CVE-2026-1524 Overview
CVE-2026-1524 is an authentication bypass vulnerability affecting Neo4j Enterprise edition versions prior to 2026.02. The vulnerability exists in the Single Sign-On (SSO) implementation where an edge case in OIDC provider configuration can lead to unauthorized access when multiple authentication providers are configured with mixed authorization capabilities.
Critical Impact
Under specific multi-provider configurations, authentication-only OIDC providers may inadvertently provide authorization capabilities, potentially granting users elevated privileges they should not possess.
Affected Products
- Neo4j Enterprise edition versions prior to 2026.02
- Neo4j Enterprise edition versions prior to 5.26.22
Discovery Timeline
- 2026-03-11 - CVE-2026-1524 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-1524
Vulnerability Analysis
This vulnerability is classified under CWE-287 (Improper Authentication) and manifests specifically when Neo4j Enterprise is configured with multiple OIDC providers serving different purposes. The security issue arises from a logical flaw in how the SSO implementation handles the separation between authentication and authorization responsibilities across multiple identity providers.
When an administrator configures two or more OIDC providers where at least one is designated as an authorization provider and at least one other is configured for authentication-only purposes, the system fails to properly enforce this separation. As a result, authentication-only providers may inadvertently inherit authorization capabilities, allowing group memberships from these providers to influence user privileges.
This becomes a security concern when the authentication-only provider contains user groups with higher privilege mappings than intended by the authorization provider configuration. Users authenticated through such providers could receive elevated access rights beyond their authorized scope.
Root Cause
The root cause stems from improper handling of the authentication and authorization plugin configuration when multiple OIDC providers are registered. The system logic fails to correctly isolate providers configured solely for authentication from those designated to provide authorization capabilities. This results in authentication-only plugins erroneously providing both authentication and authorization functions.
Attack Vector
The attack vector requires network access and specific configuration conditions to be present. An attacker would need:
- A Neo4j Enterprise instance configured with two or more OIDC providers
- At least one provider configured as an authorization provider
- At least one provider configured as authentication-only
- The authentication-only provider containing groups that map to higher privileges than those available through the intended authorization provider
The attacker would authenticate through the authentication-only OIDC provider that contains higher-privilege group memberships, thereby gaining unauthorized elevated access within the Neo4j database system.
Detection Methods for CVE-2026-1524
Indicators of Compromise
- Unusual privilege escalation events in Neo4j audit logs from users authenticated via OIDC providers configured for authentication-only
- Users accessing resources or performing actions beyond their intended authorization scope
- Discrepancies between expected and actual user permissions when comparing authorization provider group memberships
Detection Strategies
- Review Neo4j security configuration to identify instances using multiple OIDC providers with mixed authentication/authorization roles
- Audit user permission assignments against the intended authorization provider configuration
- Monitor authentication events to identify users leveraging authentication-only providers who exhibit elevated privilege activity
Monitoring Recommendations
- Enable detailed audit logging for all authentication and authorization events in Neo4j
- Implement alerts for privilege elevation patterns associated with authentication-only OIDC provider logins
- Periodically review OIDC provider configurations to ensure proper separation of authentication and authorization responsibilities
How to Mitigate CVE-2026-1524
Immediate Actions Required
- Upgrade Neo4j Enterprise to version 2026.02 or 5.26.22, where the issue is fixed
- Audit current OIDC provider configurations to identify vulnerable setups
- Temporarily consolidate authentication and authorization to a single OIDC provider if immediate upgrade is not possible
- Review user access logs to identify any potential unauthorized access that may have occurred
Patch Information
Neo4j has released security patches addressing this vulnerability. Organizations should upgrade to Neo4j Enterprise version 2026.02 or 5.26.22, in which the SSO implementation properly enforces the separation between authentication-only and authorization-capable OIDC providers. The Neo4j Security Advisory for CVE-2026-1524 provides official guidance from the vendor.
Workarounds
- Configure a single OIDC provider for both authentication and authorization until patching is complete
- Remove authentication-only OIDC providers from the configuration temporarily
- Ensure any authentication-only providers do not contain groups with higher privilege mappings than the authorization provider
- Implement additional network segmentation to restrict access to the Neo4j instance while awaiting patching
# Verify Neo4j version before and after upgrade
neo4j version
# Review current OIDC configuration in neo4j.conf
grep -i "dbms.security.oidc" /var/lib/neo4j/conf/neo4j.conf
# Backup configuration before making changes
cp /var/lib/neo4j/conf/neo4j.conf /var/lib/neo4j/conf/neo4j.conf.backup
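As an added example (not from the advisory or from Neo4j's own tooling), the following Python script checks a neo4j.conf for the configuration pattern described under Detection Strategies and the last Workaround: an OIDC provider that appears in dbms.security.authentication_providers but not in dbms.security.authorization_providers and still carries a group_to_role_mapping, with any roles above what the intended authorization provider grants called out. The setting names follow Neo4j 5 conventions as I know them; the role ordering, the provider names and the sample configuration are constructed assumptions.

```python
"""Audit a neo4j.conf for the CVE-2026-1524 risk pattern: an OIDC provider listed for
authentication but not authorization that still carries a group-to-role mapping,
especially one reaching roles above what the intended authorization provider grants."""
import re

# Constructed sample neo4j.conf fragment (not taken from the advisory).
SAMPLE_CONF = """\
# corp is the intended authorization provider; partner is authentication-only
dbms.security.authentication_providers=oidc-corp,oidc-partner,native
dbms.security.authorization_providers=oidc-corp,native
dbms.security.oidc.corp.authorization.group_to_role_mapping="eng"=editor;"ops"=reader
dbms.security.oidc.partner.authorization.group_to_role_mapping="ext"=reader;"ext-ops"=admin,editor
"""

# Assumed ordering of Neo4j built-in roles, least to most privileged.
ROLE_RANK = {"PUBLIC": 0, "reader": 1, "editor": 2, "publisher": 3, "architect": 4, "admin": 5}

def parse_conf(text):
    """Minimal key=value parser for neo4j.conf; comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def oidc_providers(conf, setting):
    """Names of the 'oidc-<name>' entries in a comma-separated provider list setting."""
    entries = (e.strip() for e in conf.get(setting, "").split(","))
    return {e[len("oidc-"):] for e in entries if e.startswith("oidc-")}

def mapped_roles(conf, provider):
    """Roles reachable via the provider's group_to_role_mapping ('"group"=role1,role2;...')."""
    mapping = conf.get(f"dbms.security.oidc.{provider}.authorization.group_to_role_mapping", "")
    return {r.strip() for roles in re.findall(r'"[^"]*"\s*=\s*([^;]+)', mapping) for r in roles.split(",")}

def audit(conf):
    """Return {auth-only provider: sorted roles above the authorization providers' ceiling}.
    Any auth-only provider with a mapping is reported (empty list if nothing exceeds the
    ceiling), since under CVE-2026-1524 that mapping may be honoured as authorization."""
    authn = oidc_providers(conf, "dbms.security.authentication_providers")
    authz = oidc_providers(conf, "dbms.security.authorization_providers")
    ceiling = max((ROLE_RANK.get(r, 0) for p in authz for r in mapped_roles(conf, p)), default=0)
    findings = {}
    for provider in sorted(authn - authz):  # authentication-only OIDC providers
        roles = mapped_roles(conf, provider)
        if roles:
            findings[provider] = sorted(r for r in roles if ROLE_RANK.get(r, 0) > ceiling)
    return findings

if __name__ == "__main__":
    print(audit(parse_conf(SAMPLE_CONF)))  # {'partner': ['admin']}
```

Run it against the real file by replacing SAMPLE_CONF with the contents of neo4j.conf; an empty result means no authentication-only OIDC provider carries a group-to-role mapping.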
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.