Description
The NixOS Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the entire database, including Odoo's file store. Unauthorized access is evident from HTTP requests. If access logs and/or Odoo's log have been kept, searching them for requests to /web/database can give indicators of whether this has been actively exploited. The database manager is a feature intended for development and not meant to be publicly reachable. On other setups, a master password acts as a second line of defence. However, due to the nature of NixOS, Odoo is not able to modify its own configuration file and is thus unable to persist the auto-generated password. This also applies when manually setting a master password in the web UI. This means the password is lost when Odoo is restarted. When no password is set, the user is prompted to set one directly via the database manager. This requires no authentication or action by any authorized user or the system administrator. Thus, the database is effectively world readable by anyone able to reach Odoo. This vulnerability is fixed in 25.11 and 26.05.
Published: 2026-02-02
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access, deletion, and exfiltration of database data
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows any party that can reach the Odoo web interface to invoke the database manager without authentication, enabling download or deletion of the entire database and attached file store. The flaw stems from missing authentication (CWE‑306) and the inadvertent public exposure of sensitive data (CWE‑552). Consequently, an attacker can erase critical business information or exfiltrate confidential records, affecting both the integrity and the confidentiality of the system.

Affected Systems

NixOS deployments that use the Odoo package from version 21.11 up to, but not including, the fixed releases 25.11 and 26.05 are impacted. These configurations expose the database manager on the default listening port and cannot persist a master password (any password set through the web UI is lost when the service is restarted), leaving the database effectively world‑readable.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.1 and an EPSS score of less than 1%, indicating a severe risk but a currently low probability of exploitation. It is not listed in the CISA KEV catalog. Attackers need only issue an unauthenticated HTTP request to /web/database, a path whose appearance in web-server or Odoo logs serves as a detection indicator. Because the system does not enforce authentication or a persistent password, any host with network access to the Odoo instance is a potential target. Organizations should treat this as a high‑risk flaw that warrants swift remediation.

Generated by OpenCVE AI on April 18, 2026 at 00:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the NixOS Odoo package to version 25.11 or 26.05 where the database manager’s public exposure is removed.
  • Restrict inbound traffic to the Odoo instance, blocking or limiting access to the /web/database endpoint via firewall rules or reverse‑proxy configuration.
  • Configure and persist a master password for the database manager—if unsupported, enforce access restrictions externally until persistence can be achieved.
  • Monitor web and Odoo logs for accesses to /web/database as an indicator of potential exploitation attempts.
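As a worked example of the log review recommended above (added here; it is not code from OpenCVE, NixOS or Odoo), the following Python script scans reverse-proxy access logs in the common "combined" format for requests to /web/database, tags each hit with the operation its path names (the sub-path names such as backup and drop are Odoo's database-manager routes; the category labels are my own) and records whether the request was rejected. The sample log lines are constructed.

```python
import re
from collections import Counter

# nginx/Apache "combined" log format, which most reverse proxies in front of Odoo write.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

# Database-manager routes all sit under /web/database; the first path segment after it
# names the operation. The category labels on the right are my own.
ACTION_BY_SUFFIX = {"backup": "download", "restore": "overwrite", "drop": "delete",
                    "manager": "list/ui", "selector": "list/ui", "list": "list/ui"}

def parse_line(line):
    m = LOG_RE.match(line)
    if m is None:  # not in combined format
        return None
    return dict(m.groupdict(), path=m["path"].split("?", 1)[0])  # drop the query string

def classify(path):
    """Operation a /web/database path attempted; None if it is not a database-manager URL."""
    if path != "/web/database" and not path.startswith("/web/database/"):
        return None
    suffix = path[len("/web/database/"):].split("/", 1)[0]
    return ACTION_BY_SUFFIX.get(suffix, "other")

def find_indicators(lines):
    """Keep only database-manager requests, annotated with the operation and its outcome."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        action = classify(rec["path"])
        if action is None:
            continue
        rec["action"] = action
        rec["succeeded"] = int(rec["status"]) < 400  # 4xx/5xx: rejected or failed upstream
        hits.append(rec)
    return hits

# Constructed sample log (not real traffic): two sources reach the database manager.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Feb/2026:10:12:09 +0000] "GET /web/database/manager HTTP/1.1" 200 4810
203.0.113.7 - - [03/Feb/2026:10:12:33 +0000] "POST /web/database/backup HTTP/1.1" 200 734003921
198.51.100.4 - - [03/Feb/2026:11:02:14 +0000] "GET /web/database/selector?debug=1 HTTP/1.1" 200 3901
198.51.100.4 - - [03/Feb/2026:11:03:50 +0000] "POST /web/database/drop HTTP/1.1" 403 162
192.0.2.10 - - [03/Feb/2026:12:00:00 +0000] "GET /web/image/42 HTTP/1.1" 200 1024
"""

if __name__ == "__main__":
    hits = find_indicators(SAMPLE_LOG.splitlines())
    print(Counter((h["ip"], h["action"], h["succeeded"]) for h in hits))
```

A successful "download" hit with a large response size is the strongest sign that the database and file store have left the host; feed real logs in with `find_indicators(open(path))`.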

Advisories

No advisories yet.

History

Wed, 04 Feb 2026 17:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 12:30:00 +0000

Type: First Time appeared
Values Added: Nixos, Nixos odoo
Type: Vendors & Products
Values Added: Nixos, Nixos odoo

Mon, 02 Feb 2026 23:15:00 +0000

Type: Description
Values Added: The NixOS Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the entire database, including Odoo's file store. Unauthorized access is evident from HTTP requests. If access logs and/or Odoo's log have been kept, searching them for requests to /web/database can give indicators of whether this has been actively exploited. The database manager is a feature intended for development and not meant to be publicly reachable. On other setups, a master password acts as a second line of defence. However, due to the nature of NixOS, Odoo is not able to modify its own configuration file and is thus unable to persist the auto-generated password. This also applies when manually setting a master password in the web UI. This means the password is lost when Odoo is restarted. When no password is set, the user is prompted to set one directly via the database manager. This requires no authentication or action by any authorized user or the system administrator. Thus, the database is effectively world readable by anyone able to reach Odoo. This vulnerability is fixed in 25.11 and 26.05.
Type: Title
Values Added: NixOS Odoo database and filestore publicly accessible with default odoo configuration
Type: Weaknesses
Values Added: CWE-306, CWE-552
Type: References
Values Added:
Type: Metrics
Values Added: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T16:53:13.344Z

Reserved: 2026-01-29T14:03:42.540Z

Link: CVE-2026-25137

Vulnrichment

Updated: 2026-02-04T15:55:18.475Z

NVD

Status: Deferred

Published: 2026-02-02T23:16:09.280

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25137

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:30:25Z

Weaknesses