Warning: Critical Unauthenticated Database Manager Exposure in Odoo on NixOS, Patch Immediately!

Published: 03/02/2026
  • Last update: 03/02/2026
  • Affected software: Odoo as packaged on NixOS, NixOS releases 21.11, 22.05, 22.11, 23.05, 23.11, 24.05, 24.11, 25.05
  • Type:
    → CWE-306 - Missing Authentication for Critical Function
    → CWE-552 - Files or Directories Accessible to External Parties
  • CVE/CVSS
    → CVE-2026-25137: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)

Sources

GitHub - https://github.com/NixOS/nixpkgs/security/advisories/GHSA-cwmq-6wv5-f3px

Risks

This vulnerability in Odoo deployed on NixOS permits unauthenticated access to the database manager, allowing remote attackers to dump or delete the entire ERP database and filestore without valid credentials.

The impact to confidentiality, integrity, and availability is high.

The issue is especially dangerous because no authentication is required. Simply reaching the exposed /web/database endpoint is sufficient to enumerate, download, or delete business-critical data. Since ERP systems commonly store financial records, customer data, credentials, and operational information, exploitation can result in immediate and severe business impact.

There is currently no evidence that this vulnerability has been exploited in the wild.

Description

The NixOS Odoo Database Manager is a specialized orchestration utility designed to manage Odoo instances and their underlying PostgreSQL databases within the NixOS ecosystem. Unlike standard deployments, it leverages Nix’s declarative configuration and atomic rollbacks to ensure that database migrations, module updates, and environment scaling are reproducible and fail-safe.

It serves as the bridge between Odoo’s application layer and the Nix package manager, providing a stable, immutable foundation for enterprise ERP management.

This weakness allows attackers to carry out the following:

  1. Exposure - The Odoo database manager is unintentionally exposed on NixOS deployments due to packaging and configuration behavior that prevents persistence of the master password.
  2. Unauthenticated access - An attacker who can reach the Odoo web interface can access /web/database without authentication.
  3. Database compromise - The attacker can dump, delete, or manipulate Odoo databases and associated filestore content without any prior access or credentials.
  4. Post-compromise impact - An attacker can cause complete data loss, steal sensitive business information, disrupt operations, and potentially use recovered data to pivot into connected systems or services.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
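A detection check for the monitoring step above, added here as an example and not taken from the advisory, NixOS or Odoo: it scans reverse-proxy access-log lines for requests to the /web/database endpoint the advisory names and grades them for triage. Assumptions: the log uses the common combined format, the sub-paths are Odoo's standard upstream database-manager routes, and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined format), not from any real host.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Feb/2026:10:00:05 +0100] "GET /web/database/manager HTTP/1.1" 200 8210 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Feb/2026:10:00:09 +0100] "POST /web/database/list HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [03/Feb/2026:10:00:12 +0100] "POST /web/database/backup HTTP/1.1" 200 90412331 "-" "python-requests/2.31"
198.51.100.4 - - [03/Feb/2026:10:01:00 +0100] "GET /web/database/manager HTTP/1.1" 403 150 "-" "curl/8.5"
192.0.2.9 - - [03/Feb/2026:10:02:00 +0100] "POST /web/dataset/call_kw HTTP/1.1" 200 1020 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed standard upstream Odoo routes. These actions are gated only by the master
# password that, per the advisory, is not persisted on the affected NixOS releases.
GATED_ACTIONS = {"/web/database/backup", "/web/database/drop", "/web/database/restore",
                 "/web/database/duplicate", "/web/database/change_password"}
# These render or list databases without the master password; they signal reconnaissance.
ENUMERATION = {"/web/database/manager", "/web/database/selector", "/web/database/list"}

def classify(path):
    """Map a request path to 'gated', 'enumeration', 'other' (any /web/database/*) or None."""
    base = path.split("?", 1)[0].rstrip("/")
    if base in GATED_ACTIONS:
        return "gated"
    if base in ENUMERATION:
        return "enumeration"
    return "other" if base.startswith("/web/database") else None

def scan_log(text):
    """Return (ip, method, path, status, severity) for every database-manager request.
    Any non-error status on a gated action is 'critical': Odoo reports a wrong master
    password inside a re-rendered 200 page and a successful drop/restore as a 3xx redirect,
    so the status alone cannot prove failure; check the /backup byte count and Odoo's own log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        kind = classify(m["path"]) if m else None
        if kind is None:
            continue
        status = int(m["status"])
        not_rejected = status < 400
        severity = "critical" if (kind == "gated" and not_rejected) else "warning" if not_rejected else "info"
        hits.append((m["ip"], m["method"], m["path"], status, severity))
    return hits

def summarize(hits):
    return Counter(h[4] for h in hits)  # hits per severity, for quick triage
```

Run it against the proxy logs of every Odoo host on an affected NixOS release, covering the period since that release was deployed, not only since the advisory date.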

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

NVD - https://nvd.nist.gov/vuln/detail/CVE-2026-25137