Impact
The vulnerability permits any party that can reach the Odoo web interface to invoke the database manager without authentication, leading to complete download or deletion of the database and its file store. This flaw arises from missing authentication controls (CWE‑306) and the inadvertent public exposure of sensitive data (CWE‑552), thereby jeopardizing both the confidentiality and integrity of business information and potentially impacting service availability.
Affected Systems
NixOS deployments that use the Odoo package are affected from NixOS 21.11 up to, but not including, 25.11, and in the 26.05 snapshot. These configurations expose the database manager on the default listening port and cannot persist a master password, leaving the database effectively world‑readable until the service is restarted.
Risk and Exploitability
The vulnerability carries a CVSS score of 9.1 and an EPSS score of 10 %, indicating a severe risk and a moderate probability of exploitation. Based on the description, it is inferred that attackers would simply issue an unauthenticated HTTP request to /web/database. Because the system does not enforce authentication or a persistent password, any host with network access to the Odoo instance is a potential target. The flaw is not listed in the CISA KEV catalog. Organizations should treat this as a high‑risk flaw that warrants swift remediation.
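As an added illustration that is not part of the advisory, the following Python script flags accepted requests to the /web/database routes in an Odoo werkzeug-style access log, so an operator can check whether the exposed database manager was actually used; the log lines, source addresses and allowlist are constructed.

```python
import re
from collections import namedtuple
from typing import List, Optional

# Constructed sample lines in the style of Odoo's werkzeug access log (not real traffic).
SAMPLE_LOG = """\
2024-03-01 09:12:01,101 812 INFO ? werkzeug: 10.0.0.5 - - [01/Mar/2024 09:12:01] "GET /web/login HTTP/1.1" 200 -
2024-03-01 09:12:40,220 812 INFO ? werkzeug: 203.0.113.9 - - [01/Mar/2024 09:12:40] "GET /web/database/manager HTTP/1.1" 200 -
2024-03-01 09:12:55,004 812 INFO ? werkzeug: 203.0.113.9 - - [01/Mar/2024 09:12:55] "POST /web/database/backup HTTP/1.1" 200 -
2024-03-01 09:13:10,377 812 INFO ? werkzeug: 10.0.0.7 - - [01/Mar/2024 09:13:10] "POST /web/database/drop HTTP/1.1" 200 -
2024-03-01 09:13:30,900 812 INFO ? werkzeug: 10.0.0.5 - - [01/Mar/2024 09:13:30] "GET /web/database/selector HTTP/1.1" 200 -
"""

# Sub-routes of /web/database that read out or destroy a database (high) versus
# ones that only expose the manager UI or enumerate database names (medium).
HIGH_RISK = {"backup", "drop", "restore", "duplicate", "create", "change_password"}
MEDIUM_RISK = {"manager", "selector", "list"}

LINE_RE = re.compile(r'werkzeug: (?P<src>\S+) - - \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
DB_ROUTE_RE = re.compile(r"^/web/database/(?P<action>[a-z_]+)")

Finding = namedtuple("Finding", "src method action status severity")

def classify(line: str, allowlist: frozenset = frozenset()) -> Optional[Finding]:
    """Flag a database-manager request that the server accepted (status < 400)
    and that did not come from an allowlisted administrative source address."""
    m = LINE_RE.search(line)
    if not m:
        return None
    r = DB_ROUTE_RE.match(m["path"])
    if not r or m["src"] in allowlist:
        return None
    status = int(m["status"])
    if status >= 400:  # refused by the server, e.g. once a master password is enforced
        return None
    action = r["action"]
    severity = "high" if action in HIGH_RISK else "medium" if action in MEDIUM_RISK else "low"
    return Finding(m["src"], m["method"], action, status, severity)

def scan(log_text: str, allowlist: frozenset = frozenset()) -> List[Finding]:
    """Run classify() over every line and keep only the hits, in log order."""
    return [f for f in (classify(l, allowlist) for l in log_text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, allowlist=frozenset({"10.0.0.5"})):
        print(f"[{f.severity}] {f.src} {f.method} /web/database/{f.action} -> {f.status}")
```

A high-severity hit on backup or drop from an unexpected source is the signal that the exposure described above was used, not merely present.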
OpenCVE Enrichment