{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-01T17:08:15.277","vulnerabilities":[{"cve":{"id":"CVE-2026-1524","sourceIdentifier":"3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6","published":"2026-03-11T17:16:54.477","lastModified":"2026-03-12T21:08:22.643","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"An edgecase in SSO implementation in Neo4j Enterprise edition versions prior to version 2026.02 can lead to unauthorised access under the following conditions:\n\n\nIf a neo4j admin configures two or more OIDC providers AND configures one or more of them to be an authorization provider AND configures one or more of them to be authentication-only, then those that are authentication-only will also provide authorization. This edgecase becomes a security problem only if the authentication-only provider contains groups which have higher privileges than provided by the intended (configured) authorization provider.  \n\nWhen using multiple plugins for authentication and authorisation, prior to the fix the issue could lead to a plugin configured to provide only authentication or authorisation capabilities erroneously providing both capabilities. \n\nWe recommend upgrading to versions 2026.02 (or 5.26.22) where the issue is fixed."},{"lang":"es","value":"Un caso límite en la implementación de SSO en versiones de Neo4j Enterprise edition anteriores a la versión 2026.02 puede llevar a un acceso no autorizado bajo las siguientes condiciones:\n\nSi un administrador de Neo4j configura dos o más proveedores OIDC Y configura uno o más de ellos como proveedor de autorización Y configura uno o más de ellos para ser solo de autenticación, entonces aquellos que son solo de autenticación también proporcionarán autorización. Este caso límite se convierte en un problema de seguridad solo si el proveedor solo de autenticación contiene grupos que tienen privilegios más altos que los proporcionados por el proveedor de autorización previsto (configurado).\n\nAl usar múltiples plugins para autenticación y autorización, antes de la corrección, el problema podría llevar a que un plugin configurado para proporcionar solo capacidades de autenticación o autorización proporcionara erróneamente ambas capacidades.\n\nRecomendamos actualizar a las versiones 2026.02 (o 5.26.22) donde el problema está corregido."}],"metrics":{"cvssMetricV40":[{"source":"3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Green","baseScore":2.1,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"HIGH","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NO","Recovery":"USER","valueDensity":"DIFFUSE","vulnerabilityResponseEffort":"MODERATE","providerUrgency":"GREEN"}}]},"weaknesses":[{"source":"3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6","type":"Secondary","description":[{"lang":"en","value":"CWE-287"},{"lang":"en","value":"CWE-863"}]}],"references":[{"url":"https://neo4j.com/security/CVE-2026-1524","source":"3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6"}]}}]}