GHSA-x3cv-r3g3-fpg9 (CVE-2026-35402)

Details

Summary

The read_only mode in mcp-neo4j-cypher versions prior to 0.6.0 can be bypassed using CALL procedures.

Details

Impact

The enforcing of read_only mode in vulnerable versions could be bypassed by certain APOC procedures.

Patches

v0.6.0 release hardened the checks around the mode. The only way to guarantee the server actions is to limit the permissions of the db credentials available to the server.

Notes

Impacts for server-side request forgery vulnerabilities may depend on both the configuration of the vulnerable system as well as the presence of other systems in the environment that could be accessed as part of exploitation.

Recommended hardening

Limit the apoc procedures to what's required
Manage data loading privileges
Don't relax the default settings without compensating controls
- apoc.import.file.enabled is false by default
- apoc.import.file.use_neo4j_config is true by default to restrict file imports to the import folder

Credits

We want to publicly recognise the contribution of Yotam Perkal from Pluto Security.

Affected Packages

mcp-neo4j-cypher

PyPI

Fixed in:

0.6.0

References

ADVISORY

https://github.com/advisories/GHSA-x3cv-r3g3-fpg9

PACKAGE

https://github.com/neo4j-contrib/mcp-neo4j

WEB

https://github.com/neo4j-contrib/mcp-neo4j/releases/tag/mcp-neo4j-cypher-v0.6.0

WEB

https://github.com/neo4j-contrib/mcp-neo4j/security/advisories/GHSA-x3cv-r3g3-fpg9