Vulnerability Information
Vulnerability Title
Unredacted data exposure in query.log
Vulnerability Description
Neo4j Enterprise and Community editions prior to versions 2026.01.3 and 5.26.21 are vulnerable to a potential information disclosure by a user who has the ability to access the local log files. The "obfuscate_literals" option for the query logs does not redact error information, so unredacted data is exposed in the query log when a customer writes a query that fails. This can allow a user with legitimate access to the local log files to obtain information they are not authorised to see. If this user is also in a position to run queries and trigger errors, the vulnerability can potentially help them infer information they are not authorised to see through their intended database access. We recommend upgrading to version 2026.01.3 (or 5.26.21), where the issue is fixed, and reviewing query log file permissions to ensure restricted access. If your configuration had db.logs.query.obfuscate_literals enabled and you want the obfuscation to cover error messages as well, you need to enable the new configuration setting db.logs.query.obfuscate_errors once you have upgraded Neo4j.
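The following script is an added example, not part of the advisory or of Neo4j's tooling: it checks a neo4j.conf for the case described above (db.logs.query.obfuscate_literals enabled without db.logs.query.obfuscate_errors) and checks whether a query.log is readable beyond its owner. The function names, the return codes, the lowercase "true" comparison and the owner-only permission policy are assumptions of this example; the file paths are supplied by the operator.

```shell
#!/bin/sh
# Added example (not Neo4j tooling): audit query-log obfuscation and log permissions.

# Print the last value assigned to setting $2 in key=value file $1 (empty if unset).
conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ || index($0, "=") == 0 { next }
        {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# 0 = literals and errors both obfuscated
# 1 = literals obfuscated, errors not (the gap the advisory describes)
# 2 = literal obfuscation not enabled
# Assumes values are written in lowercase ("true").
audit_conf() {
    literals=$(conf_get "$1" db.logs.query.obfuscate_literals)
    errors=$(conf_get "$1" db.logs.query.obfuscate_errors)
    [ "$literals" = "true" ] || return 2
    [ "$errors" = "true" ] || return 1
    return 0
}

# 0 = only the owner can read the log, 1 = group or others can read it, 2 = missing.
# Owner-only is this example's policy choice, not a requirement stated in the advisory.
log_is_restricted() {
    [ -e "$1" ] || return 2
    case "$(ls -ld -- "$1" | cut -c1-10)" in
        ????r*|???????r*) return 1 ;;   # group-read or other-read bit set
        *) return 0 ;;
    esac
}

# Demo on constructed files; pass real paths as $1 (neo4j.conf) and $2 (query.log).
if [ "$#" -ne 2 ]; then
    demo=$(mktemp -d)
    printf '%s\n' 'db.logs.query.obfuscate_literals=true' > "$demo/neo4j.conf"
    : > "$demo/query.log"; chmod 644 "$demo/query.log"
    set -- "$demo/neo4j.conf" "$demo/query.log"
fi
audit_conf "$1" && conf_rc=0 || conf_rc=$?
log_is_restricted "$2" && log_rc=0 || log_rc=$?
echo "obfuscation status: $conf_rc, log permission status: $log_rc"
if [ -n "${demo:-}" ]; then rm -rf "$demo"; fi
```

On the constructed demo files the script reports status 1 for both checks: literals are obfuscated but errors are not, and the log is readable beyond its owner.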
CVSS Information
N/A
Vulnerability Type
Information Exposure Through Log Files
Vulnerability Title
Neo4j Enterprise Edition and Neo4j Community Edition Security Vulnerability
Vulnerability Description
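Neo4j Enterprise Edition and Neo4j Community Edition are both graph databases from Neo4j, a US company. Neo4j Enterprise and Neo4j Community versions prior to 2026.01.3 and prior to 5.26.21 contain a security vulnerability that stems from error information in the query log not being redacted, which may lead to information disclosure.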
CVSS Information
N/A
Vulnerability Type
N/A