CVE-2025-12738 LOW

CVE-2025-12738: Enumeration of restricted property value

Vendor Neo4j
Product Enterprise Edition
Weakness CWE-200 · Info exposure
Published January 22, 2026
Last update January 22, 2026

CVSS base score

1.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/V:D

What the vulnerability does

01 Description

Neo4j Enterprise edition versions prior to 2025.11.2 and 5.26.17 are vulnerable to a potential information disclosure by an attacker who has some legitimate access to the database. The vulnerability allows an attacker without read access to a property to infer information about its value by trying to enumerate all possible values while observing the error messages of SET property. We recommend upgrading to 2025.11.2 or 5.26.17 and above, where the issue is fixed.

Key dates

02 Disclosure timeline

January 22, 2026 CVE published
January 22, 2026 Record updated