Langroid CVE-2026-55615 — Prompt-to-Cypher Injection Enables RCE via Neo4j
AI relevance: Langroid is a popular multi-agent LLM framework — this CVE demonstrates that the prompt-to-injection pattern first found in SQL agents repeats identically in graph database agents, expanding the attack surface for any Langroid deployment connected to Neo4j.
What was found
- CVE-2026-55615 (CVSS 9.5): Langroid's
Neo4jChatAgentpasses LLM-generated Cypher queries directly to the Neo4j driver with no validation or sanitization. - This is a prompt-to-Cypher injection attack — functionally identical to the prompt-to-SQL injection pattern previously disclosed as CVE-2026-25879 in Langroid's
SQLChatAgent. - An attacker who can influence the LLM's output (via prompt injection in retrieved documents, user input, or tool responses) can coerce the agent into generating malicious Cypher statements.
- Neo4j supports server-side procedures and OS-level commands in certain configurations — meaning crafted Cypher can escalate to full remote code execution on the database host.
- The vulnerability is config-conditional: exploitation requires the Langroid agent to be configured with Neo4j connectivity, which is a common deployment pattern for knowledge-graph-based RAG applications.
The pattern repeats
- CVE-2026-25879 (SQLChatAgent → PostgreSQL
COPY FROM PROGRAM) was disclosed in May 2026. The fix sanitized SQL output before execution. - CVE-2026-55615 is the same architectural flaw in a different agent — LLM output goes straight to a database query engine without validation. The only difference is the query language.
- This suggests the underlying pattern — "LLM generates database query, framework executes it blindly" — may exist in other Langroid agents or similar multi-agent frameworks that connect to databases.
Why it matters
Graph databases are increasingly used as the backbone of RAG pipelines for enterprise knowledge management. A prompt-to-Cypher injection in this context means an attacker who can poison a single document in the knowledge base can potentially achieve RCE on the database server — without ever authenticating to Neo4j directly. The attack chain is: poison document → agent retrieves it → LLM generates malicious Cypher → Neo4j executes it → attacker has code execution.
What to do
- Upgrade Langroid to the latest version with the CVE-2026-55615 fix.
- If you use
Neo4jChatAgent: add query validation and allowlisting before Cypher reaches the Neo4j driver. Block any Cypher containingapocprocedures orCALLstatements that invoke OS-level commands. - Audit all custom Langroid agents that connect to databases — check whether LLM-generated queries are sanitized before execution.
- Apply the same defense-in-depth used for SQL injection: least-privilege database accounts, read-only replicas for RAG queries, and network segmentation between agents and database servers.
- Monitor Neo4j query logs for unusual
CALLorapocinvocations that deviate from expected agent behavior.