2026-05-04
Upgraded Neo4j to 5.26.25
The Neo4j cluster module has been bumped from 5.26.12 to 5.26.25, picking up several patch fixes on the 5.26 LTS line. Both the Helm chart (neo4j, neo4j-admin, neo4j-headless-service) and the Neo4j server image (neo4j:5.26.25-enterprise) move together.
Notable patch highlights between 5.26.13 and 5.26.25
- Security: CVE patches across bundled libraries — Jetty 12.0.33 (CVE-2026-1605), Jackson 2.21.1 (GHSA-72hv-8253-57qq), Apache Shiro 2.1.0 (CVE-2026-23901, CVE-2026-23903), Parquet, lz4 (CVE-2025-66566), Jersey (CVE-2025-12383), Azure SDKs (CVE-2025-53864), and google-cloud-storage (CVE-2025-55163). Cypher hardening for CVE-2025-12738 and CVE-2025-11602. LDAP authentication now rejects 0-length passwords.
- Clustering: Fixes for seed syncing on quorum recovery (5.26.25), a concurrency issue when recreating multiple databases simultaneously (5.26.22), a store-copy bug that pulled the same transactions multiple times (5.26.19), and stricter wait-for-apply on secondaries before stop (5.26.15).
- Backup / neo4j-admin:
neo4j-admin database dump --overwrite-destinationno longer produces corrupt.dumpfiles (5.26.17), and large backups (>8 GB) to cloud object stores no longer fail (5.26.17). The backup tool now deletes the local store-file copy after packaging. - Kernel: ID reuse and store-growth fixes (5.26.25), a relationship-iteration bug under concurrent dense-node transitions (5.26.25), and a fix for IPv6 addresses being misparsed in
server.default_advertised_address(5.26.24). Imports now handle relationships with up to ~2 GiB of property data instead of ~10 MiB (5.26.19). - Cypher: Optimizations to path comparisons (5.26.18) and parallel-runtime queue maintenance (5.26.19), an eager-operator fix for entities returned via Maps/Lists (5.26.19), and async transaction termination so it no longer blocks external connections (5.26.19, 5.26.20).