CVE-2026-25137

9.1 CRITICAL

📋 TL;DR

The NixOS Odoo package exposes the database manager without authentication, allowing unauthorized actors to delete or download the entire database and file store. This affects NixOS-based Odoo setups from versions 21.11 to before 25.11 and 26.05.

💻 Affected Systems

Products:
  • NixOS Odoo package
Versions: 21.11 to before 25.11 and 26.05
Operating Systems: NixOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects NixOS deployments due to configuration persistence issues with Odoo's master password.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete data loss and exposure of sensitive business information through database deletion and download.

🟠

Likely Case

Unauthorized access leading to data theft, potential ransomware deployment, or service disruption.

🟢

If Mitigated

Limited impact if database manager is isolated or access controls are implemented.

🌐 Internet-Facing: HIGH - Public exposure allows direct exploitation without authentication.
🏢 Internal Only: MEDIUM - Internal attackers could exploit, but requires network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP access to the Odoo instance and knowledge of the database manager endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 25.11 and 26.05

Vendor Advisory: https://github.com/NixOS/nixpkgs/security/advisories/GHSA-cwmq-6wv5-f3px

Restart Required: Yes

Instructions:

1. Update the NixOS Odoo package to version 25.11 or 26.05.
2. Restart the Odoo service.
3. Verify that the database manager is no longer publicly accessible.

🔧 Temporary Workarounds

Block database manager endpoint

Platform: linux

Use a firewall or reverse proxy to block access to the /web/database endpoint.

iptables -A INPUT -p tcp --dport 8069 -m string --string '/web/database' --algo bm -j DROP

Configure Odoo behind authentication proxy

Platform: all

Place Odoo behind a reverse proxy with authentication (e.g., nginx with basic auth).
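The following nginx server block is an added example of the reverse-proxy workaround; it is not taken from the NixOS advisory, nixpkgs, or Odoo's documentation. It assumes Odoo listens on 127.0.0.1:8069 (the port named on this page), an admin network of 10.0.0.0/8, and an htpasswd file at /etc/nginx/odoo-dbmanager.htpasswd; all three are placeholders to replace with your own values. Everything under /web/database is restricted to the admin network and additionally requires basic auth, while the rest of the application passes through to Odoo's normal login.

```nginx
# Added example: restrict the Odoo database manager at the reverse proxy.
# Assumed values: upstream 127.0.0.1:8069, admin network 10.0.0.0/8,
# htpasswd file /etc/nginx/odoo-dbmanager.htpasswd, hostname odoo.example.com.
upstream odoo_backend {
    server 127.0.0.1:8069;
}

server {
    listen 443 ssl;
    server_name odoo.example.com;
    # ssl_certificate / ssl_certificate_key directives omitted; supply your own.

    # Database manager: everything under /web/database.
    # nginx's default "satisfy all" means a client must pass BOTH the
    # allow/deny list AND basic auth before the request reaches Odoo.
    location ^~ /web/database {
        allow 10.0.0.0/8;
        deny  all;
        auth_basic           "Odoo database manager";
        auth_basic_user_file /etc/nginx/odoo-dbmanager.htpasswd;

        proxy_pass         http://odoo_backend;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }

    # Everything else: normal application traffic, protected by Odoo's own login.
    location / {
        proxy_pass         http://odoo_backend;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}
```

Two checks matter for this to be effective. First, the proxy only helps if port 8069 is not reachable from outside the host; bind Odoo to the loopback interface or firewall the port, otherwise the manager is reached directly and the proxy rule is bypassed. Second, the iptables string match shown above only inspects plaintext packet payloads, so it cannot see requests inside TLS and can miss a path split across packets; the proxy rule is the more reliable of the two workarounds, and the iptables rule is best treated as a stopgap for plain-HTTP deployments. If you forward X-Forwarded-* headers, Odoo's `proxy_mode = True` server option makes it trust them for client-address logging, which keeps the access logs useful for the detection queries below.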

🧯 If You Can't Patch

  • Isolate Odoo instance to internal network only.
  • Implement strict network ACLs to limit access to trusted IPs.

🔍 How to Verify

Check if Vulnerable:

Access http://<odoo-ip>:8069/web/database. If the page loads without an authentication prompt, the system is vulnerable.

Check Version:

nix-env -q | grep odoo

Verify Fix Applied:

After update, attempt to access /web/database endpoint; it should require authentication or be inaccessible.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /web/database in access logs
  • Database manager access attempts in Odoo logs

Network Indicators:

  • Unusual outbound database connections
  • Large data transfers from Odoo port 8069

SIEM Query:

(source="odoo.log" OR source="web_access.log") AND "/web/database"
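As an added detection example (not part of this advisory), the Python below parses nginx/Apache combined-format access-log lines, flags any request under the /web/database prefix named on this page, and classifies it so destructive calls and large backup downloads stand out from ordinary manager page loads. The sub-path names (manager, backup, drop, restore, change_password) follow Odoo's web database controller routes but are an assumption, not values taken from the advisory; the 50 MiB "large response" threshold is likewise assumed, and the log lines are constructed sample data using documentation IP ranges.

```python
"""Flag Odoo database-manager activity in HTTP access logs (added example, constructed data)."""
import re
from collections import Counter

# nginx/Apache "combined" log format. Odoo's own log can be handled the same
# way once its line format is known.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Everything under /web/database is the database manager (the endpoint named on
# this page). The specific sub-paths are assumptions based on Odoo's web
# controller routes; extend them to match your deployment.
MANAGER_PREFIX = "/web/database"
DESTRUCTIVE = {"/web/database/drop", "/web/database/restore", "/web/database/change_password"}
EXFIL = {"/web/database/backup"}

# A successful backup response at or above this size is treated as a dump
# download (assumed threshold; tune to the size of your databases).
LARGE_RESPONSE_BYTES = 50 * 1024 * 1024


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])
    return entry


def classify(entry):
    """Return an alert category for a parsed entry, or None if it is not manager traffic."""
    path = entry["path"].split("?", 1)[0].rstrip("/")
    if not path.startswith(MANAGER_PREFIX):
        return None
    if path in DESTRUCTIVE:
        return "destructive"
    if path in EXFIL:
        if entry["status"] == 200 and entry["bytes"] >= LARGE_RESPONSE_BYTES:
            return "backup_download"
        return "backup_attempt"
    return "manager_access"


def scan(lines):
    """Return one alert dict per log line that touches the database manager."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        category = classify(entry)
        if category is not None:
            alerts.append({
                "ts": entry["ts"], "ip": entry["ip"], "method": entry["method"],
                "path": entry["path"], "status": entry["status"],
                "bytes": entry["bytes"], "category": category,
            })
    return alerts


def by_source(alerts):
    """Count alerts per client IP so repeated probing from one source stands out."""
    return Counter(a["ip"] for a in alerts)


# Constructed sample lines (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2026:10:00:01 +0000] "GET /web/database/manager HTTP/1.1" 200 5120 "-" "curl/8.5.0"
203.0.113.7 - - [12/Feb/2026:10:00:05 +0000] "POST /web/database/backup HTTP/1.1" 200 734003200 "-" "curl/8.5.0"
198.51.100.4 - - [12/Feb/2026:10:01:00 +0000] "GET /web/login HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2026:10:02:00 +0000] "POST /web/database/drop HTTP/1.1" 200 97 "-" "curl/8.5.0"
this line is not an access-log record and is skipped
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for a in found:
        print(f'{a["ts"]} {a["ip"]} {a["category"]:16} {a["method"]} {a["path"]} {a["status"]} {a["bytes"]}')
    print("alerts per source:", dict(by_source(found)))
```

On the sample data the scan reports three alerts from 203.0.113.7 (a manager page load, a large backup download, and a drop call) and nothing for the ordinary /web/login request. Routing alerts in the `destructive` and `backup_download` categories to a high-priority queue, and the rest to a lower one, mirrors the Likely Case and Worst Case described above.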
