Neo4j
cpe:2.3:a:neo4j:neo4j:*:*:*:*:*:*:*
- < 2026.02
A vulnerability in the Single Sign-On (SSO) implementation of Neo4j Enterprise Edition, in versions prior to 2026.02, can result in unauthorized access. The issue arises when an administrator configures multiple OpenID Connect (OIDC) providers and designates some of them for authentication only and others for authorization. In that configuration, an authentication-only provider may also grant authorization, so a plugin intended to perform a single function (authentication or authorization) can end up providing both. The risk is greatest when the authentication-only provider supplies group claims that map to higher privileges than the designated authorization provider would allow.
Exploitation of this vulnerability could lead to unauthorized access: a user who signs in through the authentication-only provider can obtain privileges they should not have, particularly in deployments that combine multiple OIDC providers or authentication plugins.
Users are advised to upgrade to Neo4j Enterprise Edition version 2026.02 or 5.26.22, where this vulnerability has been addressed.
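The configuration the advisory describes, shown as an added illustration that is not part of the advisory or of Neo4j's own documentation: two OIDC providers, one listed only among the authentication providers and the other only among the authorization providers. The provider identifiers (`corp-auth`, `corp-authz`), issuer URLs, client IDs and group names are placeholders; the setting names follow the Neo4j 5 OIDC settings, so check them against the settings reference for the release you run. The stale group-to-role mapping on the authentication-only provider is an assumed leftover, included to make the escalation path concrete.

```ini
# neo4j.conf (constructed example, not taken from the advisory or from Neo4j's docs)
# "corp-auth" is meant to authenticate users only.
# "corp-authz" is meant to decide roles only.
dbms.security.authentication_providers=oidc-corp-auth
dbms.security.authorization_providers=oidc-corp-authz

# Authentication-only provider (placeholder issuer and client ID).
dbms.security.oidc.corp-auth.display_name=Corp Login
dbms.security.oidc.corp-auth.auth_flow=pkce
dbms.security.oidc.corp-auth.well_known_discovery_uri=https://login.example.com/.well-known/openid-configuration
dbms.security.oidc.corp-auth.audience=neo4j-login-client
dbms.security.oidc.corp-auth.params=client_id=neo4j-login-client;response_type=code;scope=openid profile email
dbms.security.oidc.corp-auth.claims.username=sub
# This provider also emits a groups claim, and an assumed stale mapping is still present.
# Because corp-auth is absent from authorization_providers, the mapping should be inert;
# in affected versions it could still be applied, which is the escalation the advisory
# describes (a "db-admins" group here outranks anything corp-authz would grant).
dbms.security.oidc.corp-auth.claims.groups=groups
dbms.security.oidc.corp-auth.authorization.group_to_role_mapping="db-admins"=admin

# Authorization-only provider. Its group mapping is the only one that should apply.
dbms.security.oidc.corp-authz.display_name=Corp Roles
dbms.security.oidc.corp-authz.auth_flow=pkce
dbms.security.oidc.corp-authz.well_known_discovery_uri=https://roles.example.com/.well-known/openid-configuration
dbms.security.oidc.corp-authz.audience=neo4j-roles-client
dbms.security.oidc.corp-authz.params=client_id=neo4j-roles-client;response_type=code;scope=openid profile email
dbms.security.oidc.corp-authz.claims.username=sub
dbms.security.oidc.corp-authz.claims.groups=groups
dbms.security.oidc.corp-authz.authorization.group_to_role_mapping="db-readers"=reader
```

No configuration change fixes this; the remedy is the upgrade. After upgrading, a practical check is to sign in through the authentication-only provider with an account whose token carries the higher-privilege group (here `db-admins`) and run `SHOW CURRENT USER`: the `roles` column should contain only roles derived from the authorization provider's mapping, never `admin` from the inert mapping above.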