PatchSiren cyber security CVE debrief
CVE-2026-1524 neo4j CVE debrief
CVE-2026-1524 describes an SSO edge case in Neo4j Enterprise edition that can lead to unauthorized access when an administrator configures multiple OIDC providers and mixes authorization-capable and authentication-only providers. In that setup, an authentication-only provider may also be treated as providing authorization. The issue matters only when the authentication-only provider carries groups with higher privileges than the intended authorization provider. Neo4j states the fix is available in 2026.02 and 5.26.22.
- Vendor: neo4j
- Product: Enterprise Edition
- CVSS: LOW 2.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-11
- Original CVE updated: 2026-03-12
- Advisory published: 2026-03-11
- Advisory updated: 2026-03-12
Who should care
Neo4j Enterprise administrators and security teams using SSO with multiple OIDC providers, especially environments that separate authentication and authorization across plugins or identity providers.
Technical summary
According to the Neo4j advisory, the defect affects Enterprise edition versions prior to 2026.02. When two or more OIDC providers are configured and at least one is set for authorization while another is set for authentication only, the authentication-only provider can incorrectly provide authorization as well. The NVD record lists the issue as low severity, with network attack vector, high privileges required, and low confidentiality/integrity/availability impact. The stated weakness mappings are CWE-287 and CWE-863.
Defensive priority
Medium for affected Neo4j Enterprise deployments that use multiple OIDC providers or mixed authentication/authorization plugins; lower priority elsewhere because the issue requires specific configuration and elevated administrative context.
Recommended defensive actions
- Upgrade Neo4j Enterprise to 2026.02 or 5.26.22, as recommended by Neo4j.
- Review SSO configurations that use multiple OIDC providers to confirm which providers are intended to handle authentication versus authorization.
- Audit identity-provider group mappings and privilege assignments for any authentication-only provider that could carry higher-privilege groups.
- Validate that authorization decisions are coming from the intended provider after upgrading or reconfiguring.
- Monitor the Neo4j security advisory and NVD record for any updates to affected versions or guidance.
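To support the configuration review above, here is an added example (not code from Neo4j or from the advisory) that audits a neo4j.conf excerpt for the precondition this CVE depends on: an OIDC provider listed for authentication but not for authorization, whose group-to-role mapping grants privileged roles. The setting names follow the Neo4j 5 OIDC configuration as I recall it and the sample excerpt is constructed; verify the key names against the reference for your version.

```python
# Constructed neo4j.conf excerpt (sample input, not taken from the advisory).
# Assumed key names: dbms.security.authentication_providers,
# dbms.security.authorization_providers and
# dbms.security.oidc.<name>.authorization.group_to_role_mapping.
SAMPLE_CONF = """
dbms.security.authentication_providers=oidc-corp,oidc-partner,native
dbms.security.authorization_providers=oidc-corp,native
dbms.security.oidc.corp.authorization.group_to_role_mapping="eng"=reader;"ops"=editor
dbms.security.oidc.partner.authorization.group_to_role_mapping="partner-ops"=admin
"""

# Assumption: these built-in roles are treated as high privilege for the audit.
PRIVILEGED_ROLES = {"admin", "architect"}


def parse_conf(text):
    """Parse key=value lines, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def oidc_provider_names(value):
    """'oidc-corp,native' -> {'corp'}: only OIDC providers, by their short name."""
    return {p.strip()[len("oidc-"):] for p in value.split(",") if p.strip().startswith("oidc-")}


def mapped_roles(mapping):
    """'"g1"=admin;"g2"=reader,editor' -> set of roles referenced by the mapping."""
    roles = set()
    for item in mapping.split(";"):
        if "=" in item:
            _, rs = item.split("=", 1)
            roles.update(r.strip().strip('"') for r in rs.split(",") if r.strip())
    return roles


def find_risky_auth_only_providers(conf):
    """Return [(provider, [privileged roles])] for authentication-only OIDC providers
    whose mapping grants privileged roles; empty if the mixed-provider precondition is absent."""
    authn = oidc_provider_names(conf.get("dbms.security.authentication_providers", ""))
    authz = oidc_provider_names(conf.get("dbms.security.authorization_providers", ""))
    auth_only = authn - authz
    if not authz or not auth_only:
        return []  # no mix of authorization-capable and authentication-only providers
    findings = []
    for name in sorted(auth_only):
        mapping = conf.get(f"dbms.security.oidc.{name}.authorization.group_to_role_mapping", "")
        privileged = mapped_roles(mapping) & PRIVILEGED_ROLES
        if privileged:
            findings.append((name, sorted(privileged)))
    return findings
```

A non-empty result means the authentication-only provider could confer privileges the intended authorization provider does not grant, which is exactly the case the advisory says matters; treat it as a reason to reconcile the mapping, not just to upgrade.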
Evidence notes
All material claims are taken from the supplied Neo4j security reference and the NVD CVE record. The CVE was published on 2026-03-11 and modified on 2026-03-12. The source corpus identifies the product as Neo4j Enterprise edition and recommends upgrading to 2026.02 or 5.26.22. The NVD record is still marked "Undergoing Analysis," and the vendor field in the source corpus is low-confidence/needs review, so product attribution should be treated as advisory-backed rather than inferred from the generic vendor metadata.
Official resources
- CVE-2026-1524 CVE record (CVE.org)
- CVE-2026-1524 NVD detail (NVD)
Publicly disclosed on 2026-03-11 and updated on 2026-03-12. This debrief uses those CVE dates only for vulnerability timing context, not as evidence of when the underlying issue was introduced or discovered.