What happened
Langroid's Neo4jChatAgent passes LLM-generated Cypher queries directly to the Neo4j driver with no validation, no statement-type allowlist, and no opt-out gate. Since query text is influenceable by prompt injection (direct user input or indirect RAG-ingested content), an attacker who can influence the prompt can read or destroy all graph data, and — when APOC or dbms.security procedures are enabled — achieve OS-command and filesystem access on the Neo4j server. Same defect class as the previously-fixed SQLChatAgent prompt-to-SQL-to-RCE issue (CVE-2026-50180) in version 0.63.
Why it matters
This extends a known unsafe-code-generation pattern (prompt-to-query-to-RCE) from SQL to graph databases, meaning any Langroid deployment integrating Neo4j for chat/RAG is exposed to full graph destruction via prompt injection, with a path to host-level RCE depending on Neo4j configuration — a high-severity, widely-applicable agent-framework flaw.
Attack vector
Prompt injection causes LLM to generate malicious Cypher queries passed unvalidated to Neo4j driver, enabling data destruction and, with APOC/dbms.security enabled, OS command execution
Affected systems
Langroid (pip package) Neo4jChatAgent < 0.65.5
Mitigation
Upgrade to Langroid ≥0.65.5; disable APOC/dbms.security procedures on production Neo4j instances used by chat agents