Listen to this Post
How the mentioned vulnerability works (around 20 lines):
The `read_only` mode in `mcp-neo4j-cypher` versions before 0.6.0 is designed to prevent write operations, but it can be bypassed using `CALL` procedures – specifically certain APOC (Awesome Procedures on Cypher) library calls. When the server runs in `read_only` mode, the intended restriction applies to standard Cypher write commands like CREATE, MERGE, or DELETE. However, APOC procedures that execute internal database operations do not always respect the `read_only` flag. An attacker with access to the Cypher query interface can invoke procedures such as apoc.import.csv, apoc.export., or `apoc.load.json` that perform writes or modify data. The bypass occurs because the `read_only` enforcement logic prior to v0.6.0 only checked top-level statements, not nested or CALL-based sub-operations. For example, calling `CALL apoc.import.csv(‘file.csv’)` could write nodes and relationships even when `read_only` is enabled. The vulnerability also enables server-side request forgery (SSRF) if procedures like `apoc.load.xml` or `apoc.load.json` are used to fetch remote resources. Successful exploitation allows an attacker to alter database contents, exfiltrate data, or pivot to internal networks. The impact is amplified if the database credentials have broad permissions. The patch in v0.6.0 hardens the `read_only` checks by intercepting and validating all procedure calls before execution. The only guaranteed mitigation is to use database credentials with minimal necessary permissions, as application-layer checks can be bypassed.
dailycve form:
Platform: Neo4j Cypher
Version: Before 0.6.0
Vulnerability : Read-only bypass
Severity: Medium
date: 2026-04-17
Prediction: Already patched
What Undercode Say:
Check current mcp-neo4j-cypher version
pip show mcp-neo4j-cypher | grep Version
Test read_only bypass (PoC)
cypher-shell -u neo4j -p password "CALL apoc.import.csv('import/data.csv', {nodes:['Node']})"
Monitor for suspicious APOC calls
grep -E "CALL (apoc.|dbms.)" /var/log/neo4j/query.log
List enabled APOC procedures
cypher-shell "CALL apoc.procedures() YIELD name RETURN name"
how Exploit:
Send `CALL apoc.cypher.runFile(‘file:///write_script.cypher’)` while read_only=true. Use `apoc.load.json(‘http://internal-server/admin’)` for SSRF. Chain with `apoc.export.csv.query(‘MATCH (n) RETURN n’, ‘export.csv’)` to exfiltrate data.
Protection from this CVE
Upgrade to v0.6.0+. Set apoc.import.file.enabled=false. Restrict DB credentials to read-only user. Disable unused APOC procedures via `apoc.conf` using apoc.<procedure>.enabled=false. Enable `apoc.import.file.use_neo4j_config=true` to limit imports to `import` folder.
Impact:
Full database compromise via write bypass, data theft via export procedures, internal network scanning via SSRF, and potential remote code execution if file import procedures allow arbitrary path writes.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

