Neo4j MCP Server (Cypher) — agentic threat model
The Neo4j MCP Server presents a high-risk profile due to its capability to execute arbitrary Cypher read/write queries and manage Aura instances, effectively delegating complete database access to the calling agent. Without strict credential scoping or query-filtering guardrails, it is highly vulnerable to prompt injection attacks that can lead to data exfiltration or destruction.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.80 |
| Goal-Driven Planning | 0.10 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.90 |
| Persistent Memory | 0.00 |
| Contextual Awareness | 0.20 |
| Dynamic Identity | 0.40 |
| Multi-Agent Interactions | 0.10 |
| Non-Determinism | 0.30 |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged "Not certain from the listing" carry general, caveated commentary because the public description did not address that layer.
- Layer 1, Foundation Models: Not certain from the listing. The MCP server itself does not bundle a foundation model but relies on the calling agent's LLM. Threats include prompt injection that leads the LLM to generate malicious Cypher.
- Layer 2, Data Operations: This layer is the core of the tool. It exposes the entire graph database (read/write) and its schema. Threats include unauthorized data exfiltration, data poisoning via malicious write queries, and schema manipulation.
- Layer 3, Agent Frameworks: Integrates via the Model Context Protocol (MCP). Threats include insecure tool integration where the orchestrating framework fails to validate or restrict the generated Cypher queries before execution.
- Layer 4, Deployment and Infrastructure: Not certain from the listing. The server runs as a companion/MCP process. Threats include exposed local ports, insecure storage of database/Aura credentials, and lack of network isolation between the MCP server and the Neo4j instance.
- Layer 5, Evaluation and Observability: Not certain from the listing. No built-in guardrails, query sanitization, or logging/monitoring are mentioned. Threats include blind spots where malicious Cypher mutations go undetected for lack of audit logging.
- Layer 6, Security and Compliance: Security is entirely delegated to the database credentials ("bounded only by the connected database credentials"). There is no fine-grained authorization or policy enforcement at the MCP layer.
- Layer 7, Agent Ecosystem: Designed for MCP-compliant agents. Threats include cascading failures or unauthorized data access if a compromised upstream agent calls this server to manipulate the graph database.
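The two gaps called out above, no query filtering at the MCP layer and no audit logging, can be narrowed with a deny-by-default gate placed in front of the Neo4j driver call. The following Python is an added example, not code from the Neo4j MCP server; the `ALLOWED_PROCS` allowlist and the audit record format are assumptions.

```python
import hashlib
import re
from dataclasses import dataclass

# Clauses that mutate data or schema. In read-only mode none of these may reach the database.
WRITE_CLAUSES = re.compile(
    r"\b(CREATE|MERGE|DELETE|DETACH|SET|REMOVE|DROP|LOAD\s+CSV|FOREACH)\b", re.IGNORECASE)
# Procedure calls are allowlisted (assumed list) so APOC/dbms admin procedures are refused.
PROC_CALL = re.compile(r"\bCALL\s+([A-Za-z_][\w.]*)", re.IGNORECASE)
ALLOWED_PROCS = {"db.labels", "db.relationshiptypes", "db.schema.visualization"}


@dataclass
class Verdict:
    allowed: bool
    reason: str


def _strip_literals(cypher: str) -> str:
    """Blank out comments and string literals so a keyword inside them is not taken for a clause."""
    cypher = re.sub(r"//[^\n]*", " ", cypher)
    cypher = re.sub(r"/\*.*?\*/", " ", cypher, flags=re.DOTALL)
    return re.sub(r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"", "''", cypher)


def check_query(cypher: str, read_only: bool = True) -> Verdict:
    """Deny-by-default gate. Keyword matching is deliberately conservative: an odd property
    name such as n.create is refused rather than risk letting a mutation through."""
    body = _strip_literals(cypher)
    if read_only:
        hit = WRITE_CLAUSES.search(body)
        if hit:
            return Verdict(False, f"write clause {hit.group(1).upper()} refused in read-only mode")
    for proc in PROC_CALL.findall(body):
        if proc.lower() not in ALLOWED_PROCS:
            return Verdict(False, f"procedure {proc} is not on the allowlist")
    return Verdict(True, "ok")


def audit_record(cypher: str, verdict: Verdict, agent_id: str) -> dict:
    """Structured log entry (assumed format) so every agent-generated query leaves a trail."""
    return {
        "agent": agent_id,
        "query_sha256": hashlib.sha256(cypher.encode()).hexdigest(),
        "allowed": verdict.allowed,
        "reason": verdict.reason,
    }


if __name__ == "__main__":
    for q in ("MATCH (n:Person) RETURN n.name",  # constructed sample queries
              "MATCH (n) DETACH DELETE n",
              "CALL apoc.load.json('http://example.invalid/data.json')"):
        print(audit_record(q, check_query(q), agent_id="demo-agent"))
```

Run the gate before `session.run()` and emit the record to the same sink as the database's own logs, so a refused mutation is visible even when the agent never reports it.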
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).