Cyber Resilience

CVE-2026-25137

Critical

Published: 02 February 2026

Modified: 15 April 2026
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.1008 (95.0th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-25137 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 5.0% of CVEs by exploit likelihood, but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-22 (Publicly Accessible Content).

Deeper analysis

CVE-2026-25137 affects the NixOS Odoo package, an open-source ERP and CRM system, in versions from 21.11 up to but not including 25.11 and 26.05. The vulnerability stems from the public exposure of Odoo's database manager interface without any authentication mechanism. In typical non-NixOS setups, a master password provides a secondary defense, but NixOS's immutable configuration prevents Odoo from modifying its own config file to persist an auto-generated or manually set password. As a result, the password is lost on service restarts, leaving the database manager accessible without credentials. This issue is scored at CVSS 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) and maps to CWE-306 (Missing Authentication for Critical Function) and CWE-552 (Files or Directories Accessible to External Parties).

Any unauthenticated attacker with network access to the affected NixOS Odoo instance can exploit this by navigating to the /web/database endpoint. Successful exploitation enables full unauthorized read, download, or deletion of the entire database, including Odoo's file store. No privileges, user interaction, or administrative action are required, making it remotely exploitable over the network with low complexity.

NixOS security advisories and patches, detailed in GHSA-cwmq-6wv5-f3px and related nixpkgs pull requests #485310 and #485454, confirm the fix in Odoo package versions 25.11 and 26.05. Administrators should upgrade to these versions immediately. For detection, review access logs and Odoo logs for requests to /web/database, which indicate potential exploitation attempts.

Indicators from HTTP requests to /web/database can reveal prior unauthorized access, though no widespread real-world exploitation has been reported in the available data.


Vulnerability details

The NixOS Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS-based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the entire database, including Odoo's file store. Unauthorized access is evident from HTTP requests: if access logs and/or Odoo's log have been kept, searching them for requests to /web/database can give indicators of whether this has been actively exploited. The database manager is a feature intended for development and not meant to be publicly reachable. On other setups, a master password acts as a second line of defence. However, due to the nature of NixOS, Odoo is not able to modify its own configuration file and is thus unable to persist the auto-generated password. This also applies when a master password is set manually in the web UI, so the password is lost when Odoo restarts. When no password is set, the user is prompted to set one directly via the database manager, which requires no authentication or action by any authorized user or the system administrator. Thus, the database is effectively world-readable by anyone able to reach Odoo. This vulnerability is fixed in 25.11 and 26.05.
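Both the "Deeper analysis" and the vulnerability details above recommend searching access logs for requests to /web/database. The following script is an added example written for this page, not code from NixOS, Odoo or the advisory. It assumes the reverse proxy in front of Odoo writes the common "combined" access-log format; the sample log lines are constructed. The advisory itself only names the /web/database prefix, which is what the detection keys on; the sub-route names used to rank hits by severity are Odoo's database-manager actions as I know them, and a deployment should verify them against its own Odoo version.

```python
import re
import sys
from collections import Counter, defaultdict

# Regex for the nginx/Apache "combined" log format (assumption: adjust the
# pattern if the proxy in front of Odoo logs in a different format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The advisory names only this prefix; every request under it is of interest.
PREFIX = "/web/database"

# Sub-routes that destroy or replace data, or exfiltrate it (Odoo database
# manager actions as I know them; verify against your Odoo version).
DESTRUCTIVE = {"drop", "restore", "create", "duplicate", "change_password"}
EXFIL = {"backup"}

# Constructed sample access log: one source pulls a backup, another drops a
# database, a third hits an unrelated 404, and one line is unparseable.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Feb/2026:10:14:02 +0000] "GET /web/login HTTP/1.1" 200 5123
203.0.113.7 - - [03/Feb/2026:10:14:09 +0000] "GET /web/database/manager HTTP/1.1" 200 8841
203.0.113.7 - - [03/Feb/2026:10:14:31 +0000] "POST /web/database/backup HTTP/1.1" 200 73482910
198.51.100.23 - - [03/Feb/2026:11:02:44 +0000] "GET /web/database/selector HTTP/1.1" 200 4210
198.51.100.23 - - [03/Feb/2026:11:03:01 +0000] "POST /web/database/drop HTTP/1.1" 200 311
192.0.2.55 - - [03/Feb/2026:12:00:00 +0000] "GET /web/databases/foo HTTP/1.1" 404 150
garbage line that does not parse
"""


def classify(path):
    """Return None for requests outside the database manager, otherwise a
    severity label: 'critical' for data-changing or exfiltrating actions,
    'suspicious' for manager/selector/list pages (reconnaissance or UI load)."""
    path = path.split("?", 1)[0]
    # Exact prefix match: '/web/databases/...' must not count.
    if path != PREFIX and not path.startswith(PREFIX + "/"):
        return None
    action = path[len(PREFIX):].strip("/").split("/", 1)[0]
    if action in DESTRUCTIVE or action in EXFIL:
        return "critical"
    return "suspicious"


def scan(lines):
    """Parse access-log lines and collect database-manager hits.

    Returns a dict with the individual hits, a per-source severity count,
    and the number of lines that did not match the log format."""
    hits = []
    by_source = defaultdict(Counter)
    unparsed = 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        severity = classify(m["path"])
        if severity is None:
            continue
        status = int(m["status"])
        hit = {
            "ip": m["ip"],
            "ts": m["ts"],
            "method": m["method"],
            "path": m["path"],
            "status": status,
            "severity": severity,
            # A 4xx/5xx means the request was refused or failed; still worth
            # seeing, because it shows someone probing the endpoint.
            "succeeded": 200 <= status < 400,
        }
        hits.append(hit)
        by_source[hit["ip"]][severity] += 1
    return {"hits": hits, "by_source": dict(by_source), "unparsed": unparsed}


def report(result):
    """Render the scan result as human-readable lines, critical hits first."""
    lines = []
    for h in sorted(result["hits"], key=lambda h: h["severity"] != "critical"):
        outcome = "ok" if h["succeeded"] else f"status {h['status']}"
        lines.append(f"[{h['severity']:10}] {h['ts']} {h['ip']} "
                     f"{h['method']} {h['path']} ({outcome})")
    for ip, counts in result["by_source"].items():
        lines.append(f"source {ip}: " + ", ".join(f"{k}={v}" for k, v in counts.items()))
    lines.append(f"unparsed lines: {result['unparsed']}")
    return lines


if __name__ == "__main__":
    # Pass an access log path to scan a real file; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            data = f.read().splitlines()
    else:
        data = SAMPLE_LOG.splitlines()
    print("\n".join(report(scan(data))))
```

Because the NixOS setup has no master password, any request to the backup or drop routes that returns a 2xx status is a completed action, not an attempt; on setups where the master password works, a 2xx on the same routes still deserves a look, since the manager should not be reachable from the public network at all.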

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Missing authentication on the public /web/database endpoint of an exposed Odoo instance directly enables remote exploitation of a public-facing application without credentials or user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-4810 (shared CWE-306)
- CVE-2025-53847 (shared CWE-306)
- CVE-2025-61757 (shared CWE-306)
- CVE-2025-68715 (shared CWE-306)
- CVE-2026-21992 (shared CWE-306)
- CVE-2025-26362 (shared CWE-306)
- CVE-2026-48692 (shared CWE-306)
- CVE-2022-50981 (shared CWE-306)
- CVE-2025-58083 (shared CWE-306)
- CVE-2025-21515 (shared CWE-306)

Mitigating Controls (NIST 800-53 r5)

- Prevent, AC-14 (Permitted Actions Without Identification or Authentication): Directly prohibits permitting critical functions like the unauthenticated database manager without identification and authentication, addressing CWE-306.
- Prevent, AC-22 (Publicly Accessible Content): Controls and monitors publicly accessible content such as the exposed /web/database endpoint to prevent unauthorized database access.
- Prevent (least functionality): Prohibits or restricts nonessential development features like the database manager in production environments to enforce least functionality.
