CVE-2026-25137
Unknown Unknown - Not Provided
Unauthenticated Database Exposure in NixOS Odoo Enables Data Theft

Publication date: 2026-02-02

Last updated on: 2026-02-02

Assigner: GitHub, Inc.

Description
The NixOs Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the entire database, including Odoos file store. Unauthorized access is evident from http requests. If kept, searching access logs and/or Odoos log for requests to /web/database can give indicators, if this has been actively exploited. The database manager is a featured intended for development and not meant to be publicly reachable. On other setups, a master password acts as 2nd line of defence. However, due to the nature of NixOS, Odoo is not able to modify its own configuration file and thus unable to persist the auto-generated password. This also applies when manually setting a master password in the web-UI. This means, the password is lost when restarting Odoo. When no password is set, the user is prompted to set one directly via the database manager. This requires no authentication or action by any authorized user or the system administrator. Thus, the database is effectively world readable by anyone able to reach Odoo. This vulnerability is fixed in 25.11 and 26.05.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-02
Last Modified
2026-02-02
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25137
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
nixos odoo From 21.11 (inc) to 25.11 (exc)
nixos odoo From 26.05 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-552 The product makes files or directories accessible to unauthorized actors, even though they should not be.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects the NixOS Odoo package, an open source ERP and CRM system. In versions from 21.11 to before 25.11 and 26.05, the database manager is publicly exposed without any authentication. This allows unauthorized actors to delete and download the entire database, including Odoo's file store. The database manager is intended only for development and not meant to be publicly accessible. Due to NixOS's nature, Odoo cannot persist the auto-generated master password, meaning the database is effectively world readable by anyone who can reach Odoo. This vulnerability is fixed in versions 25.11 and 26.05.

Compliance Impact

This vulnerability allows unauthorized actors to access and download the entire database, including sensitive data stored in Odoo's file store, without any authentication. Such unauthorized access to personal or sensitive data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls to protect personal and health information from unauthorized access and disclosure.

Impact Analysis

This vulnerability can have severe impacts as unauthorized actors can access the database manager without authentication, allowing them to delete or download the entire database and file store. This can lead to data loss, data theft, and potential disruption of business operations relying on Odoo. Since the database is effectively world readable, sensitive business data could be exposed to attackers.

Detection Guidance

This vulnerability can be detected by searching access logs and/or Odoo's logs for HTTP requests to the /web/database endpoint, which indicates attempts to access the database manager without authentication. For example, you can use commands like 'grep "/web/database" /var/log/nginx/access.log' or 'grep "/web/database" /var/log/odoo/odoo.log' to find such requests.

Mitigation Strategies

Immediate mitigation steps include upgrading Odoo to versions 25.11 or 26.05 where the vulnerability is fixed. Additionally, ensure that the database manager is not publicly exposed, for example by restricting network access or firewalling the relevant ports. Since the master password cannot persist in NixOS setups, avoid exposing the database manager publicly and consider disabling or restricting access to the database manager interface.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25137. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart