GHSA-wrr4-782v-jhwh: neotoma has tenant isolation gap in relationship query endpoints
The /list_relationships and /retrieve_graph_neighborhood endpoints call getAuthenticatedUserId (confirming a valid session exists) but do not pass the resolved user ID into the Supabase query as an .eq("user_id", userId) filter. As a result, queries return rows from all users rather than scoping to the authenticated caller’s data.
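As an added illustration (not code from the neotoma project), the two handler shapes side by side, run against a constructed in-memory stand-in for the supabase-js query builder: the table name `relationships`, the sample rows, `makeClient` and its `run()` terminator are assumptions made for this example, not the project's API.

```javascript
// Constructed sample data standing in for a Supabase "relationships" table
// that holds rows owned by two different tenants.
const RELATIONSHIPS = [
  { id: 1, user_id: "user-a", source: "alice", target: "bob", type: "knows" },
  { id: 2, user_id: "user-a", source: "alice", target: "carol", type: "works_with" },
  { id: 3, user_id: "user-b", source: "dave", target: "erin", type: "knows" },
];

// Minimal synchronous stand-in for the supabase-js builder (assumption: the real
// client is async/thenable; run() replaces awaiting it). Chained .eq() calls
// narrow the row set just as they do in the real client.
function makeClient(tables) {
  return {
    from(name) {
      let rows = tables[name] || [];
      const builder = {
        select() { return builder; },
        eq(column, value) { rows = rows.filter((r) => r[column] === value); return builder; },
        run() { return { data: rows, error: null }; },
      };
      return builder;
    },
  };
}

// Stand-in for the session check the advisory describes: returns the caller's
// user ID from a valid session, or throws when there is none.
function getAuthenticatedUserId(session) {
  if (!session || !session.userId) throw new Error("unauthenticated");
  return session.userId;
}

// Vulnerable shape: the session is validated, but the resolved ID is never
// applied to the query, so rows belonging to every tenant are returned.
function listRelationshipsVulnerable(client, session) {
  getAuthenticatedUserId(session);
  return client.from("relationships").select("*").run().data;
}

// Hardened shape: the same resolved ID is passed into the query as the
// .eq("user_id", userId) filter the advisory says is missing.
function listRelationshipsFixed(client, session) {
  const userId = getAuthenticatedUserId(session);
  return client.from("relationships").select("*").eq("user_id", userId).run().data;
}

// Regression-test helper: true only when every returned row belongs to the caller.
function allRowsOwnedBy(rows, userId) {
  return rows.every((r) => r.user_id === userId);
}
```

A test asserting `allRowsOwnedBy` over each tenant-scoped endpoint is a cheap way to catch this class of regression before it ships.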