CVE-2026-35402: Improper Access Control in mcp-neo4j-cypher via Stored Procedure Bypass

Vulnerability ID: CVE-2026-35402
CVSS Score: 2.3
Published: 2026-04-17

CVE-2026-35402 is an improper access control vulnerability in the mcp-neo4j-cypher server. The application implements a read-only mode using a regex-based keyword blocklist, which fails to restrict execution of Cypher stored procedures via the CALL keyword. This allows authenticated users or LLM agents to bypass restrictions, potentially leading to unauthorized data modification and Server-Side Request Forgery.

TL;DR

A bypass in mcp-neo4j-cypher's read-only mode allows data modification and SSRF via Cypher stored procedures (CALL) due to an incomplete regex blocklist.

⚠️ Exploit Status: POC

Technical Details

• CWE ID: CWE-284
• Attack Vector: Network
• CVSS 4.0 Score: 2.3
• Impact: Unauthorized Data Modification / SSRF
• Exploit Status: Proof of Concept
• CISA KEV: No

Affected Systems

• mcp-neo4j-cypher
• mcp-neo4j-cypher: < 0.6.0 (Fixed in: 0.6.0)

Code Analysis

Commit: 7bf941b

Incomplete fix adding INSERT keyword to blocklist in v0.5.0

Commit: fbf4706

Final fix adding CALL to blocklist and implementing driver-level enforcement in v0.6.0

Mitigation Strategies

• Upgrade mcp-neo4j-cypher to version 0.6.0 or later.
• Implement database-level Role-Based Access Control (RBAC) to enforce read-only permissions.
• Configure procedure blocklisting in Neo4j via dbms.security.procedures.allowlist.

Remediation Steps:

1. Update the Python package dependency for mcp-neo4j-cypher to >=0.6.0.
2. Create a dedicated Neo4j user account specifically for the MCP integration.
3. Assign the new user account a strict read-only role within Neo4j.
4. Review neo4j.conf and explicitly limit the apoc.* procedures available to the system.

References

• GitHub Security Advisory GHSA-x3cv-r3g3-fpg9
• NVD Record for CVE-2026-35402

Read the full report for CVE-2026-35402 on our website for more details including interactive diagrams and full exploit analysis.