A vulnerability in Graph Explorer (versions 1.1.0 to 3.0.1), an open-source tool used with Amazon Neptune, can cause the application to silently fall back from HTTPS to unencrypted HTTP when TLS certificates are unavailable. This means sensitive data, potentially including graph database queries and results, may be transmitted in cleartext without any visible warning. The issue is tracked as CVE-2026-10584 and requires an explicit upgrade to version 3.0.1 or later.

Architect’s Take: Audit any Graph Explorer deployments running versions 1.1.0 through 3.0.1 and upgrade to 3.0.1 immediately; additionally, enforce network-level controls (e.g. VPC security groups or WAF rules) to block plain HTTP traffic to Neptune endpoints as a defence-in-depth measure while patching is underway.

Original advisory: CVE-2026-10584 - HTTPS Fallback to HTTP in Graph Explorer