Langroid CVE-2026-55615 — Prompt-to-Cypher Injection Enables RCE via Neo4j

AI relevance: Langroid is a popular multi-agent LLM framework — this CVE demonstrates that the prompt-to-injection pattern first found in SQL agents repeats identically in graph database agents, expanding the attack surface for any Langroid deployment connected to Neo4j.

What was found

  • CVE-2026-55615 (CVSS 9.5): Langroid's Neo4jChatAgent passes LLM-generated Cypher queries directly to the Neo4j driver with no validation or sanitization.
  • This is a prompt-to-Cypher injection attack — functionally identical to the prompt-to-SQL injection pattern previously disclosed as CVE-2026-25879 in Langroid's SQLChatAgent.
  • An attacker who can influence the LLM's output (via prompt injection in retrieved documents, user input, or tool responses) can coerce the agent into generating malicious Cypher statements.
  • Neo4j supports server-side procedures and OS-level commands in certain configurations — meaning crafted Cypher can escalate to full remote code execution on the database host.
  • The vulnerability is config-conditional: exploitation requires the Langroid agent to be configured with Neo4j connectivity, which is a common deployment pattern for knowledge-graph-based RAG applications.

The pattern repeats

  • CVE-2026-25879 (SQLChatAgent → PostgreSQL COPY FROM PROGRAM) was disclosed in May 2026. The fix sanitized SQL output before execution.
  • CVE-2026-55615 is the same architectural flaw in a different agent — LLM output goes straight to a database query engine without validation. The only difference is the query language.
  • This suggests the underlying pattern — "LLM generates database query, framework executes it blindly" — may exist in other Langroid agents or similar multi-agent frameworks that connect to databases.

Why it matters

Graph databases are increasingly used as the backbone of RAG pipelines for enterprise knowledge management. A prompt-to-Cypher injection in this context means an attacker who can poison a single document in the knowledge base can potentially achieve RCE on the database server — without ever authenticating to Neo4j directly. The attack chain is: poison document → agent retrieves it → LLM generates malicious Cypher → Neo4j executes it → attacker has code execution.

What to do

  • Upgrade Langroid to the latest version with the CVE-2026-55615 fix.
  • If you use Neo4jChatAgent: add query validation and allowlisting before Cypher reaches the Neo4j driver. Block any Cypher containing apoc procedures or CALL statements that invoke OS-level commands.
  • Audit all custom Langroid agents that connect to databases — check whether LLM-generated queries are sanitized before execution.
  • Apply the same defense-in-depth used for SQL injection: least-privilege database accounts, read-only replicas for RAG queries, and network segmentation between agents and database servers.
  • Monitor Neo4j query logs for unusual CALL or apoc invocations that deviate from expected agent behavior.

Sources