CVE-2026-25137: Missing Authentication for Critical Function in Nixpkgs

Severity
9.1 CRITICAL (NVD)
EPSS
0.0%
top 89.19%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Feb 2

Description

The NixOS Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS-based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the entire database, including Odoo's file store. Unauthorized access is evident from HTTP requests: if access logs and/or Odoo's log have been kept, searching them for requests to /web/database can give indicators of whether this has been actively exploited. The database ma
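The description points at a concrete detection check: look through retained web-server or Odoo access logs for requests to /web/database. The following is an added example (not code from the advisory, from Nixpkgs, or from Odoo) that parses combined-format access log lines, flags any request whose path falls under that prefix, and summarizes hits per client and per path. It also checks a NixOS release string against the >= 21.11, < 25.11 range listed under Affected Packages. The log lines are constructed sample data; the sub-paths under /web/database that appear in them are sample values chosen for the demonstration, and the log format, the `prefix` parameter and the function names are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample access log (combined format). Not taken from any real system.
# Two clients: one browsing normally, one hitting the database manager endpoints.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [02/Feb/2026:10:14:02 +0000] "GET /web/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Feb/2026:10:15:41 +0000] "GET /web/database/manager HTTP/1.1" 200 8211 "-" "curl/8.5.0"
198.51.100.23 - - [02/Feb/2026:10:16:05 +0000] "POST /web/database/backup HTTP/1.1" 200 734003201 "-" "curl/8.5.0"
203.0.113.7 - - [02/Feb/2026:10:17:30 +0000] "GET /web/image/1?x=1 HTTP/1.1" 304 0 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Feb/2026:10:18:12 +0000] "POST /web/database/drop HTTP/1.1" 303 0 "-" "curl/8.5.0"
"""

# Combined log format: client ip, ident, user, [timestamp], "METHOD path PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def find_database_manager_requests(log_text, prefix="/web/database"):
    """Return parsed records whose request path is the prefix or lies beneath it.

    The query string is stripped before matching so '/web/database/manager?x=1'
    is still caught; unrelated paths such as '/web/databases-help' are not.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if path == prefix or path.startswith(prefix + "/"):
            hits.append(rec)
    return hits


def summarize(hits):
    """Aggregate hits per client IP and per path so the triage view is compact."""
    by_ip = Counter(h["ip"] for h in hits)
    by_path = Counter(h["path"].split("?", 1)[0] for h in hits)
    return {"count": len(hits), "by_ip": dict(by_ip), "by_path": dict(by_path)}


def is_affected_release(release):
    """True if a NixOS release string 'YY.MM' is within >= 21.11 and < 25.11.

    Range taken from the Affected Packages entry for nixos/nixpkgs on this page.
    """
    major, minor = (int(part) for part in release.split("."))
    return (21, 11) <= (major, minor) < (25, 11)


if __name__ == "__main__":
    hits = find_database_manager_requests(SAMPLE_ACCESS_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]} ({h["size"]} bytes)')
    print(summarize(hits))
    for rel in ("21.05", "21.11", "24.05", "25.11"):
        print(rel, "affected" if is_affected_release(rel) else "not affected")
```

In practice you would feed the real access log through `find_database_manager_requests` rather than the constructed sample; a large response size on a request under the prefix, or a POST to it from an unfamiliar client, is the kind of line worth pulling into an incident timeline. A hit alone does not prove exploitation, since an administrator may legitimately use the database manager, so correlate the client address and time with known administrative activity.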

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Exploitability: 3.9 | Impact: 5.2

Affected Packages (2 packages)

Debian: debian/odoo
CVEListV5: nixos/nixpkgs >= 21.11, < 25.11

Vendor Advisories

1 advisory
Debian: CVE-2026-25137: odoo - The NixOS Odoo package is an open source ERP and CRM system. From 21.11 to befor... (2026)