CVE-2026-25137
Published: 02 February 2026
Summary
CVE-2026-25137 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 5.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-22 (Publicly Accessible Content).
Deeper analysis
CVE-2026-25137 affects the NixOS Odoo package, an open-source ERP and CRM system, in versions from 21.11 up to but not including 25.11 and 26.05. The vulnerability stems from the public exposure of Odoo's database manager interface without any authentication mechanism. In typical non-NixOS setups, a master password provides a secondary defense, but NixOS's immutable configuration prevents Odoo from modifying its own config file to persist an auto-generated or manually set password. As a result, the password is lost on service restarts, leaving the database manager accessible without credentials. This issue is scored at CVSS 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) and maps to CWE-306 (Missing Authentication for Critical Function) and CWE-552 (Files or Directories Accessible to External Parties).
Any unauthenticated attacker with network access to the affected NixOS Odoo instance can exploit this by navigating to the /web/database endpoint. Successful exploitation enables full unauthorized read, download, or deletion of the entire database, including Odoo's file store. No privileges, user interaction, or administrative action are required, making it remotely exploitable over the network with low complexity.
NixOS security advisories and patches, detailed in GHSA-cwmq-6wv5-f3px and related nixpkgs pull requests #485310 and #485454, confirm the fix in Odoo package versions 25.11 and 26.05. Administrators should upgrade to these versions immediately. For detection, review access logs and Odoo logs for requests to /web/database, which indicate potential exploitation attempts.
Indicators from HTTP requests to /web/database can reveal prior unauthorized access, though no widespread real-world exploitation has been reported in the available data.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5405
Vulnerability details
The NixOS Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS-based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the entire database, including Odoo's file store. Unauthorized access is evident from HTTP requests. If logs have been kept, searching access logs and/or Odoo's log for requests to /web/database can give indicators of whether this has been actively exploited. The database manager is a feature intended for development and not meant to be publicly reachable. On other setups, a master password acts as a second line of defence. However, due to the nature of NixOS, Odoo is not able to modify its own configuration file and thus unable to persist the auto-generated password. This also applies when manually setting a master password in the web UI. This means the password is lost when restarting Odoo. When no password is set, the user is prompted to set one directly via the database manager. This requires no authentication or action by any authorized user or the system administrator. Thus, the database is effectively world readable by anyone able to reach Odoo. This vulnerability is fixed in 25.11 and 26.05.
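The log review recommended in both the analysis and the advisory text can be scripted. The following is an added example, not code from the advisory, from Odoo or from nixpkgs; it assumes the reverse proxy in front of Odoo writes nginx/Apache combined-format access logs, and the sample lines (including the /web/database/backup subpath) are constructed for illustration.

```python
import re
from collections import Counter, namedtuple

# Assumption: the reverse proxy in front of Odoo writes nginx/Apache "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# The advisory names /web/database as the exposed database-manager endpoint.
DB_MANAGER_PREFIX = "/web/database"
Finding = namedtuple("Finding", "ip ts method path status severity")

def classify(method, status):
    """Accepted POSTs can back up, drop or restore a database; reads rank lower."""
    if 200 <= status < 400:
        return "high" if method == "POST" else "medium"
    return "low"  # rejected or failed request, still worth a look

def scan_access_log(lines):
    """Return a Finding for every request that touched the database manager."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production tool would count these
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        if path != DB_MANAGER_PREFIX and not path.startswith(DB_MANAGER_PREFIX + "/"):
            continue
        status = int(m.group("status"))
        findings.append(Finding(m.group("ip"), m.group("ts"), m.group("method"),
                                path, status, classify(m.group("method"), status)))
    return findings

def summarize_by_source(findings):
    """High-severity hits per client IP, to decide which sources to triage first."""
    return Counter(f.ip for f in findings if f.severity == "high")

# Constructed sample lines (not taken from any real deployment).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Feb/2026:10:01:12 +0000] "GET /web/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Feb/2026:10:01:30 +0000] "GET /web/database/manager HTTP/1.1" 200 3310 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Feb/2026:10:02:05 +0000] "POST /web/database/backup HTTP/1.1" 200 8812345 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [02/Feb/2026:10:05:41 +0000] "GET /web/database/manager?debug=1 HTTP/1.1" 403 153 "-" "curl/8.0"',
    "not an access log line",
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f)
    print("high-severity hits per source:", dict(summarize_by_source(scan_access_log(SAMPLE_LOG))))
```

Any accepted POST under /web/database on an instance that was exposed during the affected version range warrants restoring from a known-good backup and rotating every credential stored in the database.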
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authentication on public /web/database endpoint in exposed Odoo instance directly enables remote exploitation of public-facing application without credentials or user interaction.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): Directly prohibits permitting critical functions like the unauthenticated database manager without identification and authentication, addressing CWE-306.
- AC-22 (Publicly Accessible Content): Controls and monitors publicly accessible content such as the exposed /web/database endpoint to prevent unauthorized database access.
- Prohibits or restricts nonessential development features like the database manager in production environments to enforce least functionality.