Neo4j Aura incident

Public role privilege modification impacted for some Business Critical instances

Minor Resolved View vendor source →

Neo4j Aura experienced a minor incident on June 30, 2025 affecting AuraDB Business Critical (*.databases.neo4j.io) on AWS and AuraDB Business Critical (*.databases.neo4j.io) on Azure and 1 more component, lasting 2d 21h. The incident has been resolved; the full update timeline is below.

Started
Jun 30, 2025, 08:40 PM UTC
Resolved
Jul 03, 2025, 06:32 PM UTC
Duration
2d 21h
Detected by Pingoru
Jun 30, 2025, 08:40 PM UTC

Affected components

AuraDB Business Critical (*.databases.neo4j.io) on AWSAuraDB Business Critical (*.databases.neo4j.io) on AzureAuraDB Business Critical (*.databases.neo4j.io) on GCP

Update timeline

  1. identified Jul 01, 2025, 04:38 PM UTC

    We have identified an issue where the PUBLIC role cannot be modified on certain Business Critical instances. The public role is available to all database users, and contains a limited set of privileges outlined in our documentation: https://neo4j.com/docs/operations-manual/current/authentication-authorization/built-in-roles/#access-control-built-in-roles-public

  2. identified Jul 02, 2025, 05:17 AM UTC

    We have identified the issue and a fix is being rolled out

  3. resolved Jul 03, 2025, 06:32 PM UTC

    We have applied a fix and verified this is fully resolved.

  4. postmortem Jul 15, 2025, 02:51 PM UTC

    ## **What happened** On June 27th, the new predefined roles feature\* for AuraDB customers inadvertently removed database Admin access from some Business Critical \(BC\) instances. As a temporary fix, the team disabled the feature for Business Critical instances. While the fix took place, it also replaced the database public RBAC role privileges which are available on Business Critical with enhanced public role privileges available on Free/Pro instances. System logic prevented customers from modifying the public role during that time.\*[https://neo4j.com/docs/aura/user-management/#\_predefined\_roles](https://neo4j.com/docs/aura/user-management/#_predefined_roles) Neo4j restored the public role to its original limited permissions for all Virtual Dedicated Cloud instances on June 30, and for all Business Critical instances on July 1. ## **How customers were affected** Customers were affected by this issue from June 27th to July 1st. The issue impacted some Business-Critical \(BC\) instances and a small number of Virtual Dedicated Cloud \(VDC\) instances. All project admin users with affected instances received an email confirming the issue was resolved on July 1st. ## **What we are doing now** Neo4j remains committed to providing reliable service and is implementing additional safeguards to prevent similar incidents in the future: * We have implemented safeguards in our system to prevent misconfigured role changes and better isolate feature toggles from production permission models * We are reviewing our internal release processes to improve testing and validation of role-based access control \(RBAC\) changes * We are implementing additional detection methods for misconfigured RBAC which will alert our operational teams