Port reference
Port 7687 (TCP) – Neo4j Bolt
Default port for the Neo4j Bolt binary protocol used by drivers and clients.
Default state
Neo4j exposes the Bolt protocol on 7687, often on 0.0.0.0 with the default neo4j/neo4j login until changed. Vulnerable versions are exploitable via deserialization (CVE-2021-34371).
Common attacks
- Login with the default neo4j/neo4j credentials over Bolt
- Remote code execution via deserialization (CVE-2021-34371)
- Cypher injection from exposed application layers
- Data exfiltration of nodes and relationships
Hardening
- Change the default neo4j password immediately; enforce strong credentials
- Bind to localhost or a private interface; never expose 7687 to the internet
- Require TLS for Bolt connections
- Firewall 7687 so that only application hosts can reach it; restrict the HTTP port (7474) as well
- Keep Neo4j patched (fixes CVE-2021-34371) and audit access
nmap snippet
nmap -p7687 --script banner <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 7687?
Port 7687 is the default for the Neo4j Bolt protocol, the efficient binary interface that official Neo4j drivers use to run Cypher queries against a graph database. Applications connect over 7687 to read and write nodes and relationships; the HTTP API and Browser use 7474.
Why it matters for security
Bolt provides full query access to the graph, which often contains sensitive relationship and identity data. Neo4j ships with the default neo4j/neo4j login, and CVE-2021-34371 is a deserialization flaw reachable over Bolt that can lead to remote code execution. An exposed 7687 therefore risks both data theft and server compromise.
How it's attacked
Attackers scan for open 7687 and try the default neo4j/neo4j credentials to run Cypher and exfiltrate the graph. On vulnerable versions they exploit CVE-2021-34371 deserialization for remote code execution, and Cypher injection through exposed apps can extract or alter data.
Hardening checklist
Change the default neo4j password immediately and enforce strong credentials. Bind Neo4j to localhost or a private interface, require TLS for Bolt, and firewall 7687 so that only application hosts can reach it, while also restricting the HTTP port 7474. Patch to a version that fixes CVE-2021-34371 and audit access. Use the nmap snippet above to detect exposed instances on hosts you are authorized to test.
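The bind, TLS and authentication items of the checklist can be verified from the server configuration itself. The following is an added example, not code from this page or from the Neo4j project: it audits the text of a neo4j.conf file, using the Neo4j 5.x (server.*) and 4.x (dbms.*) setting names, and the function names, finding codes and sample configurations are constructed for illustration.

```python
# Added example, not Neo4j project code. Setting names are the Neo4j 5.x
# (server.*) and 4.x (dbms.*) keys. Assumed defaults when a key is absent:
# listen on localhost, Bolt TLS DISABLED, authentication enabled.
WILDCARDS = {"0.0.0.0", "::", "[::]"}

def parse_conf(text):
    """Parse neo4j.conf-style 'key=value' lines, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def first(conf, keys, default):
    # Value of the first key that is present, else the default.
    return next((conf[k] for k in keys if k in conf), default)

def audit(text):
    """Return (code, detail) findings for the Bolt hardening checklist."""
    conf = parse_conf(text)
    findings = []
    default_host = first(conf, ["server.default_listen_address",
                                "dbms.default_listen_address"], "localhost")
    bolt = first(conf, ["server.bolt.listen_address",
                        "dbms.connector.bolt.listen_address"], ":7687")
    # listen_address is host:port; an empty host falls back to the default.
    host = bolt.rsplit(":", 1)[0] or default_host
    if host in WILDCARDS:
        findings.append(("BOLT_WILDCARD_BIND", f"Bolt listens on {host}"))
    tls = first(conf, ["server.bolt.tls_level",
                       "dbms.connector.bolt.tls_level"], "DISABLED").upper()
    if tls != "REQUIRED":
        findings.append(("BOLT_TLS_NOT_REQUIRED", f"tls_level={tls}"))
    if first(conf, ["dbms.security.auth_enabled"], "true").lower() == "false":
        findings.append(("AUTH_DISABLED", "authentication is turned off"))
    return findings

# Constructed sample configurations (not taken from a real deployment).
WEAK = """
server.default_listen_address=0.0.0.0
server.bolt.tls_level=OPTIONAL
dbms.security.auth_enabled=false
"""
HARDENED = """
server.bolt.listen_address=10.0.5.12:7687
server.bolt.tls_level=REQUIRED
"""
```

Calling audit(WEAK) reports all three findings and audit(HARDENED) reports none. The default password cannot be checked this way, since credentials are not stored in neo4j.conf.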
Frequently asked questions
- What is CVE-2021-34371 in Neo4j Bolt?
- CVE-2021-34371 is a deserialization vulnerability in Neo4j reachable via the Bolt protocol on 7687 that can lead to remote code execution. Patch affected versions, require authentication and TLS, and keep 7687 off untrusted networks.
- How does Bolt (7687) differ from the Neo4j HTTP port (7474)?
- 7687 carries the binary Bolt protocol used by official drivers for high-performance queries, while 7474 serves the HTTP API and Browser UI. Both run Cypher and must be authenticated and firewalled.