CVE-2026-1524
Published: 11 March 2026
Summary
CVE-2026-1524 is a low-severity Improper Authentication (CWE-287) vulnerability in Neo4J Neo4J. Its CVSS base score is 2.1 (Low).
Operationally, ranked at the 23.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11212
Vulnerability details
An edgecase in SSO implementation in Neo4j Enterprise edition versions prior to version 2026.02 can lead to unauthorised access under the following conditions: If a neo4j admin configures two or more OIDC providers AND configures one or more of them…
more
to be an authorization provider AND configures one or more of them to be authentication-only, then those that are authentication-only will also provide authorization. This edgecase becomes a security problem only if the authentication-only provider contains groups which have higher privileges than provided by the intended (configured) authorization provider. When using multiple plugins for authentication and authorisation, prior to the fix the issue could lead to a plugin configured to provide only authentication or authorisation capabilities erroneously providing both capabilities. We recommend upgrading to versions 2026.02 (or 5.26.22) where the issue is fixed.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Session content review can reveal authentication bypasses or failures in session establishment.
Assessments check authentication mechanisms for correct implementation and effectiveness, reducing successful authentication bypass attempts.
Identity providers centralize and enforce authentication mechanisms, reducing improper authentication.
Enforces correct authorization checks during the identifier assignment process.
Personnel screening, identity verification, and access-agreement requirements support reliable authentication and reduce authentication bypass opportunities.
Decoy authentication surfaces detect bypass attempts and deflect real credential attacks through observable malicious interactions.
Periodic review and update of procedures reduces incorrect authorization implementations over time.
Supervision identifies cases where authorization logic incorrectly permits unauthorized actions.