CVE-2026-25137
Unauthenticated Database Exposure in NixOS Odoo Enables Data Theft
Publication date: 2026-02-02
Last updated on: 2026-02-02
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nixos | odoo | From 21.11 (inc) to 25.11 (exc) |
| nixos | odoo | From 26.05 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-552 | The product makes files or directories accessible to unauthorized actors, even though they should not be. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the NixOS Odoo package, an open source ERP and CRM system. In versions from 21.11 up to, but not including, 25.11 and 26.05, the database manager is publicly exposed without any authentication. This allows unauthorized actors to delete and download the entire database, including Odoo's file store. The database manager is intended only for development and is not meant to be publicly accessible. Because of how NixOS deploys the service, Odoo cannot persist the auto-generated master password, so the database is effectively world readable by anyone who can reach Odoo. This vulnerability is fixed in versions 25.11 and 26.05.
How can this vulnerability impact me?
This vulnerability can have severe impacts as unauthorized actors can access the database manager without authentication, allowing them to delete or download the entire database and file store. This can lead to data loss, data theft, and potential disruption of business operations relying on Odoo. Since the database is effectively world readable, sensitive business data could be exposed to attackers.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by searching access logs and/or Odoo's logs for HTTP requests to the `/web/database` endpoint, which indicate attempts to access the database manager without authentication. For example, you can use commands like `grep "/web/database" /var/log/nginx/access.log` or `grep "/web/database" /var/log/odoo/odoo.log` to find such requests.
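A small log scan, added here as an example (it is not from the advisory or the nixpkgs project), that applies the grep idea above to nginx combined-format access logs: it flags every request to `/web/database` and its sub-paths, skips the unrelated `/web/databases` route that a bare grep would also match, and counts successful responses per client, since a 2xx from the manager on an affected host means it answered with no master password in the way. The sample log lines are constructed; `/web/database/manager` and `/web/database/backup` are Odoo's own database-manager routes.

```python
"""Added example, not from the advisory: flag requests to Odoo's database
manager (/web/database and everything beneath it) in nginx-style access logs."""
import re
from collections import Counter

# Constructed sample lines in nginx "combined" format; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Feb/2026:10:01:12 +0000] "GET /web/login HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Feb/2026:10:01:40 +0000] "GET /web/database/manager HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Feb/2026:10:02:05 +0000] "POST /web/database/backup HTTP/1.1" 200 52428800 "-" "curl/8.5.0"
203.0.113.7 - - [02/Feb/2026:10:03:00 +0000] "GET /web/databases HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Feb/2026:10:03:30 +0000] "GET /web/database/manager?db=prod HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
192.0.2.9 - - [02/Feb/2026:11:15:02 +0000] "GET /web/database/manager HTTP/1.1" 403 162 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def is_db_manager_request(path: str) -> bool:
    """True for /web/database itself or any path beneath it. The query string is
    dropped first, and the match must end at a path boundary, so /web/databases
    (a different route) is not flagged the way a plain prefix grep would flag it."""
    path = path.split("?", 1)[0]
    return path == "/web/database" or path.startswith("/web/database/")

def find_db_manager_hits(log_text: str):
    """Return (ip, method, path, status, size) for each database-manager request.
    Lines that do not parse as combined-format entries are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_db_manager_request(m["path"]):
            size = 0 if m["size"] == "-" else int(m["size"])
            hits.append((m["ip"], m["method"], m["path"].split("?", 1)[0],
                         int(m["status"]), size))
    return hits

def successful_by_source(hits):
    """Count 2xx responses per client IP, noisiest first. A large 2xx on
    POST /web/database/backup is a completed dump, not just a probe."""
    return Counter(ip for ip, _, _, status, _ in hits if 200 <= status < 300).most_common()

if __name__ == "__main__":
    found = find_db_manager_hits(SAMPLE_LOG)
    for ip, method, path, status, size in found:
        print(f"{ip:15} {method:4} {path:25} {status} {size} bytes")
    print("2xx per source:", successful_by_source(found))
```

Point it at a real file with `find_db_manager_hits(open("/var/log/nginx/access.log").read())`; on a patched host (25.11 or 26.05) the manager should no longer answer unauthenticated, so a persistent stream of 2xx hits after upgrading is worth a second look.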
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Odoo to versions 25.11 or 26.05 where the vulnerability is fixed. Additionally, ensure that the database manager is not publicly exposed, for example by restricting network access or firewalling the relevant ports. Since the master password cannot persist in NixOS setups, avoid exposing the database manager publicly and consider disabling or restricting access to the database manager interface.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized actors to access and download the entire database, including sensitive data stored in Odoo's file store, without any authentication. Such unauthorized access to personal or sensitive data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls to protect personal and health information from unauthorized access and disclosure.