CVE-2026-55615: Langroid: Neo4jChatAgent executes LLM-generated Cypher without validation (prompt-to-Cypher injection; config-conditional RCE), mirroring the SQLChatAgent bug fixed in CVE-2026-25879
Langroid is a framework for building large-language-model-powered applications. Prior to version 0.65.5, Neo4jChatAgent passes LLM-generated Cypher queries straight to the Neo4j driver with no validation, no statement-type allowlist, and no opt-out gate. The query text is influenceable by prompt injection (direct user input or indirect content the agent reads back via RAG), so an attacker who can influence the prompt can read or destroy all graph data and, when APOC or dbms.security procedures are enabled on the server, achieve OS-command and filesystem access. This is the same defect class and threat model as the SQLChatAgent prompt-to-SQL-to-RCE issue fixed in version 0.63.0 (CVE-2026-25879); that fix did not extend to the neo4j module. Version 0.65.5 contains a fix for the neo4j module.
Security readout for executives and security teams
Plain-English summary
Langroid applications using Neo4jChatAgent before 0.65.5 may let attacker-influenced prompts become database queries. That can expose or destroy graph data. In higher-risk Neo4j configurations with APOC or dbms.security procedures enabled, the advisory says filesystem or OS-command access may be possible.
Executive priority
Treat this as urgent for any Langroid system connected to Neo4j. Prioritize externally reachable chat, agent, or RAG applications because normal user input may be enough to influence database operations.
Technical view
Neo4jChatAgent executed LLM-generated Cypher through the Neo4j driver without validation, a statement-type allowlist, or an opt-out gate. Prompt injection through user input or retrieved content could influence Cypher execution. The issue affects langroid versions before 0.65.5 and is fixed in 0.65.5.
Likely exposure
Exposure is likely limited to Langroid deployments using Neo4jChatAgent with attacker-influenceable prompts or RAG content. Impact increases when the Neo4j account is highly privileged or server-side APOC/dbms.security procedures are enabled.
Exploitation context
No provided source reports active exploitation, and KEV is false. The threat model is prompt-to-Cypher injection: attacker-controlled or indirect prompt content changes generated Cypher that the agent executes without validation.
Researcher notes
The public bundle attributes the flaw to missing Cypher validation in Neo4jChatAgent and compares it to the earlier SQLChatAgent issue. Sources identify the affected range and fixed version, but do not provide independent exploitation evidence.
Mitigation direction
Upgrade langroid to version 0.65.5 or later.
Pause or restrict Neo4jChatAgent use until upgraded.
Run Neo4j with least-privilege credentials for Langroid integrations.
Disable or tightly restrict risky Neo4j APOC and dbms.security procedures.
Check vendor guidance before applying compensating controls not documented in sources.
Validation and detection
Inventory applications and lockfiles for langroid versions below 0.65.5.
Identify code paths using Neo4jChatAgent or Neo4j-backed RAG workflows.
Verify deployed environments actually run the upgraded dependency.
Review Neo4j privileges granted to the Langroid application account.
Inspect Neo4j logs for unexpected writes, deletes, or procedure calls.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-74: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
1ADP providers
3Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: yesTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-74 · source CWE mapping
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.