Neo4j MCP Server — agentic threat model
The Neo4j MCP Server presents a high-risk profile due to its ability to execute arbitrary Cypher queries (including mutations) directly on a graph database. While mitigated by a read-only toggle and basic authentication, it remains highly vulnerable to indirect prompt injection where an LLM is manipulated into executing destructive database commands.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.40 |
| Goal-Driven Planning | 0.10 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.60 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.30 |
| Dynamic Identity | 0.40 |
| Multi-Agent Interactions | 0.10 |
| Non-Determinism | 0.30 |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from the listing” carry general, caveated commentary because the public description did not pin down that layer.
Layer 1, Foundation Models (not certain from the listing): The MCP server itself does not bundle a specific foundation model; it relies on the calling agent's LLM. Threats include indirect prompt injection that leads the LLM to generate malicious Cypher.
Layer 2, Data Operations: The server directly queries and mutates a Neo4j graph database. Threats include unauthorized data exfiltration, data poisoning via Cypher write queries, and lack of fine-grained data lineage.
Layer 3, Agent Frameworks: Integrates via the Model Context Protocol (MCP). Insecure tool integration is a major threat, as the calling agent might execute arbitrary Cypher queries without validation, leading to injection attacks.
Layer 4, Deployment and Infrastructure: Deployed as an MCP server connecting via a Bolt URI. Threats include exposure of Bolt credentials (username/password) in transit or in environment variables, and lack of network sandboxing between the MCP server and the database.
Layer 5, Evaluation and Observability (not certain from the listing): No built-in logging, auditing, or guardrails for Cypher queries are described. Without external observability, malicious or anomalous database mutations may go undetected.
Layer 6, Security and Compliance: Supports basic username/password authentication and a configurable read-only mode toggle. However, it lacks fine-grained authorization (RBAC) at the MCP layer, relying entirely on Neo4j's native database permissions.
Layer 7, Agent Ecosystem (not certain from the listing): In a multi-agent ecosystem, a compromised agent could abuse this MCP server to exfiltrate graph data or corrupt the database, cascading the compromise to other connected systems.
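The read-only toggle is the main mitigation named above for the write-mutation and prompt-injection threats, so the following added Python gate (not code from the Neo4j MCP Server project) shows how an MCP-layer check can fail closed before a query reaches the database, rejecting write clauses and any procedure call that is not on an allowlist. The procedure allowlist and the sample queries are constructed for illustration; the gate complements Neo4j's native permissions rather than replacing them.

```python
import re

# Cypher clauses and admin commands that mutate data, schema or security
# settings. Matched as whole words after literals and comments are blanked out.
WRITE_KEYWORDS = (
    "CREATE", "MERGE", "DELETE", "SET", "REMOVE", "DROP", "FOREACH",
    "LOAD CSV", "ALTER", "GRANT", "DENY", "REVOKE",
    "START DATABASE", "STOP DATABASE",
)

# Procedures allowed through CALL in read-only mode (constructed allowlist,
# lower-cased). Anything else, e.g. db.createLabel, is treated as a write.
READ_ONLY_PROCEDURES = frozenset({
    "db.labels", "db.relationshiptypes", "db.propertykeys", "db.schema.visualization",
})

# Text the keyword scan must not see: string literals, backtick-quoted
# identifiers and comments, otherwise a value like "DELETE me" trips the gate.
_LITERAL_OR_COMMENT = re.compile(
    r"""'(?:\\.|[^'\\])*'      # single-quoted string
      | "(?:\\.|[^"\\])*"      # double-quoted string
      | `(?:``|[^`])*`         # backtick-quoted identifier
      | //[^\n]*               # line comment
      | /\*.*?\*/              # block comment
    """,
    re.DOTALL | re.VERBOSE,
)

def normalize(query: str) -> str:
    """Blank out everything that is not real Cypher syntax."""
    return _LITERAL_OR_COMMENT.sub(" ", query)

def find_write_operations(query: str) -> list[str]:
    """Return every write keyword and non-allowlisted procedure call found.
    Fails closed: a property named e.g. n.delete is reported as well."""
    text = normalize(query)
    hits = []
    for keyword in WRITE_KEYWORDS:
        pattern = r"\b" + r"\s+".join(map(re.escape, keyword.split())) + r"\b"
        if re.search(pattern, text, re.IGNORECASE):
            hits.append(keyword)
    for match in re.finditer(r"\bCALL\s+([A-Za-z_][\w.]*)", text, re.IGNORECASE):
        procedure = match.group(1).lower()
        if procedure not in READ_ONLY_PROCEDURES:
            hits.append(f"CALL {procedure}")
    return hits

def allowed_in_mode(query: str, read_only: bool) -> bool:
    """True if the query may be forwarded to Neo4j under the given mode."""
    return not read_only or not find_write_operations(query)
```

A rejected query should also be logged with the caller's identity, which covers the missing-auditing point in the observability layer above.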
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).