CVE-2026-35402
Neo4j Labs MCP Servers: SSRF and Data Modification via read_only Mode Bypass Through CALL Procedures
Description
### Summary

The `read_only` mode in `mcp-neo4j-cypher` versions prior to 0.6.0 can be bypassed using `CALL` procedures.

### Details

#### Impact

The enforcement of `read_only` mode in vulnerable versions could be bypassed by certain APOC procedures.

#### Patches

The v0.6.0 release hardened the checks around the mode. The only way to guarantee what the server can do is to limit the permissions of the database credentials available to the server.

### Notes

The impact of a server-side request forgery vulnerability may depend both on the configuration of the vulnerable system and on the presence of other systems in the environment that could be reached as part of exploitation.

#### Recommended hardening

- Limit the APOC procedures to what's required
- [Manage data loading privileges](https://neo4j.com/docs/operations-manual/current/authentication-authorization/load-privileges/)
- Don't relax the default settings without compensating controls
  - `apoc.import.file.enabled` is `false` by default
  - `apoc.import.file.use_neo4j_config` is `true` by default, which restricts file imports to the import folder

### Credits

We want to publicly recognise the contribution of [Yotam Perkal](https://github.com/yotampe-pluto) from [Pluto Security](https://pluto.security/).
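As an added illustration of the bypass class described above (example code, not the mcp-neo4j-cypher project's own implementation), the block below puts a naive clause-keyword read-only check beside a hardened variant that also requires every `CALL`ed procedure to be on an explicit allowlist. The allowlist contents and the sample queries are constructed for this example; as the advisory states, database-credential permissions remain the only real guarantee, and a query guard like this is only defence in depth.

```python
"""Defence-in-depth read-only guard for Cypher text an MCP server forwards.

Illustrative only (not the mcp-neo4j-cypher implementation). A check that
only looks for write clauses passes `CALL apoc.*` untouched; the hardened
variant also requires every called procedure to be allowlisted.
"""
import re

# String literals and line comments are blanked before inspection so that a
# word like 'SET' inside a literal neither triggers nor hides a match.
LITERALS = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"|//[^\n]*")
WRITE_CLAUSES = re.compile(
    r"\b(CREATE|MERGE|DELETE|SET|REMOVE|DROP|LOAD\s+CSV)\b", re.IGNORECASE)
CALL_PROC = re.compile(r"\bCALL\s+([A-Za-z_][\w.]*)", re.IGNORECASE)
CALL_SUBQUERY = re.compile(r"\bCALL\s*\{", re.IGNORECASE)

# Constructed allowlist (lower-cased): schema-introspection procedures that
# neither write nor reach the network or the filesystem.
READ_ONLY_PROCEDURES = frozenset({
    "db.labels", "db.relationshiptypes", "db.propertykeys",
    "db.schema.visualization",
})


def naive_is_read_only(query: str) -> bool:
    """Keyword-only check: a CALLed procedure has no write clause, so it passes."""
    return WRITE_CLAUSES.search(query) is None


def hardened_is_read_only(query: str, allowlist=READ_ONLY_PROCEDURES) -> bool:
    """Reject write clauses, CALL {} subqueries and any non-allowlisted procedure."""
    text = LITERALS.sub(" ", query)
    if WRITE_CLAUSES.search(text) or CALL_SUBQUERY.search(text):
        return False  # CALL {} subqueries are rejected outright (conservative)
    return all(m.group(1).lower() in allowlist
               for m in CALL_PROC.finditer(text))


# Constructed sample queries: the third has the shape the advisory describes,
# a procedure call with no write keyword that still reaches out to a URL.
SAMPLE_QUERIES = (
    "MATCH (p:Person) RETURN p.name LIMIT 5",
    "CALL db.labels() YIELD label RETURN label",
    "CALL apoc.load.json($url) YIELD value RETURN value",
    "MATCH (p:Person) SET p.flag = true RETURN p",
    "RETURN 'SET' AS word",
)

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(f"naive={naive_is_read_only(q)!s:<5} "
              f"hardened={hardened_is_read_only(q)!s:<5} {q}")
```

Running the block shows the third query passing the naive check and failing the hardened one, and the last query doing the reverse, since the literal is no longer mistaken for a write clause.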
How to fix CVE-2026-35402
To remediate CVE-2026-35402, upgrade the affected package to a fixed version below.
- mcp-neo4j-cypher: upgrade to 0.6.0 or later
Is CVE-2026-35402 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- mcp-neo4j-cypher: from 0, < 0.6.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N |