FKIE_CVE-2026-25137

Vulnerability from fkie_nvd - Published: 2026-02-02 23:16 - Updated: 2026-02-03 16:44
Summary
The NixOS Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS-based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the entire database, including Odoo's file store. Unauthorized access is evident from HTTP requests: if logs have been kept, searching the access logs and/or Odoo's log for requests to /web/database can indicate whether this has been actively exploited. The database manager is a feature intended for development and not meant to be publicly reachable. On other setups, a master password acts as a second line of defence. However, due to the nature of NixOS, Odoo is not able to modify its own configuration file and is thus unable to persist the auto-generated password. This also applies when a master password is set manually in the web UI. This means the password is lost when Odoo restarts. When no password is set, the user is prompted to set one directly via the database manager. This requires no authentication and no action by any authorized user or the system administrator. Thus, the database is effectively world-readable by anyone able to reach Odoo. This vulnerability is fixed in 25.11 and 26.05.

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The NixOs Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the entire database, including Odoos file store. Unauthorized access is evident from http requests. If kept, searching access logs and/or Odoos log for requests to /web/database can give indicators, if this has been actively exploited. The database manager is a featured intended for development and not meant to be publicly reachable. On other setups, a master password acts as 2nd line of defence. However, due to the nature of NixOS, Odoo is not able to modify its own configuration file and thus unable to persist the auto-generated password. This also applies when manually setting a master password in the web-UI. This means, the password is lost when restarting Odoo. When no password is set, the user is prompted to set one directly via the database manager. This requires no authentication or action by any authorized user or the system administrator. Thus, the database is effectively world readable by anyone able to reach Odoo. This vulnerability is fixed in 25.11 and 26.05."
    },
    {
      "lang": "es",
      "value": "El paquete NixOs Odoo es un sistema ERP y CRM de c\u00f3digo abierto. Desde la versi\u00f3n 21.11 hasta antes de la 25.11 y la 26.05, cada configuraci\u00f3n de Odoo basada en NixOS expone p\u00fablicamente el gestor de la base de datos sin ninguna autenticaci\u00f3n. Esto permite a actores no autorizados eliminar y descargar la base de datos completa, incluyendo el almac\u00e9n de archivos de Odoo. El acceso no autorizado es evidente a partir de las solicitudes HTTP. Si se mantienen, la b\u00fasqueda en los registros de acceso y/o el registro de Odoo de solicitudes a /web/database puede dar indicadores, si esto ha sido explotado activamente. El gestor de la base de datos es una caracter\u00edstica destinada al desarrollo y no est\u00e1 pensado para ser accesible p\u00fablicamente. En otras configuraciones, una contrase\u00f1a maestra act\u00faa como segunda l\u00ednea de defensa. Sin embargo, debido a la naturaleza de NixOS, Odoo no puede modificar su propio archivo de configuraci\u00f3n y, por lo tanto, no puede persistir la contrase\u00f1a autogenerada. Esto tambi\u00e9n se aplica al establecer manualmente una contrase\u00f1a maestra en la interfaz de usuario web (web-UI). Esto significa que la contrase\u00f1a se pierde al reiniciar Odoo. Cuando no se establece ninguna contrase\u00f1a, se le pide al usuario que establezca una directamente a trav\u00e9s del gestor de la base de datos. Esto no requiere autenticaci\u00f3n ni acci\u00f3n por parte de ning\u00fan usuario autorizado o del administrador del sistema. Por lo tanto, la base de datos es efectivamente legible por cualquier persona capaz de alcanzar Odoo. Esta vulnerabilidad est\u00e1 corregida en las versiones 25.11 y 26.05."
    }
  ],
  "id": "CVE-2026-25137",
  "lastModified": "2026-02-03T16:44:03.343",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-02T23:16:09.280",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/NixOS/nixpkgs/pull/485310"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/NixOS/nixpkgs/pull/485454"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/NixOS/nixpkgs/security/advisories/GHSA-cwmq-6wv5-f3px"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-306"
        },
        {
          "lang": "en",
          "value": "CWE-552"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}