Open Source ERP System Exposes Database Manager Without Authentication
CVE-2026-25137
What is CVE-2026-25137?
The Odoo package in NixOS (nixpkgs), an open-source ERP and CRM system, is affected by a configuration flaw that exposes Odoo's database manager, served under the /web/database path, without any authentication. Anyone with network access to the instance can list, download (backup), delete (drop) and restore databases, and a backup includes the filestore with all attached documents. In other deployments the database manager is protected by a master password (the admin_passwd setting in Odoo's configuration file), which an administrator can set from the web interface; Odoo persists it by writing it back into that configuration file. On NixOS the configuration file is generated by the module into the read-only Nix store, so Odoo cannot modify it: a master password set through the interface exists only in memory and is lost as soon as Odoo restarts, after which the database manager is open again to anyone who can reach the service. Potential exploitation can be identified by reviewing access logs for requests to the /web/database path, in particular the backup, drop and restore endpoints. The issue is fixed in nixpkgs 25.11 and 26.05.
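The advisory points to access-log review as the way to spot abuse. The following script is an added example, not part of the advisory or of the nixpkgs/Odoo projects: it parses reverse-proxy access logs in the common nginx/Apache "combined" format (an assumption about the deployment), picks out every request under /web/database, and grades requests to Odoo's destructive or data-exfiltrating database-manager routes (drop, backup, restore, duplicate, create, change_password) as high severity when the server actually served them. The log lines embedded below are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Sub-routes of Odoo's database manager (/web/database/<action>). The first set
# modifies or exfiltrates a database; the second only lists or renders the manager.
DESTRUCTIVE = {"drop", "backup", "restore", "duplicate", "create", "change_password"}
MANAGEMENT = {"manager", "selector", "list", "root"}

# nginx / Apache "combined" access-log format (assumed deployment format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

@dataclass
class Finding:
    ip: str
    timestamp: str
    method: str
    path: str
    status: int
    action: str    # database-manager action, e.g. "drop", "backup", "manager"
    severity: str  # "high" for a served destructive action, otherwise "info"

def classify(path: str) -> Optional[str]:
    """Return the database-manager action a request path targets, or None
    if the path is not under /web/database at all."""
    p = path.split("?", 1)[0].rstrip("/")
    if p == "/web/database":
        return "root"
    if not p.startswith("/web/database/"):
        return None
    return p[len("/web/database/"):].split("/", 1)[0]

def scan_access_log(lines: Iterable[str]) -> List[Finding]:
    """Extract every database-manager request from access-log lines."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        action = classify(m["path"])
        if action is None:
            continue
        status = int(m["status"])
        # A 2xx/3xx on backup or drop means the action was served, not merely
        # attempted; a 4xx (e.g. blocked at the proxy) is worth knowing but not
        # evidence of data loss or exfiltration.
        severity = "high" if action in DESTRUCTIVE and status < 400 else "info"
        findings.append(Finding(m["ip"], m["ts"], m["method"], m["path"], status, action, severity))
    return findings

def high_severity_sources(findings: List[Finding]) -> List[str]:
    """Client IPs that successfully hit a destructive database-manager route."""
    return sorted({f.ip for f in findings if f.severity == "high"})

# Constructed sample log (not real traffic): one client enumerates the manager,
# downloads a backup and drops the database; another only views the selector;
# a third is refused by the proxy when attempting a restore.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Feb/2026:03:14:07 +0000] "GET /web/database/manager HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Feb/2026:03:14:20 +0000] "POST /web/database/backup HTTP/1.1" 200 88411234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Feb/2026:03:15:02 +0000] "POST /web/database/drop HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Feb/2026:03:16:00 +0000] "GET /web/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Feb/2026:03:16:30 +0000] "GET /web/database/selector HTTP/1.1" 200 3010 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [12/Feb/2026:03:17:00 +0000] "POST /web/database/restore HTTP/1.1" 403 0 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    results = scan_access_log(SAMPLE_LOG)
    for f in results:
        print(f"{f.severity:4} {f.ip:14} {f.timestamp} {f.method} {f.path} -> {f.status}")
    print("sources with served destructive actions:", high_severity_sources(results))
```

Run it against the real proxy log instead of SAMPLE_LOG (for example by piping `open("/var/log/nginx/access.log")` into `scan_access_log`). A served backup is the item to treat as a confirmed data exposure; a served drop explains a suddenly missing database. Because the database manager has no session of its own, the access log is the only place these requests leave a trace, which is why the advisory directs attention there.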
Affected Version(s)
nixpkgs >= 21.11, < 25.11
