CVE-2026-25137

The NixOS package for Odoo

A critical vulnerability exists in the NixOS package for the Odoo ERP and CRM system.

Executive summary

A critical vulnerability exists in the NixOS package for the Odoo ERP and CRM system. This flaw exposes the database management interface to the public internet without any password protection, allowing an unauthenticated attacker to download or delete the entire business database, including all sensitive customer data and files. This could lead to a catastrophic data breach and complete disruption of business operations.

Vulnerability

The vulnerability is an authentication bypass caused by a configuration issue specific to how Odoo is packaged on NixOS. The Odoo database manager, a powerful tool intended for development, is publicly exposed. On other operating systems, this interface is protected by a master password; however, due to the immutable nature of NixOS, Odoo is unable to save the auto-generated or manually set master password. Consequently, every time the Odoo service restarts, the password is lost, leaving the database manager completely unprotected. An unauthenticated attacker can simply navigate to the /web/database endpoint and gain full administrative control over the Odoo databases, allowing them to download, delete, or create backups of all data.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.1. Successful exploitation would have a catastrophic impact on the business. An attacker could exfiltrate the entire database, leading to a massive data breach of sensitive information, including customer data, financial records, and proprietary business information. Furthermore, an attacker could delete the database, causing a complete and immediate loss of service and data, leading to severe operational disruption. The potential consequences include significant financial loss, severe reputational damage, loss of customer trust, and potential regulatory fines for data protection violations.

Remediation

Immediate Action: Update the NixOS Odoo package to the latest version. Specifically, organizations must upgrade to version 25.11, 26.05, or a later patched release that corrects the password persistence issue. After updating, administrators should verify that the database manager is no longer publicly accessible or is properly secured with a persistent master password.

Proactive Monitoring: Actively monitor web server access logs and Odoo application logs for any historical or current requests to the /web/database endpoint. System administrators should configure alerts for any access attempts to this path from untrusted IP addresses. Evidence of such requests should trigger an immediate incident response investigation to determine if a data breach has occurred.
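As an added example for the monitoring step above (not code from the advisory or from the NixOS/Odoo projects), the following script scans combined-format web server access logs for requests to the /web/database path from outside a trusted range and flags the calls that can dump or destroy a database. The log lines, the trusted 10.0.0.0/8 range and the sub-paths are constructed for the example; the sub-path names are assumed to follow Odoo's database-manager route names.

```python
import ipaddress
import re

# Constructed sample access-log lines (nginx/Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2026:08:12:03 +0000] "GET /web/database/manager HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Feb/2026:08:13:11 +0000] "GET /web/database/selector HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.9 - - [10/Feb/2026:08:14:27 +0000] "POST /web/database/backup HTTP/1.1" 200 88771 "-" "python-requests/2.31"
203.0.113.7 - - [10/Feb/2026:08:15:00 +0000] "GET /web/login HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2026:08:16:42 +0000] "POST /web/database/drop HTTP/1.1" 200 120 "-" "python-requests/2.31"
"""

# Assumed trusted range for the example (internal network); adjust to your environment.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def is_trusted(ip: str) -> bool:
    """True if the client IP falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def find_db_manager_access(log_text: str) -> list[dict]:
    """Return one record per request to the Odoo database manager (/web/database...)
    from an untrusted IP; 'destructive' marks backup/drop/restore/duplicate calls."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole scan
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if not (path == "/web/database" or path.startswith("/web/database/")):
            continue
        if is_trusted(m.group("ip")):
            continue
        action = path.rsplit("/", 1)[-1]
        hits.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "method": m.group("method"),
            "path": path,
            "status": int(m.group("status")),
            "destructive": action in {"backup", "drop", "restore", "duplicate"},
        })
    return hits
```

Any hit with a 200 status on this path during the vulnerable window is evidence that the unprotected manager was reachable and should start an incident response investigation.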

Compensating Controls: If immediate patching is not feasible, implement a compensating control by using a reverse proxy or Web Application Firewall (WAF). Configure the proxy or WAF to explicitly block all external access to the /web/database URL path. Additionally, restrict network access to the Odoo instance via firewall rules, allowing connections only from trusted IP ranges.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Given the critical CVSS score of 9.1 and the trivial nature of exploitation, this vulnerability poses a severe and immediate threat to any organization using an affected version of the NixOS Odoo package. We strongly recommend that organizations prioritize the immediate application of the security patches provided by the vendor. Although this CVE is not currently on the CISA KEV list, the high potential for a complete data breach and service disruption requires urgent attention. All affected systems should be patched and thoroughly audited for any signs of past compromise.