A critical vulnerability has been discovered in Odoo deployments running on NixOS. The vulnerability, tracked as CVE-2026-25137 (CVSS 9.1), leaves the database manager—and by extension, the entire organization’s data—wide open to the public Internet.
The issue stems not from a code error in Odoo itself, but from a conflict between Odoo’s security model and the core philosophy of NixOS: immutability.
Odoo, a popular open-source ERP suite, relies on a “master password” to secure its database manager. Typically, when Odoo is installed, it auto-generates this password and saves it to a configuration file. This password acts as the gatekeeper, preventing unauthorized users from creating, deleting, or downloading databases.
However, NixOS is designed to be purely functional and immutable. Configuration files are generated from the Nix store and are generally read-only for the running application.
According to the security advisory:
“However, due to the nature of NixOS, Odoo is not able to modify its own configuration file and thus unable to persist the auto-generated password… This means, the password is lost when restarting Odoo.”
Because the password cannot be saved, every time Odoo restarts on a NixOS system, it reverts to an insecure state. If no master password is set, Odoo prompts the next user who visits the page to set one.
This creates a race condition: after each restart, whoever reaches the database manager first gets to set the master password, so an attacker simply needs to navigate to the database manager interface before a legitimate administrator does to take full administrative control. From there, the consequences are catastrophic:
- Total Data Exfiltration: Attackers can download the entire database and Odoo file store.
- Destruction: Unauthorized actors can delete production databases instantly.
The report serves as a stark warning for administrators: “Thus, the database is effectively world readable by anyone able to reach Odoo.”
Administrators running Odoo on NixOS are urged to check their access logs immediately. The report notes that unauthorized access attempts will leave a digital footprint:
- Look for HTTP requests targeting /web/database.
- Check Odoo’s internal logs for unexpected database management activities.
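As an added example (not part of the advisory or the NixOS project), the following script applies that check to access log lines: it pulls out every request under /web/database, attributes it to a source address, and flags the manager operations that create, delete or download databases. The sample log lines are constructed, and the exact sub-path names for those operations are assumed from Odoo’s web database controller.

```python
import re
from collections import Counter

# Constructed sample: an nginx-style access log in front of Odoo plus one of
# Odoo's own werkzeug request-log lines. Both carry the quoted request line.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2026:12:00:01 +0000] "GET /web/login HTTP/1.1" 200 512
203.0.113.5 - - [10/Feb/2026:12:00:07 +0000] "GET /web/database/manager HTTP/1.1" 200 2048
203.0.113.5 - - [10/Feb/2026:12:00:20 +0000] "POST /web/database/backup HTTP/1.1" 200 31457280
2026-02-10 12:01:02,118 1 INFO ? werkzeug: 198.51.100.9 - - [10/Feb/2026 12:01:02] "POST /web/database/drop HTTP/1.1" 200 -
10.0.0.4 - - [10/Feb/2026:12:02:00 +0000] "GET /web/webclient/version_info HTTP/1.1" 200 90
"""

# Client address, then the quoted request line, restricted to the manager's URL space.
REQUEST_RE = re.compile(
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - - \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>/web/database\S*)'
)

# Manager operations that change or export data (assumed route names).
HIGH_IMPACT = (
    "/web/database/create",
    "/web/database/drop",
    "/web/database/backup",
    "/web/database/restore",
)


def find_db_manager_hits(log_text):
    """Return (ip, method, path, high_impact) for each request under /web/database."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            hits.append((m["ip"], m["method"], m["path"], m["path"].startswith(HIGH_IMPACT)))
    return hits


def summarize(hits):
    """Count manager requests per source address and list the high-impact ones."""
    by_ip = Counter(ip for ip, _, _, _ in hits)
    high = [h for h in hits if h[3]]
    return {"by_ip": dict(by_ip), "high_impact": high}


if __name__ == "__main__":
    report = summarize(find_db_manager_hits(SAMPLE_LOG))
    for ip, n in report["by_ip"].items():
        print(f"{ip}: {n} request(s) to /web/database")
    for ip, method, path, _ in report["high_impact"]:
        print(f"HIGH IMPACT {method} {path} from {ip}")
```

Any hit from an address that is not a known administrator, and in particular any backup or drop, warrants treating the database as exposed.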
The intuitive fix—logging into the web UI and setting a master password manually—is a trap. Because of the immutability issue, this password will vanish upon the next service restart, reopening the vulnerability.
The maintainers recommend completely disabling the database manager feature in the NixOS configuration, as it is intended primarily for development environments.
Configuration Change:
services.odoo.settings.options.list_db = false;
Patches have been released for NixOS unstable/26.05 (Patch #485310) and NixOS 25.05 (Patch #485454). Until these patches can be applied or the configuration changed, network administrators are advised to block all traffic to /web/database at the firewall level.