treats as markup survive into the rendered page, where they can form tags and executable script.

Attack Vector

The attack requires network access to submit queries to the Neo4j database, using any account that can run Cypher; no elevated database privileges are needed, since ordinary queries are logged. The attacker crafts queries containing malicious unicode sequences. When these queries are logged and later viewed by an administrator using an HTML-aware log viewer, the injected content executes in the context of the viewing application, not in Neo4j.

The exploitation chain involves:

  1. Attacker submits a crafted Cypher query containing malicious unicode characters
  2. Neo4j logs the query without proper escaping
  3. Administrator opens the log file in an HTML-rendering viewer (browser, web-based log tool)
  4. Malicious script executes in the context of the log viewer

A proof of concept demonstrating this vulnerability is available at the GitHub PoC Repository.
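The chain above, as an added example that is not Neo4j's code and is not taken from the PoC repository: a minimal model of the CWE-117 defect beside a neutralised logger. It assumes the attacker hides HTML metacharacters behind \uXXXX escapes inside a Cypher string literal and that the logger writes the decoded query text verbatim; the hardened variant writes HTML metacharacters and every non-printable character back out as \uXXXX escapes, so the line stays inert in an HTML viewer and cannot forge extra log lines either.

```python
import re

# Added example, not Neo4j's code: a model of the CWE-117 defect the advisory
# describes, beside a neutralised logger. Assumption: the attacker hides HTML
# metacharacters behind \uXXXX escapes in a Cypher string literal and the
# vulnerable logger writes the decoded query text verbatim.

_UNICODE_ESCAPE = re.compile(r"\\u([0-9A-Fa-f]{4})")

# Characters an HTML renderer treats as markup; escaping them keeps a log line
# inert when it is displayed in a browser or web-based log viewer.
_HTML_METACHARS = set("<>&")


def decode_unicode_escapes(text: str) -> str:
    """Resolve \\uXXXX escapes the way a string-literal parser would."""
    return _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def log_query_vulnerable(query: str) -> str:
    """Vulnerable model: decoded query text is written to the log as-is."""
    return f"query: {decode_unicode_escapes(query)}"


def neutralise_for_log(text: str) -> str:
    """Output neutralisation: HTML metacharacters and every non-printable
    character (newlines, tabs, terminal escape introducers) are written back
    as \\uXXXX escapes. The log stays plain text that cannot be mistaken for
    markup and cannot forge additional log lines."""
    return "".join(
        f"\\u{ord(ch):04x}" if ch in _HTML_METACHARS or not ch.isprintable() else ch
        for ch in text
    )


def log_query_hardened(query: str) -> str:
    """Hardened model: neutralise after decoding, immediately before writing."""
    return f"query: {neutralise_for_log(decode_unicode_escapes(query))}"


def renders_as_markup(log_line: str) -> bool:
    """Would an HTML viewer see the start of a tag in this line?"""
    return re.search(r"</?[A-Za-z]", log_line) is not None


# Constructed attack queries (not from the PoC repository).
XSS_QUERY = (
    'MATCH (n) WHERE n.name = '
    '"\\u003cimg src=x onerror=alert(1)\\u003e" RETURN n'
)
# Classic CWE-117 line forgery: an escaped newline followed by a fake entry.
LINE_FORGERY_QUERY = 'RETURN "\\u000a2026-02-06 10:00:00.000+0000 INFO forged entry"'

if __name__ == "__main__":
    for q in (XSS_QUERY, LINE_FORGERY_QUERY):
        print("vulnerable:", repr(log_query_vulnerable(q)))
        print("hardened:  ", repr(log_query_hardened(q)))
```

Escaping only `<`, `>` and `&` keeps the logged Cypher readable while removing everything an HTML parser can turn into a tag; escaping non-printable characters additionally closes the newline and terminal-escape variants of log injection that CWE-117 also covers.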

Detection Methods for CVE-2026-1337

Indicators of Compromise

  • Unusual unicode sequences or HTML-like tags appearing in Neo4j query logs
  • Queries containing embedded script tags or event handlers encoded as unicode
  • Unexpected characters or encoding patterns in logged Cypher queries

Detection Strategies

  • Review Neo4j query logs for suspicious unicode character sequences that may decode to HTML or JavaScript
  • Monitor for queries containing common XSS payload patterns in various unicode encodings
  • Implement log analysis rules to detect potential injection attempts in query submissions
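The strategies above as a runnable scanner, an added example rather than a tool from Neo4j or the page: it decodes \uXXXX escapes first, so payloads hidden behind unicode escapes are matched the same way as literal markup, and it distinguishes legitimate Cypher (relationship arrows, comparison operators, non-ASCII names) from HTML tags and event handlers. The sample lines are constructed and only approximate Neo4j's query.log layout; the scanner examines the whole line, so the exact prefix does not matter.

```python
import re
import sys
from typing import List, Tuple

# Added example, not Neo4j's code. The log lines below are constructed for the
# demonstration and only approximate the real query.log layout.
SAMPLE_QUERY_LOG = "\n".join([
    '2026-02-06 10:00:01.123+0000 INFO  12 ms: bolt-session 127.0.0.1:51234 - neo4j - MATCH (p:Person) RETURN p.name LIMIT 10',
    '2026-02-06 10:00:02.456+0000 INFO  8 ms: bolt-session 127.0.0.1:51234 - neo4j - MATCH (n) WHERE n.name = "\\u003cscript\\u003ealert(1)\\u003c/script\\u003e" RETURN n',
    '2026-02-06 10:00:03.789+0000 INFO  9 ms: bolt-session 127.0.0.1:51240 - neo4j - CREATE (n:Note {body: "<img src=x onerror=alert(document.cookie)>"}) RETURN n',
    '2026-02-06 10:00:04.000+0000 INFO  7 ms: bolt-session 127.0.0.1:51240 - neo4j - MATCH (a)<-[:KNOWS]-(b) WHERE a.age < b.age AND b.age > 30 RETURN a',
    '2026-02-06 10:00:05.000+0000 INFO  6 ms: bolt-session 127.0.0.1:51241 - neo4j - MATCH (n) WHERE n.name = "Zo\\u00eb" RETURN n',
])

_UNICODE_ESCAPE = re.compile(r"\\u([0-9A-Fa-f]{4})")
# A tag needs a letter right after '<'; Cypher arrows ('<-') and spaced
# comparisons ('a < b') therefore do not match.
_HTML_TAG = re.compile(r"</?[A-Za-z][A-Za-z0-9-]*(\s[^>]*)?>")
_EVENT_HANDLER = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
_SCRIPT_URI = re.compile(r"javascript\s*:", re.IGNORECASE)
_HTML_METACHARS = set("<>&\"'")


def decode_unicode_escapes(text: str) -> str:
    """Resolve \\uXXXX escapes so encoded payloads are inspected in decoded form."""
    return _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def scan_line(line: str) -> List[str]:
    """Return the indicator names that fire for one log line (empty if clean)."""
    decoded = decode_unicode_escapes(line)
    findings = []
    if _HTML_TAG.search(decoded):
        findings.append("html_tag")
    if _EVENT_HANDLER.search(decoded):
        findings.append("event_handler")
    if _SCRIPT_URI.search(decoded):
        findings.append("javascript_uri")
    # The evasion specific to this CVE: HTML metacharacters arriving as escapes.
    if any(chr(int(hex4, 16)) in _HTML_METACHARS
           for hex4 in _UNICODE_ESCAPE.findall(line)):
        findings.append("escaped_html_metachar")
    return findings


def scan_log(text: str) -> List[Tuple[int, List[str]]]:
    """Scan every line; return (line number, findings) for lines that fire."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        findings = scan_line(line)
        if findings:
            hits.append((lineno, findings))
    return hits


if __name__ == "__main__":
    # Pass a real query.log path to scan it; otherwise the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_QUERY_LOG
    for lineno, findings in scan_log(text):
        print(f"line {lineno}: {', '.join(findings)}")
```

Lines 2 and 3 of the sample fire; line 4 (relationship arrow and comparisons) and line 5 (a plain non-ASCII escape) do not. The event-handler pattern can still match a property or alias named like an HTML attribute, so treat a single "event_handler" hit as a triage signal rather than proof of an attack.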

Monitoring Recommendations

  • Configure log viewers to render Neo4j query logs as plain text only, not HTML; if logs are exposed over HTTP, serve them with Content-Type: text/plain; charset=utf-8 and X-Content-Type-Options: nosniff so browsers do not sniff them as HTML
  • Implement alerting for anomalous query patterns that include excessive unicode or escape sequences
  • Audit access to query log files and the tools used to view them

How to Mitigate CVE-2026-1337

Immediate Actions Required

  • Upgrade Neo4j Enterprise and Community editions to version 2026.01 or later
  • Configure all log viewing tools to treat Neo4j query logs as plain text, not HTML
  • Review existing query logs for potential injection attempts before viewing in any HTML-capable tool

Patch Information

Neo4j has addressed this vulnerability in version 2026.01 for both Enterprise and Community editions. The patch implements proper escaping of unicode characters before they are written to query logs, preventing the injection of HTML-interpretable content.

Organizations should update to the latest version of Neo4j as soon as possible. For detailed technical information about the vulnerability, refer to the GitHub PoC Repository.

Workarounds

  • Configure log viewing applications to explicitly render content as plain text rather than HTML
  • Use command-line tools like cat, less, or tail to view query logs instead of web-based viewers
  • Implement access controls to restrict who can view query logs to reduce the potential attack surface
```bash
# View Neo4j query logs safely using plain-text viewers.
# Pipe through cat -v so injected control and escape sequences are shown as
# visible caret notation instead of being interpreted by the terminal.
tail -f /var/log/neo4j/query.log | cat -v

# less without -r or -R shows control characters as ^X rather than passing
# them through to the terminal (less -r is raw mode, the opposite of safe).
less /var/log/neo4j/query.log
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
