Critical

Unauthenticated Odoo database manager exposure in NixOS Odoo package (/web/database)

IdentifiersCVE-2026-25137CWE-306· Missing Authentication for…

CVE-2026-25137 is a missing-authentication exposure affecting Odoo deployments installed via the NixOS Odoo package. For NixOS releases 21.11 through versions prior to 25.11 and 26.05, the Odoo database manager endpoint (/web/database) can be publicly reachable without effective authentication because Odoo’s master password (intended to protect database-manager actions) cannot be persisted on NixOS due to immutable/read-only configuration generation. After (re)starts, the master password is lost; when unset, the database manager prompts the next visitor to set it, allowing an unauthenticated remote party to set the master password first and then use the database manager to perform privileged operations. This results in unauthorized access to database management functions, including database download and deletion, and exposure of the Odoo filestore.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Remote, unauthenticated attackers who can reach the Odoo HTTP interface can access the database manager and exfiltrate the entire Odoo database and associated filestore (high confidentiality impact) and/or delete production databases (high availability impact), potentially causing complete data loss and service disruption.

Mitigation

If you can’t patch tonight, do this now.

Disable or restrict the database manager feature and endpoint exposure. Recommended configuration: set services.odoo.settings.options.list_db = false; to disable database listing/manager functionality. Until patched, block or strictly limit access to /web/database at the firewall/reverse-proxy/ACL level (e.g., allow only from admin VPN), and monitor HTTP/access logs and Odoo logs for requests to /web/database and unexpected database management actions. Note that patching does not address prior compromise; investigate if suspicious access is found.

Remediation

Patch, then assume compromise.

Upgrade/apply the NixOS security fixes that address CVE-2026-25137 (fixed in NixOS 25.11 and 26.05; patches referenced for unstable/26.05 and 25.05). After updating, validate that the database manager is not exposed to untrusted networks and that the master password behavior is no longer reset/claimable after restarts.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

NixosNixos Odoooperating_system

NixosOdoooperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

14 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

14 SOURCESView more in app

security online infoNews

Feb 4, 2026

AI Hub Hijacked: Polymorphic Android RAT Abuses Hugging Face to Steal Data

Unknown (only referenced as a prior/related item title; no technical details provided in the content).

security online infoNews

Feb 4, 2026

CVE-2026-25137: Critical Odoo on NixOS Flaw Exposes Databases

A critical Odoo-on-NixOS misconfiguration/behavioral flaw where Odoo cannot persist its auto-generated database manager master password due to NixOS immutability, leaving the /web/database manager effectively exposed and allowing an attacker to set the master password and gain database-manager administrative control (e.g., download/delete databases).

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity10

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-25137

NVD

nvd.nist.gov/vuln/detail/CVE-2026-25137

MITRE CWE · CWE-306

Missing Authentication for Critical Function

github.com

github.com/NixOS/nixpkgs/pull/485310

github.com

github.com/NixOS/nixpkgs/pull/485454

github.com

github.com/NixOS/nixpkgs/security/advisories/GHSA-cwmq-6wv5-f3px