CVE-2026-25137 Overview
CVE-2026-25137 is a critical authentication bypass vulnerability affecting the NixOS Odoo package, an open source ERP and CRM system. The vulnerability allows unauthorized actors to access, download, and delete the entire database, including Odoo's file store, without any authentication. This occurs because NixOS-based Odoo deployments publicly expose the database manager interface, which is intended for development purposes only and should never be accessible without authentication.
Critical Impact
Unauthorized actors can access, download, and delete the entire Odoo database including sensitive business data and file stores without any authentication.
Affected Products
- NixOS Odoo package versions 21.11 to before 25.11
- NixOS Odoo package versions before 26.05
Discovery Timeline
- 2026-02-02 - CVE CVE-2026-25137 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2026-25137
Vulnerability Analysis
This vulnerability is classified as CWE-306 (Missing Authentication for Critical Function). The database manager in Odoo is a development feature that allows direct manipulation of databases. In standard Odoo deployments, this interface is protected by a master password that acts as a second line of defense. However, due to NixOS's immutable configuration model, Odoo cannot modify its own configuration file to persist an auto-generated password. This architectural limitation means that any password set through the web UI is lost upon Odoo restart, leaving the database manager effectively unprotected.
The vulnerability enables network-based attacks requiring no authentication and no user interaction. An attacker who can reach the Odoo instance can access the database manager at the /web/database endpoint without any credentials. From this interface, they can perform destructive operations including downloading the complete database (leading to confidentiality breach) or deleting it entirely (causing availability impact).
Root Cause
The root cause stems from NixOS's declarative and immutable configuration management approach conflicting with Odoo's expectation of being able to persist configuration changes at runtime. When Odoo auto-generates a master password or when an administrator manually sets one via the web UI, this password cannot be written to the configuration file because NixOS prevents runtime modifications to configuration. Upon service restart, the password is lost, and users are prompted to set a new one directly via the database manager—a prompt that requires no prior authentication.
Attack Vector
The attack vector is network-based, requiring only network connectivity to the exposed Odoo instance. An attacker identifies a NixOS-based Odoo deployment and navigates to the /web/database endpoint. Without any authentication challenge, they gain access to the database manager interface. From there, they can enumerate databases, download complete database backups (including the file store containing uploaded documents), or delete databases entirely. The attack requires no privileges, no user interaction, and has low complexity, making it trivially exploitable by any attacker who can reach the service.
Detection Methods for CVE-2026-25137
Indicators of Compromise
- HTTP requests to /web/database endpoint from unauthorized or unknown IP addresses
- Unusual database backup download operations in Odoo logs
- Database deletion events that were not initiated by authorized administrators
- Access log entries showing repeated requests to database management endpoints
- Unexpected changes in database size or missing database files
Detection Strategies
- Monitor web server access logs for requests to /web/database and related database management endpoints
- Implement network-level monitoring to detect connections to Odoo from unauthorized sources
- Configure alerting on database backup or export operations that occur outside normal business hours
- Review Odoo application logs for database manager activity without corresponding administrator sessions
Monitoring Recommendations
- Enable comprehensive logging for all HTTP requests to the Odoo application
- Implement real-time alerting for database management operations
- Deploy network segmentation to restrict access to Odoo instances from untrusted networks
- Regularly audit access logs for patterns consistent with reconnaissance or exploitation attempts
How to Mitigate CVE-2026-25137
Immediate Actions Required
- Update NixOS Odoo package to version 25.11 or 26.05 immediately
- If immediate patching is not possible, implement network-level restrictions to block external access to the /web/database endpoint
- Review access logs and Odoo logs for evidence of prior exploitation
- Audit database integrity and check for unauthorized access or data exfiltration
- Consider rotating sensitive credentials if unauthorized access is suspected
Patch Information
The vulnerability is fixed in NixOS Odoo package versions 25.11 and 26.05. The fix addresses the configuration persistence issue that prevented the master password from being retained across service restarts. Security patches are available through the following pull requests:
For detailed security information, refer to the GitHub Security Advisory GHSA-cwmq-6wv5-f3px.
Workarounds
- Block access to the /web/database endpoint at the reverse proxy or firewall level
- Implement network segmentation to ensure Odoo is not directly accessible from the public internet
- Configure web application firewall rules to deny requests to database management endpoints
- Use VPN or IP allowlisting to restrict access to Odoo administrative functions
# Example nginx configuration to block database manager access
location /web/database {
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
