Release Date: 2 April 2026

Release Note for Neo4j 2026.03.1 (2 April 2026)

Server

• Attribute-Based Access Control (ABAC) – a new capability that enables users to secure access to data or administrative capabilities with granular, context-aware auth rules. Access is dynamically granted using rules written in Cypher 25 that evaluate real-time attributes from a user’s OpenID Connect (OIDC) SSO token, or environmental factors like date / time. See Operations manual -> Authentication and authorization -> Attribute-based access control.
• Fleet Manager is now built-in and ready by default. Go to https://console.neo4j.io/ to set it up. If you have previously used the Fleet Manager plugin to connect your Neo4j deployment to Fleet Manager, upgrading to this release will no longer need the plugin, and this should be removed after the upgrade. See Aura documentation.
• Fleet Manager from this release supports a collection of aggregate query logs for display in the Aura console. This feature will require the Neo4j deployment to be registered with Fleet Manager, and the db.logs.query.obfuscate_literals=true configuration to be set in order to use the feature. NOTE: This will obfuscate the literals in the local query log files as well.
• Cross-Cluster Database replication is available as a public Early Access Preview. This enables users to continuously replicate a database across separate Neo4j clusters as a read-only copy. On failure of the upstream, the replica can be ‘promoted’ to a write-enabled database. The feature is available in early access preview through a set of procedures – this may change in the future for general availability. For details, see the Operations manual -> Replicating databases across clusters.
•  Added a new setting `db.memory.pagecache.warmup.order` that controls the order in which database files are loaded during page cache warmup. This allows optimization of startup performance by prioritizing critical files. For details, see the Operations manual -> Performance tips.
• Improved replication of transactions in a cluster to ensure a transaction is only written once to the replication log, even when multiple replication attempts are made.
• Fixed an issue where large CSV from cloud storage stores could close the underlying SDK client prematurely

 

Neo4j-admin

• The database copy command now supports using a backup of a standard Neo4j DB using the options: –source-location and –source-format to the neo4j-admin database copy command. This allows creating a sharded database directly from a backup artifact, without needing a stopped database. See Operations Manual -> Resharding a database.
• To improve observability and debugging, each neo4j-admin import process now automatically generates a dedicated context directory within the server/data/imports folder. This isolated directory centralizes all job-specific data, including various logs, detailed progress tracking, and issue reporting. To better support automation and monitoring tools, both progress and issue reports are now formatted in structured JSON. (Note: Using the –report-file option will override this default location). See Operations Manual -> Import -> Import progress reporting.

Security

• Patch jetty to version 12.0.33 to resolve CVE-2026-1605, a vulnerability in the GzipHandler that can cause a memory leak when handling certain compressed HTTP requests. This issue could be exploited to exhaust server memory and trigger a denial-of-service (DoS) condition.
• Added new security configurations to the neo4j.conf configuration file to control how X-Forwarded-Host network headers are used in the database.server.http.x_forward.enabled server.http.x_forward.allow_hosts server.http.x_forward.allow_proxies server.http.x_forward.private_ips_enabledBy default, X-Forwarded-Host headers are accepted by the database and can be used by externally provided capability such as user-defined functions.  If these headers are not needed, it is recommended to disable them by setting the server.http.x_forward.enabled option to false, to improve overall security.  In a future release of Neo4j, X-Forwarded-Host headers will be disabled by default as they are not needed for standard deployments.Additional details are in the documentation: Operations Manual -> Configuration -> Configuration settings

 

Cypher

Cypher 25 additive features

• ACYCLIC path mode now available: When used in a MATCH statement, specifies that a node cannot be traversed more than once in a solution to the graph pattern, avoiding loops. In the current implementation, it cannot be used in conjunction with ANY or SHORTEST. This limitation will be lifted in future releases. See Patterns -> Path modes for details.
• Added real-time progress tracking for LOAD CSV and Cypher-based ingestion jobs in Neo4j using the command SHOW TRANSACTIONS. It allows users to see a set of key metrics for tracking the progress. See Clauses -> SHOW TRANSACTIONS.
• GQL conformance: Cypher now implements the GQL optional function PROPERTY_EXISTS().

 

Bug fix

Server

• Fixed a bug for sharded databases: db.prepareForReplanning respects custom timeout
• neo4j-admin import tool now requires the –delimiter option to be a single-byte UTF-8 character.

Cypher

• Fixed a bug in pipelined runtime where some queries with EXISTS-subqueries planned with SelectOrSemiApply could in special circumstances cause incorrect intermediate result rows to be produced. The circumstances depend on a combination of the structure of the query, the input parameters and the queried data set. The bug did not affect parallel runtime. It could occur in cases where the order of intermediate rows needs to be preserved by SelectOrSemiApply, i.e. when it is planned on the right-hand side of an Apply or the plan relies on indexed-backed order. The symptoms and error messages triggered by the bug could vary. There is a theoretical risk that in the worst case it could potentially have resulted in incorrect data being written to the graph or an incorrect result returned to the client, even though we have seen no such example.
• Dynamic labels: Dynamic lookups now use locking index seeks when required, whereas previously they were vulnerable to constraint violations if used concurrently in a merge context.
• Fixed a regression in Cloud Object Storage Integration (COSI) where the S3/Cloud SDK client was prematurely closed during LOAD CSV operations. This resolves intermittent Neo.DatabaseError.Statement.ExecutionFailed errors (specifically “Unable to get the next chunk of data”) that occurred during long-running imports from S3-backed storage.

  Please refer to the changelog for full details of the changes.  

Bundled products

The following products have been included in the distribution – available in /products directory unless stated otherwise – and are fully compatible with this release.

• APOC Core 2026.03.1 – The most popular community library developed for the database, is fully supported (included in Labs directory).
• Bloom 6.x-2.31.0 – A beautiful and expressive data visualization tool to quickly explore and interact with Neo4j’s graph data platform – no coding required. Please refer to the release notes for details.  (Requires a License)
• Browser 2026.03.23+0  – Neo4j Browser is a tool for developers to interact with the graph. It is the default interface for both Enterprise and Community Editions (included in the /libs directory) of the Neo4j database.
• Neo4j GenAI Plugin 2026.03.1 – Neo4j’s GenAI plugin provides functions and procedures to interact with external AI providers through Cypher, such as for creating vector embeddings and generating text. Added new aggregating text completion functions to the GenAI Plugin, ai.text.aggregateCompletion and ai.text.aggregateStructuredCompletion.
• Neo4j Graph Data Science 2026.03.0 is a compatible version of the connected data analytics and machine learning platform that helps you understand the connections in big data to answer critical questions and improve predictions. Please refer to the release notes for further details. (GDS Enterprise requires a License. )
• Enterprise Fleet Management is no longer bundled with the DBMS package as it is now included in Neo4j.
• Neo4j Ops Manager 1.15.0 is a UI-based tool that enables Administrators to operate and observe all of their Neo4j Database Management Servers. Now includes support for Neo4j’s any-to-any upgrade. Please refer to the release notes for details. (Included in Enterprise).