MCP Neo4j Server
v1.5.3 (2026-06-11)Neo4j (Official)
Official Neo4j MCP server (neo4j/mcp; neo4j-mcp-server on PyPI, v1.5.3 released 2026-06-11): schema introspection, read-cypher (read-only enforced via EXPLAIN query classification), write-cypher, and GDS procedure listing over stdio. Arbitrary Cypher means read+write access to the graph unless NEO4J_READ_ONLY=true is set. Distinct from the experimental Neo4j Labs servers (mcp-neo4j-cypher, mcp-neo4j-memory), which carry no product support or compatibility guarantees.
Trust Vector Analysis
Dimension Breakdown
๐Performance & Reliability+
Cypher execution capability review
Schema introspection review
Connection stability and compatibility assessment
Error handling review
Large graph handling assessment
๐ก๏ธSecurity+
Authentication mechanism review
Credential security analysis
Injection and prompt-injection exposure analysis
Write-surface assessment; read-only mode is a clean kill-switch but write mode is all-or-nothing, unlike graduated designs such as ClickHouse's two-flag gate
Audit logging review
๐Privacy & Compliance+
Data flow analysis
PII protection assessment
Self-hosting options review
Data sharing analysis
๐๏ธTrust & Transparency+
Documentation completeness review
Source code review; scored down slightly for the conflicting license metadata between the repository and the PyPI package
Product-boundary clarity review; the split is documented but the coexisting Labs servers with overlapping names still cause user confusion
Community engagement analysis
โ๏ธOperational Excellence+
Setup complexity assessment
Performance review of the underlying engine for agent workloads
Feature coverage assessment; deliberately narrow product surface with breadth delegated to experimental Labs servers
Reliability analysis
Community support assessment
- +Official product server maintained by the Neo4j product team (v1.5.3, 2026-06-11), clearly separated from experimental Labs servers
- +read-cypher enforces read-only semantics via EXPLAIN-based query classification rather than string heuristics
- +Global kill-switch: NEO4J_READ_ONLY=true fully disables write-cypher
- +First-class graph schema introspection gives agents accurate label/relationship/property context
- +Works across Aura, Neo4j Desktop, and self-managed instances with graceful adaptive mode
- +GDS procedure discovery enables graph-algorithm-aware agents
- !Arbitrary Cypher means full read+write to the graph by default โ write-cypher is enabled unless NEO4J_READ_ONLY=true is set
- !No graduated write gate: enabling writes also enables destructive deletes (DETACH DELETE, index/constraint drops) within the DB user's privileges
- !Database credentials stored in environment variables or client config; no OAuth flow at the MCP layer
- !Query results and graph structure exposed to the LLM provider with no PII filtering
- !License metadata inconsistent: repo indicates Apache 2.0 while PyPI declares GPL-3.0-only
- !Requires the APOC plugin; overlapping Labs servers (mcp-neo4j-cypher/memory) with similar names invite confusion
- !stdio-only product server; no managed remote endpoint from Neo4j yet
Use Case Ratings
code generation
Good for generating Cypher and graph data models from live schemas
customer support
Useful over customer-360 graphs, but such graphs concentrate PII
content creation
Knowledge-graph-backed content research is a reasonable secondary fit
data analysis
Strong for relationship-centric analysis, fraud rings, and network exploration
research assistant
Knowledge graphs plus GDS discovery suit multi-hop research questions well
legal compliance
Entity-relationship discovery helps investigations; PII exposure needs strict scoping
healthcare
Patient/provider graphs are PII-dense; not advised without read-only mode and scoped users
financial analysis
Well suited to fraud and exposure network analysis with read-only credentials
education
Excellent for teaching graph modeling and Cypher interactively
creative writing
Character/world relationship graphs are a genuinely good niche fit