Vulnerability  ·  2026-07-11

Langroid Neo4jChatAgent — Unvalidated LLM-Generated Cypher Enables Graph Data Destruction and Potential RCE (CVSS 9.2)

VulnerabilityHigh impactGlobalCVE-2026-55615
Langroid's Neo4jChatAgent passes LLM-generated Cypher queries directly to the Neo4j driver with no validation, no statement-type allowlist, and no opt-out gate. Since query text is influenceable by prompt injection (direct user input or indirect RAG-ingested content), an attacker who can influence the prompt can read or destroy all graph data, and — when APOC or dbms.security procedures are enabled — achieve OS-command and filesystem access on the Neo4j server. Same defect class as the previously-fixed SQLChatAgent prompt-to-SQL-to-RCE issue (CVE-2026-50180) in version 0.63.
This extends a known unsafe-code-generation pattern (prompt-to-query-to-RCE) from SQL to graph databases, meaning any Langroid deployment integrating Neo4j for chat/RAG is exposed to full graph destruction via prompt injection, with a path to host-level RCE depending on Neo4j configuration — a high-severity, widely-applicable agent-framework flaw.
Prompt injection causes LLM to generate malicious Cypher queries passed unvalidated to Neo4j driver, enabling data destruction and, with APOC/dbms.security enabled, OS command execution
Langroid (pip package) Neo4jChatAgent < 0.65.5
Upgrade to Langroid ≥0.65.5; disable APOC/dbms.security procedures on production Neo4j instances used by chat agents
TenableMallory.ai
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →