Improper Neutralization of Special Elements in Data Query Logic vulnerability in Apache Camel Neo4J component. The camel-neo4j producer builds the Cypher WHERE clause for its match/retrieve and delete operations from the CamelNeo4jMatchProperties map. CVE-2025-66169 addressed Cypher injection through the property values by binding them as query parameters ($paramN), but the property names (the JSON keys of that map) were still concatenated into the query string verbatim in Neo4jProducer.retrieveNodes() and deleteNode(). A property name containing Cypher syntax therefore alters the structure of the executed query. Where a route maps untrusted input into the CamelNeo4jMatchProperties map - for example by passing a request body as the match map, or from a consumer that does not filter inbound Camel* headers - an attacker who controls the JSON key names can inject arbitrary Cypher and read, modify or delete any node or relationship in the Neo4j database. The CamelNeo4jMatchProperties head
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
This vulnerability represents an incomplete fix to CVE-2025-66169 in Apache Camel's Neo4j component. While the previous vulnerability addressed parameter injection through property values, attackers can now exploit unparameterized property names in Cypher WHERE clause construction. When the camel-neo4j producer builds queries from CamelNeo4jMatchProperties maps, property names are concatenated directly into the query string without sanitization or parameterization. This allows attackers to inject arbitrary Cypher syntax and logic through crafted JSON keys, potentially enabling data exfiltration, unauthorized modifications, or complete database compromise. Organizations using Apache Camel with Neo4j backends—particularly those in financial services, healthcare, and identity management—face immediate risk from both internal and external threat actors.
Casky's security skills leverage Claude's extended reasoning to detect the attack patterns underlying this injection vulnerability by analyzing data flow from untrusted map inputs into query construction logic. While MITRE ATT&CK techniques aren't formally mapped to this CVE, practitioners using Casky would observe findings related to CWE-943 (Improper Neutralization of Special Elements in Data Query Logic) through detection of: unsanitized property name concatenation, absence of parameterized query construction for identifiers, and suspicious Cypher syntax patterns in application logs. Casky's skills would flag scenarios where user-controlled data structures bypass parameterization boundaries, helping practitioners identify whether their Neo4j integrations are vulnerable before exploitation occurs in their environments.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-46591. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation