mcp-neo4j-cypher Read-Only Mode Bypass via Stored Procedures (CVE-2026-35402)
AI relevance: The mcp-neo4j-cypher server connects LLM agents directly to Neo4j graph databases, so a read-only bypass means any agent relying on that mode can silently mutate data or trigger SSRF through stored procedures.
What happened
- CVE-2026-35402 is an improper access control vulnerability in the mcp-neo4j-cypher MCP server, published April 17, 2026.
- The server's read-only mode uses a regex-based keyword blocklist to filter Cypher queries — a fragile defense that fails against
CALLstored procedure invocations. - Authenticated users and LLM agents can bypass read-only restrictions by wrapping write operations inside stored procedures, effectively modifying data despite the "read-only" label.
- The bypass also enables SSRF vectors, since stored procedures can initiate network calls from within the Neo4j database engine.
- Regex blocklists for query sanitization are a known anti-pattern; Neo4j's own security guidance recommends role-based access control and parameterized queries instead.
- The MCP server pattern — spawning graph DB access as a subprocess with string-based input filtering — mirrors the broader MCP STDIO command-injection problem OX Security documented across the ecosystem in April 2026.
Why it matters
Graph databases are increasingly used as knowledge stores for RAG pipelines and agent memory systems. An LLM agent with "read-only" Neo4j access should not be able to modify nodes, create relationships, or trigger server-side stored procedures that reach external services. This CVE demonstrates that string-filtering approaches to MCP server input validation are insufficient when the underlying protocol (Cypher) has powerful procedure-calling primitives.
What to do
- If you run mcp-neo4j-cypher, update to the patched version immediately.
- Do not rely on regex keyword blocklists for MCP server input validation — use database-level role-based access control with separate read-only credentials.
- Audit your Neo4j instance for stored procedures that could be abused as SSRF vectors (e.g.,
apoc.load.*). - For any MCP server that wraps a database or external system, implement allowlist-based tool definitions rather than blocklist-based input filtering.