PYSEC-2026-2626

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/mcp-neo4j-cypher/PYSEC-2026-2626.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2626
Aliases
Published
2026-07-13T15:02:49.404540Z
Modified
2026-07-13T16:32:13.343500509Z
Severity
  • 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Neo4j Labs MCP Servers: SSRF and Data Modification via read_only Mode Bypass Through CALL Procedures
Details

Summary

The read_only mode in mcp-neo4j-cypher versions prior to 0.6.0 can be bypassed using CALL procedures.

Details

Impact

The enforcing of read_only mode in vulnerable versions could be bypassed by certain APOC procedures.

Patches

v0.6.0 release hardened the checks around the mode. The only way to guarantee the server actions is to limit the permissions of the db credentials available to the server.

Notes

Impacts for server-side request forgery vulnerabilities may depend on both the configuration of the vulnerable system as well as the presence of other systems in the environment that could be accessed as part of exploitation.

Recommended hardening

  • Limit the apoc procedures to what's required
  • Manage data loading privileges
  • Don't relax the default settings without compensating controls
    • apoc.import.file.enabled is false by default
    • apoc.import.file.use_neo4j_config is true by default to restrict file imports to the import folder

Credits

We want to publicly recognise the contribution of Yotam Perkal from Pluto Security.

References

Affected packages

PyPI / mcp-neo4j-cypher

Package

Name
mcp-neo4j-cypher
View open source insights on deps.dev
Purl
pkg:pypi/mcp-neo4j-cypher

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.6.0

Affected versions

0.*
0.1.1
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.3.0
0.3.1
0.4.0
0.4.1
0.5.0
0.5.1
0.5.2
0.5.3

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/mcp-neo4j-cypher/PYSEC-2026-2626.yaml"