Improper Data Query Logic in Apache Camel's Neo4J Component
CVE-2026-46591

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
6 July 2026

What is CVE-2026-46591?

The Apache Camel Neo4J component suffers from a vulnerability that allows for improper neutralization of special elements in data query logic. Specifically, it arises from how the camel-neo4j producer constructs Cypher queries from the CamelNeo4jMatchProperties map. Despite prior measures addressing Cypher injection in property values, vulnerability remains in the property names, which are directly concatenated into query strings. This flaw can lead to an attacker successfully injecting arbitrary Cypher code via manipulated property names, enabling unauthorized access to read, modify, or delete nodes or relationships within the Neo4j database. It is critical for users to upgrade to the latest versions to mitigate this risk and to apply strict validation on input to prevent exploitation.

Affected Version(s)

Apache Camel 4.10.0 < 4.14.8

Apache Camel 4.15.0 < 4.18.3

Apache Camel 4.19.0 < 4.21.0

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Yu Bao from Paypal
Andrea Cosentino
.