CVE-2026-33566 Overview
CVE-2026-33566 is a Cypher injection vulnerability affecting JPCERT LogonTracer prior to version 2.0.0. This NoSQL injection flaw allows attackers to manipulate the underlying Neo4j graph database by crafting malicious Windows event log data. When specially crafted event log data is loaded into LogonTracer, the contents of the database may be altered, potentially compromising the integrity of forensic analysis and security investigations.
Critical Impact
Attackers can exploit this Cypher injection vulnerability to modify database contents when malicious Windows event log data is processed, potentially corrupting forensic evidence and security analysis results.
Affected Products
- JPCERT LogonTracer versions prior to 2.0.0
Discovery Timeline
- April 27, 2026 - CVE-2026-33566 published to NVD
- April 28, 2026 - Last updated in NVD database
Technical Details for CVE-2026-33566
Vulnerability Analysis
This vulnerability is classified under CWE-943 (Improper Neutralization of Special Elements in Data Query Logic), commonly known as NoSQL injection. LogonTracer is a security tool developed by JPCERT/CC that visualizes Windows Active Directory event logs using a Neo4j graph database. The tool parses Windows event log data and constructs Cypher queries to store and analyze logon relationships.
The vulnerability exists because user-controlled data from Windows event log files is not properly sanitized before being incorporated into Cypher queries. When an attacker crafts malicious event log entries containing Cypher injection payloads, these payloads are executed against the Neo4j database, allowing unauthorized modification of stored data.
Root Cause
The root cause of CVE-2026-33566 is improper input validation and sanitization of Windows event log data before constructing Cypher queries. The application fails to neutralize special characters and query syntax elements that could alter the intended query structure. This allows attackers to inject arbitrary Cypher statements that modify, delete, or manipulate database records.
Attack Vector
The attack requires network access and user interaction. An attacker must craft a malicious Windows event log file containing specially formatted entries with embedded Cypher injection payloads. When an administrator or security analyst loads this malicious log file into LogonTracer for analysis, the injection payload executes against the Neo4j database.
The attack scenario typically involves:
- Creating a malicious Windows event log file with crafted entries
- Distributing the log file to a target organization (via phishing, compromised systems, or supply chain)
- Waiting for security personnel to load the log file into LogonTracer
- The injection payload executing during import and modifying database contents
The vulnerability manifests during the event log parsing and database insertion process. When LogonTracer processes event log entries, field values are incorporated into Cypher queries without adequate sanitization. Malicious payloads embedded in fields such as usernames, computer names, or other logged attributes can break out of the intended query structure and execute arbitrary Cypher commands. For detailed technical information, refer to the JVN advisory.
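The following Python example, added here as an illustration and not taken from LogonTracer's source, shows the query-construction pattern described above beside its parameterized replacement. The node labels, property names and the two sample field values (`alice` and `alice' RETURN 1 //`) are constructed for the example; the quoted-literal skeleton check is a way to observe that a field value has changed the query's structure, not a substitute for parameterization.

```python
import re
from typing import Any

# Constructed sample field values of the kind a parser pulls from a logon
# event (e.g. TargetUserName / WorkstationName). The second one carries a
# quote and Cypher syntax; its trailing RETURN is inert and only shows that
# the value reaches the query as syntax rather than as data.
BENIGN_USER = "alice"
HOSTILE_USER = "alice' RETURN 1 //"
HOST = "dc01"


def build_logon_query_unsafe(user: str, host: str) -> str:
    """Hypothetical string-interpolated query (the CWE-943 pattern, not
    LogonTracer's actual statement): field values become query text."""
    return (
        f"MERGE (u:Username {{user: '{user}'}}) "
        f"MERGE (h:Hostname {{host: '{host}'}}) "
        f"MERGE (u)-[:Event]->(h)"
    )


def build_logon_query_safe(user: str, host: str) -> tuple[str, dict[str, Any]]:
    """Parameterized form: the statement text is constant and the values travel
    separately (e.g. session.run(query, params) with the neo4j driver), so no
    field value can alter the query's structure."""
    query = (
        "MERGE (u:Username {user: $user}) "
        "MERGE (h:Hostname {host: $host}) "
        "MERGE (u)-[:Event]->(h)"
    )
    return query, {"user": user, "host": host}


# Matches one complete single- or double-quoted Cypher string literal,
# allowing backslash escapes inside it.
_LITERAL = re.compile(r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"")


def query_skeleton(query: str) -> str:
    """Replace every string literal with '?' so only the lexical structure of
    the query remains. Queries built from one template with plain data share a
    skeleton; a value that breaks out of its literal changes it."""
    return _LITERAL.sub("?", query)


# Skeleton of the unsafe template filled with values that contain no quotes.
BASELINE_SKELETON = query_skeleton(build_logon_query_unsafe("baseline", "baseline"))


def unsafe_structure_changed(user: str, host: str) -> bool:
    """True when the interpolated query no longer matches the template's
    structure, i.e. the input was read as Cypher syntax rather than data."""
    return query_skeleton(build_logon_query_unsafe(user, host)) != BASELINE_SKELETON


if __name__ == "__main__":
    for user in (BENIGN_USER, HOSTILE_USER):
        print(f"{user!r}: structure changed = {unsafe_structure_changed(user, HOST)}")
    safe_query, params = build_logon_query_safe(HOSTILE_USER, HOST)
    print("parameterized query:", safe_query)
    print("parameters:", params)
```

With the parameterized builder the query text is identical for both inputs and the hostile value is carried verbatim in the parameter map, which is exactly the property the vulnerable version lacks.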
Detection Methods for CVE-2026-33566
Indicators of Compromise
- Unexpected modifications to Neo4j database records in LogonTracer
- Anomalous Cypher query patterns in Neo4j logs containing injection syntax
- Database integrity inconsistencies when comparing known-good log imports
- Presence of Windows event log files with unusual or malformed field values
Detection Strategies
- Monitor Neo4j query logs for unusual Cypher syntax patterns including MERGE, DELETE, SET, or DETACH DELETE operations not initiated by normal application workflow
- Implement file integrity monitoring on imported Windows event log files
- Review LogonTracer database contents for unexpected nodes or relationships
- Validate Windows event log files before import using signature verification or trusted source validation
Monitoring Recommendations
- Enable verbose logging on the Neo4j database to capture all query activity
- Implement alerting for database modification operations outside of expected import windows
- Deploy network monitoring to detect unusual data flows to/from the LogonTracer instance
- Regularly audit database contents for integrity against known baseline imports
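As an added example of the detection and monitoring points above (not code from the advisory or from LogonTracer), the Python script below scans query-log lines for three signals: clauses the import workflow is not expected to issue (DELETE, DETACH DELETE, SET, REMOVE, DROP), inline string literals in the query text (a parameterized application passes values as `$params`), and activity outside an expected import window. The log lines are constructed with a simplified layout and are not real Neo4j `query.log` output; the "imports use MERGE/CREATE/MATCH only" baseline and the 08:00-18:00 window are assumptions to be replaced with the deployment's own.

```python
import re
from typing import Iterable, Optional

# Constructed query-log style lines (simplified layout, not Neo4j's exact
# query.log format): "<timestamp> INFO <n> ms: <client> - <db user> - <query> - <params>".
SAMPLE_LOG = """\
2026-04-28 09:12:01.000+0000 INFO 12 ms: client/10.0.0.5:51234 - logontracer - MERGE (u:Username {user: $user}) MERGE (h:Hostname {host: $host}) MERGE (u)-[:Event]->(h) - {user: 'alice', host: 'dc01'}
2026-04-28 09:12:02.000+0000 INFO 9 ms: client/10.0.0.5:51234 - logontracer - MERGE (u:Username {user: 'bob'}) MERGE (h:Hostname {host: 'dc01'}) - {}
2026-04-28 09:12:03.000+0000 INFO 15 ms: client/10.0.0.5:51234 - logontracer - MERGE (u:Username {user: 'x'}) DETACH DELETE u - {}
2026-04-28 09:12:04.000+0000 INFO 8 ms: client/10.0.0.5:51234 - logontracer - MATCH (u:Username) SET u.user = 'renamed' RETURN u - {}
2026-04-28 02:00:00.000+0000 INFO 5 ms: client/10.0.0.5:51234 - logontracer - MERGE (u:Username {user: $user}) - {user: 'carol'}
"""

# Write clauses the import workflow is not expected to issue (assumed baseline:
# imports use MERGE/CREATE/MATCH only). Longest alternative first.
_UNEXPECTED_CLAUSE = re.compile(r"\b(DETACH\s+DELETE|DELETE|SET|REMOVE|DROP)\b", re.I)
# Any quoted literal in the query text; a parameterized application should
# produce none, so inline literals point at string-built queries.
_LITERAL = re.compile(r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"")


def parse_query_log_line(line: str) -> Optional[dict]:
    """Split one constructed log line into timestamp, hour, db user, query, params."""
    line = line.rstrip("\n")
    if not line:
        return None
    head, params = line.rsplit(" - ", 1)          # params are the last field
    prefix, db_user, query = head.split(" - ", 2)  # query may contain no " - "
    return {"ts": prefix[:23], "hour": int(prefix[11:13]),
            "db_user": db_user, "query": query, "params": params}


def classify_entry(entry: dict, import_window: tuple[int, int] = (8, 18)) -> list[str]:
    """Return the reasons an entry deserves review; an empty list means clean."""
    reasons = []
    for m in _UNEXPECTED_CLAUSE.finditer(entry["query"]):
        reasons.append("unexpected-clause:" + " ".join(m.group(1).upper().split()))
    if _LITERAL.search(entry["query"]):
        reasons.append("inline-literal")
    start, end = import_window
    if not (start <= entry["hour"] < end):
        reasons.append("off-window")
    return reasons


def scan_query_log(lines: Iterable[str], import_window: tuple[int, int] = (8, 18)) -> list[dict]:
    """Run classify_entry over every parsable line and keep the flagged ones."""
    findings = []
    for line in lines:
        entry = parse_query_log_line(line)
        if entry is None:
            continue
        reasons = classify_entry(entry, import_window)
        if reasons:
            findings.append({"ts": entry["ts"], "query": entry["query"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_query_log(SAMPLE_LOG.splitlines()):
        print(f["ts"], ", ".join(f["reasons"]), "::", f["query"])
```

The first sample line is what a parameterized import looks like and is not flagged; the string-built MERGE on the second line is flagged for the inline literal alone, which is the signal most worth alerting on for an unpatched instance, since it is present before any mutation clause appears.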
How to Mitigate CVE-2026-33566
Immediate Actions Required
- Upgrade LogonTracer to version 2.0.0 or later immediately
- Audit existing LogonTracer database contents for signs of unauthorized modification
- Restrict access to LogonTracer instances to trusted networks only
- Review all Windows event log files loaded since deployment for suspicious content
Patch Information
JPCERT/CC has released LogonTracer version 2.0.0, which addresses this Cypher injection vulnerability. Users should upgrade to this version or later to remediate CVE-2026-33566. Additional information is available in the JPCERT Press Release and JVN advisory.
Workarounds
- Isolate LogonTracer instances from untrusted networks until patching is complete
- Only load Windows event log files from verified, trusted sources
- Implement network segmentation to limit access to the Neo4j database
- Back up the current database before loading any new event log data to enable recovery if compromise occurs
If immediate patching is not possible, restrict LogonTracer usage to trusted event log sources only and ensure the application is not exposed to untrusted networks. Consider implementing input validation at the network layer to filter potentially malicious log files before they reach the application.
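As an added example for the "verified, trusted sources" workaround and the review of previously loaded log files (not code from the advisory or from LogonTracer), the Python script below screens an XML export of Windows events before import and reports EventData fields whose values contain Cypher string delimiters, comment markers or keywords. The two events are constructed sample data; the Windows event XML namespace is the real one, and the keyword list is an assumption to tune per deployment.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML.
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample: two 4624 logon events; record 1002 carries a value
# containing Cypher syntax in TargetUserName.
SAMPLE_EVENTS = """\
<Events>
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System><EventID>4624</EventID><EventRecordID>1001</EventRecordID></System>
    <EventData>
      <Data Name="TargetUserName">alice</Data>
      <Data Name="WorkstationName">WS01</Data>
      <Data Name="IpAddress">10.0.0.7</Data>
    </EventData>
  </Event>
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System><EventID>4624</EventID><EventRecordID>1002</EventRecordID></System>
    <EventData>
      <Data Name="TargetUserName">bob' RETURN 1 //</Data>
      <Data Name="WorkstationName">WS02</Data>
      <Data Name="IpAddress">10.0.0.8</Data>
    </EventData>
  </Event>
</Events>
"""

# Checks run in this order; each contributes its label when it matches.
_CHECKS = [
    ("quote", re.compile(r"['\"`]")),       # string / identifier delimiters
    ("comment", re.compile(r"//|/\*")),     # Cypher comment openers
    ("keyword", re.compile(
        r"\b(MATCH|MERGE|CREATE|DELETE|DETACH|SET|REMOVE|DROP|RETURN|CALL|WITH)\b", re.I)),
]


def suspicious_reasons(value: str) -> list[str]:
    """Labels of every check that matches the field value (empty = nothing seen)."""
    return [label for label, pat in _CHECKS if pat.search(value)]


def screen_event_xml(xml_text: str) -> list[tuple[str, str, list[str]]]:
    """Return (EventRecordID, field name, reasons) for each EventData field
    that trips at least one check, in document order."""
    root = ET.fromstring(xml_text)
    findings = []
    for event in root.iter(f"{NS}Event"):
        rec = event.findtext(f"{NS}System/{NS}EventRecordID", default="?")
        for data in event.iterfind(f"{NS}EventData/{NS}Data"):
            reasons = suspicious_reasons(data.text or "")
            if reasons:
                findings.append((rec, data.get("Name", ""), reasons))
    return findings


if __name__ == "__main__":
    for rec, field, reasons in screen_event_xml(SAMPLE_EVENTS):
        print(f"record {rec}: field {field} flagged for {', '.join(reasons)}")
```

Treat the output as a triage list rather than a block list: a legitimate account such as `O'Brien` trips the quote check, and a parameterized LogonTracer 2.0.0 handles such values correctly, so the screen is a way to spot files worth a closer look before or after import, not a replacement for the upgrade.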
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.