CVE-2026-1524 describes an SSO edge case in Neo4j Enterprise edition that can lead to unauthorized access when an administrator configures multiple OIDC providers and mixes authorization-capable and authentication-only providers. In that setup, an authentication-only provider may also be treated as providing authorization. The issue matters only when the authentication-only provider carries groups with hi [truncated]
CVE-2026-1471 describes an authentication-context handling issue in Neo4j Enterprise edition versions prior to 2026.01.4. In certain non-default SSO configurations that use the UserInfo endpoint, the system can retain excessive authentication context after a restart, which may cause authenticated users to inherit the context of the first user who signs in after that restart. The issue is rated Low severit [truncated]
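The two descriptions above both hinge on how the OIDC providers are declared. The following neo4j.conf fragment is an added illustration, not configuration from the advisories or from Neo4j, and the provider names (`idp-a`, `idp-b`), URLs and group names are made up; the setting keys are the ones documented for Neo4j 5 and are assumed to be unchanged in the 2026.x releases. It shows what a "mixed" setup looks like (one provider listed for both authentication and authorization, one for authentication only) and where the UserInfo-endpoint option mentioned in CVE-2026-1471 sits, so an administrator can recognise whether a deployment matches either description before checking its version against the fixed release.

```properties
# --- Added example: mixed OIDC provider setup (constructed, not from the advisories) ---

# Both providers may authenticate users.
dbms.security.authentication_providers=oidc-idp-a,oidc-idp-b

# Only idp-a is intended to supply roles. idp-b is "authentication-only":
# it is deliberately absent from this list. CVE-2026-1524 concerns the case
# where a provider in this position is nevertheless treated as authorizing.
dbms.security.authorization_providers=oidc-idp-a

# Provider A: authentication + authorization, groups taken from the token claim.
dbms.security.oidc.idp-a.auth_flow=pkce
dbms.security.oidc.idp-a.well_known_discovery_uri=https://idp-a.example/.well-known/openid-configuration
dbms.security.oidc.idp-a.client_id=neo4j-browser
dbms.security.oidc.idp-a.claims.groups=groups
dbms.security.oidc.idp-a.authorization.group_to_role_mapping="analysts"=reader;"platform-admins"=admin

# Provider B: authentication only. Note that tokens from this provider may
# still carry a groups claim; CVE-2026-1524 is about such groups being
# honoured even though B is not an authorization provider.
dbms.security.oidc.idp-b.auth_flow=pkce
dbms.security.oidc.idp-b.well_known_discovery_uri=https://idp-b.example/.well-known/openid-configuration
dbms.security.oidc.idp-b.client_id=neo4j-browser

# Non-default: fetch groups from the UserInfo endpoint instead of the ID token.
# This is the configuration family CVE-2026-1471 applies to on versions
# before 2026.01.4; on affected versions the first sign-in after a restart
# can leave context that later users inherit.
dbms.security.oidc.idp-a.get_groups_from_user_info=true
```

Review points for a defender: confirm the server version is at or beyond the fixed release named for CVE-2026-1471; compare `dbms.security.authentication_providers` with `dbms.security.authorization_providers` and list every provider that appears only in the first; for each such provider, check whether its tokens carry a groups claim that overlaps with the group names mapped in another provider's `group_to_role_mapping`; and note which providers have `get_groups_from_user_info` enabled, since that is the non-default path the second advisory describes.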