Release Date: 31 March 2026

Release Note for Neo4j 5.26.24 (31 March 2026)

Server

  • Fixed a bug where the last group of an unbracketed IPv6 address was misinterpreted as a port in the server.default_advertised_address setting.
  • Fixed an issue where loading a large CSV file from cloud storage could close the underlying SDK client prematurely.
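As an added illustration of the IPv6 address/port bug fixed above (example code, not Neo4j's own), the following Python contrasts a naive split-on-last-colon parse with a bracket-aware one; the default port of 7687 and the sample addresses are constructed for the example.

```python
import ipaddress
from typing import Optional, Tuple


def naive_split(addr: str) -> Tuple[str, Optional[int]]:
    """Buggy interpretation: split on the last ':' and treat a numeric tail as the port.
    For an unbracketed IPv6 literal this swallows the final hextet."""
    host, sep, tail = addr.rpartition(":")
    if sep and tail.isascii() and tail.isdigit():
        return host, int(tail)
    return addr, None


def _port(text: str) -> int:
    """Accept only an ASCII decimal port in 1..65535."""
    if not (text.isascii() and text.isdigit()) or not 1 <= int(text) <= 65535:
        raise ValueError(f"invalid port: {text!r}")
    return int(text)


def parse_advertised_address(addr: str, default_port: int = 7687) -> Tuple[str, int]:
    """Bracket-aware parsing of host[:port] (default port is a constructed assumption).

    - '[v6]' or '[v6]:port'  -> IPv6 literal, port optional
    - bare text with 2+ ':'  -> unbracketed IPv6 literal, never a port
    - 'host' or 'host:port'  -> hostname / IPv4, port optional
    """
    addr = addr.strip()
    if addr.startswith("["):
        end = addr.find("]")
        if end == -1:
            raise ValueError(f"unterminated IPv6 literal: {addr!r}")
        host = addr[1:end]
        ipaddress.IPv6Address(host)  # raises on an invalid literal
        rest = addr[end + 1:]
        if rest == "":
            return host, default_port
        if rest.startswith(":"):
            return host, _port(rest[1:])
        raise ValueError(f"unexpected text after IPv6 literal: {addr!r}")
    if addr.count(":") > 1:
        ipaddress.IPv6Address(addr)  # unbracketed: the whole string is the address
        return addr, default_port
    host, sep, port = addr.partition(":")
    if not host:
        raise ValueError(f"empty host in {addr!r}")
    return host, (_port(port) if sep else default_port)
```

The naive parser turns the constructed literal 2001:db8::1:7687 into host 2001:db8::1 on port 7687, which is the class of misinterpretation the fix addresses.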
Security

  • Upgraded Apache Shiro to 2.1.0 to mitigate CVE-2026-23901 and CVE-2026-23903.
    • Apache Shiro versions 1.x and 2.x before 2.0.7 have a timing discrepancy vulnerability allowing brute-force attacks to distinguish between non-existent users and incorrect passwords.
    • Apache Shiro 2.1.0 or later is required to address an authentication bypass vulnerability affecting static files on case-insensitive filesystems.
  • Upgraded Eclipse Jetty to 12.0.33 to resolve CVE-2026-1605.
    • Earlier Eclipse Jetty versions have a vulnerability in GzipHandler that causes a memory leak when a compressed HTTP request is processed without a compressed response.
  • Upgraded Jackson to 2.21.1 to resolve GHSA-72hv-8253-57qq.
    • Jackson-core's async JSON parser in earlier versions bypasses the maxNumberLength constraint, allowing attackers to cause Denial of Service (DoS) through excessive memory allocation.

Please refer to the changelog for full details of the changes.

Bundled Packages:

  • labs/apoc-5.26.24
  • lib/neo4j-browser-2026.03.27+0
  • products/bloom-plugin-5.x-2.31.0
  • products/neo4j-genai-plugin-5.26.24
  • products/neo4j-graph-data-science-2.13.8
  • products/neo4j-ops-manager-agent-1.15.0
  • product/fleetManagement-1.1.1