PT-2026-5726

E1Mo · Published 2026-02-02 · Updated 2026-02-23 · CVE-2026-25137

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Odoo versions 21.11 through 25.10
Odoo versions 26.05

Description
The NixOS Odoo package, an open source ERP and CRM system, exposes the database manager without authentication. This allows unauthorized actors to delete and download the entire database, including Odoo's file store. Unauthorized access can be identified by examining access logs or Odoo's logs for requests to the /web/database API endpoint. The database manager is intended for development purposes and should not be publicly reachable.

Due to the nature of NixOS, Odoo is unable to persist a master password, even when set manually, meaning the password is lost upon restarting Odoo. When no password is set, any user can set one via the database manager without authentication.

Recommendations
Odoo versions 21.11 through 25.10: Upgrade to a version after 25.11 and before 26.05.
Odoo version 26.05: Upgrade to a newer version.
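A defender-side check for the detection hint in the description (examine logs for requests to /web/database), added here as an example and not part of the advisory: it parses constructed reverse-proxy access-log lines and reports every request that reached the database manager, grouped by source. The sub-path names and the impact labels attached to them are assumptions of this example, not taken from the advisory.

```python
import re
from collections import Counter

# Constructed sample lines (made up for this example) in the combined log format of a reverse proxy in front of Odoo.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Feb/2026:10:01:02 +0000] "GET /web/login HTTP/1.1" 200 5120
198.51.100.7 - - [02/Feb/2026:10:02:11 +0000] "GET /web/database/manager HTTP/1.1" 200 14032
198.51.100.7 - - [02/Feb/2026:10:02:40 +0000] "POST /web/database/change_password HTTP/1.1" 303 0
198.51.100.7 - - [02/Feb/2026:10:03:05 +0000] "POST /web/database/backup HTTP/1.1" 200 98311214
198.51.100.7 - - [02/Feb/2026:10:04:30 +0000] "POST /web/database/drop HTTP/1.1" 303 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

# Every request under /web/database reaches the database manager. The
# sub-path to impact mapping is an assumption of this example.
IMPACT = {
    "/web/database/drop": "database deleted",
    "/web/database/backup": "database and filestore downloaded",
    "/web/database/restore": "database restored from an uploaded dump",
    "/web/database/change_password": "master password set or changed",
}

def parse_line(line):
    # Returns the named fields of one log line, or None if it does not parse.
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_database_manager_hits(log_text):
    """Return one finding per request whose path lies under /web/database."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if path == "/web/database" or path.startswith("/web/database/"):
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                             "path": path, "status": int(rec["status"]),
                             "impact": IMPACT.get(path, "database manager accessed")})
    return findings

def hits_per_source(findings):
    # Requests per client IP, so the source that touched the manager stands out.
    return Counter(f["ip"] for f in findings)

if __name__ == "__main__":
    for f in find_database_manager_hits(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} {f['path']} -> {f['impact']}")
```

Any hit at all on a production host is worth triage, since the advisory states the manager should not be reachable there; the per-source count only orders the work.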

Weakness Enumeration
Missing Authentication
Files Accessible to External Parties

Related Identifiers
CVE-2026-25137
GHSA-CWMQ-6WV5-F3PX

Affected Products
Nixos
Odoo