CVE-2026-25137
Published 2026-02-02
Priority: P2 (75) · CVSS 3.1 base score: 9.1 (critical)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:H
EPSS: 10.08% (95.1st percentile)
The NixOS Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS-based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the entire database, including Odoo's file store. Unauthorized access is evident from HTTP requests: if access logs and/or Odoo's log were kept, searching them for requests to /web/database can give indicators of whether this has been actively exploited. The database manager is a feature intended for development and not meant to be publicly reachable. On other setups, a master password acts as a second line of defence. However, due to the nature of NixOS, Odoo is not able to modify its own configuration file and is thus unable to persist the auto-generated password. This also applies when a master password is set manually in the web UI. This means the password is lost when Odoo restarts. When no password is set, the user is prompted to set one directly via the database manager, which requires no authentication or action by any authorized user or the system administrator. Thus, the database is effectively world-readable by anyone able to reach Odoo. This vulnerability is fixed in 25.11 and 26.05.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | odoo | — | — |
| nixos | nixpkgs | — | — |
Detection & IOCs (extracted from sources)
- Search HTTP access logs and/or Odoo application logs for requests to the /web/database path; any such requests from unauthenticated or unexpected sources are indicators of exploitation.
- Unauthorized access to the Odoo database manager is evident from HTTP requests alone: no authentication challenge is issued, so any external IP reaching /web/database should be treated as suspicious.
- Focus detection on NixOS-hosted Odoo instances running versions 21.11 up to (but not including) 25.11 or 26.05, as only these are affected.
- Due to NixOS's immutable configuration model, Odoo cannot persist its auto-generated master password across restarts, meaning the database manager is effectively unprotected after every restart even if a password was manually set.
- When no master password is set, the database manager prompts any visitor to set one, requiring zero authentication or administrator involvement and making the database world-readable.
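The description and the detection notes above both come down to one check: find requests under /web/database in HTTP access logs and look at who made them. The script below is an added example of that check, not part of the advisory or of the Odoo or nixpkgs projects. It parses Combined Log Format lines (the nginx/Apache default), matches the /web/database prefix exactly (so /web/databases does not match), names the sub-route that was called, and reports per source address. The sub-route names are the routes of Odoo's web module as the author of this example knows them; the severity ranking attached to them is this example's own assumption, and the log lines are constructed.

```python
"""Scan HTTP access logs for requests to Odoo's database manager (/web/database).

Added detection example; not from the advisory. Log lines below are constructed.
"""
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# Combined Log Format as written by nginx/Apache by default.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

DB_MANAGER_PREFIX = "/web/database"

# Sub-routes of Odoo's database manager (web module), ranked by impact.
# The ranking is this example's assumption, not something the advisory states.
ACTION_SEVERITY: Dict[str, str] = {
    "backup": "high",           # downloads a full dump including the file store
    "drop": "high",             # deletes a database
    "restore": "high",          # replaces a database from an uploaded dump
    "duplicate": "medium",
    "create": "medium",
    "change_password": "medium",
    "manager": "low",           # the HTML UI itself (also served at the bare prefix)
    "selector": "low",
    "list": "low",
}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


class Hit(NamedTuple):
    ip: str
    timestamp: str
    method: str
    path: str
    status: int
    action: str
    severity: str


def classify(path: str) -> Optional[Tuple[str, str]]:
    """Return (action, severity) when path is under /web/database, else None."""
    path = path.split("?", 1)[0]  # ignore the query string
    # Exact prefix or prefix + "/"; "/web/databases" must not match.
    if path != DB_MANAGER_PREFIX and not path.startswith(DB_MANAGER_PREFIX + "/"):
        return None
    rest = path[len(DB_MANAGER_PREFIX):].strip("/")
    action = rest.split("/", 1)[0] if rest else "manager"
    # Unknown sub-routes still deserve a look, so default to medium.
    return action, ACTION_SEVERITY.get(action, "medium")


def scan(lines: Iterable[str], trusted_ips: Iterable[str] = ()) -> List[Hit]:
    """Parse access-log lines and return every database-manager request
    that did not come from a trusted source address."""
    trusted = set(trusted_ips)
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        found = classify(m["path"])
        if found is None or m["ip"] in trusted:
            continue
        action, severity = found
        hits.append(Hit(m["ip"], m["ts"], m["method"], m["path"],
                        int(m["status"]), action, severity))
    return hits


def summarize(hits: Iterable[Hit]) -> Dict[str, Tuple[int, str]]:
    """Per source IP: (number of hits, highest severity seen)."""
    out: Dict[str, Tuple[int, str]] = {}
    for h in hits:
        count, worst = out.get(h.ip, (0, "low"))
        if SEVERITY_RANK[h.severity] > SEVERITY_RANK[worst]:
            worst = h.severity
        out[h.ip] = (count + 1, worst)
    return out


# Constructed sample log: one outside address walks the manager UI, pulls a
# backup and drops a database; an internal admin (10.0.0.5) also visits it.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Feb/2026:10:15:01 +0000] "GET /web/login HTTP/1.1" 200 5123
203.0.113.10 - - [02/Feb/2026:10:15:05 +0000] "GET /web/database/manager HTTP/1.1" 200 4096
203.0.113.10 - - [02/Feb/2026:10:15:40 +0000] "POST /web/database/backup HTTP/1.1" 200 83886080
203.0.113.10 - - [02/Feb/2026:10:16:02 +0000] "POST /web/database/drop HTTP/1.1" 303 0
198.51.100.7 - - [02/Feb/2026:10:20:13 +0000] "GET /web/database/selector?db=prod HTTP/1.1" 200 2048
10.0.0.5 - - [02/Feb/2026:11:00:00 +0000] "GET /web/database/manager HTTP/1.1" 200 4096
192.0.2.44 - - [02/Feb/2026:11:05:00 +0000] "GET /web/databases HTTP/1.1" 404 153
"""

if __name__ == "__main__":
    found_hits = scan(SAMPLE_LOG.splitlines(), trusted_ips={"10.0.0.5"})
    for hit in found_hits:
        print(f"{hit.severity:6} {hit.ip:15} {hit.timestamp} "
              f"{hit.method} {hit.path} -> {hit.status}")
    print(summarize(found_hits))
```

On a real host, feed it the web server's access log (or Odoo's own log, whose werkzeug request lines carry the same method and path) and put known administrator addresses in trusted_ips; on an affected NixOS version, a single backup or drop request from an address you do not recognise is the indicator the advisory describes, since no login would have preceded it.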
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
| vendor_debian | — | 9.1 | LOW | — |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.