Improper Data Query Logic in Apache Camel's Neo4J Component
CVE-2026-46591
What is CVE-2026-46591?
The Apache Camel Neo4J component suffers from a vulnerability that allows for improper neutralization of special elements in data query logic. Specifically, it arises from how the camel-neo4j producer constructs Cypher queries from the CamelNeo4jMatchProperties map. Despite prior measures addressing Cypher injection in property values, vulnerability remains in the property names, which are directly concatenated into query strings. This flaw can lead to an attacker successfully injecting arbitrary Cypher code via manipulated property names, enabling unauthorized access to read, modify, or delete nodes or relationships within the Neo4j database. It is critical for users to upgrade to the latest versions to mitigate this risk and to apply strict validation on input to prevent exploitation.
Affected Version(s)
Apache Camel 4.10.0 < 4.14.8
Apache Camel 4.15.0 < 4.18.3
Apache Camel 4.19.0 < 4.21.0