Neo4j Labs MCP Servers: SSRF and Data Modification via read_only Mode Bypass Through CALL Procedures
The read_only mode in mcp-neo4j-cypher versions prior to 0.6.0 can be bypassed using CALL procedures.
Advisories for Pypi/Mcp-Neo4j-Cypher package
2026
2025
Neo4j Cypher MCP server is vulnerable to DNS rebinding
DNS rebinding vulnerability in Neo4j Cypher MCP server allows malicious websites to bypass Same-Origin Policy protections and execute unauthorised tool invocations against locally running Neo4j MCP instances. The attack relies on the user being enticed to visit a malicious website and spend sufficient time there for DNS rebinding to succeed.