Threat Advisory

Critical Odoo on NixOS Flaw Exposes Databases

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

A critical vulnerability, CVE-2026-25137 (CVSS 9.1), affects Odoo deployments running on NixOS and exposes the Odoo database manager to unauthenticated users. The flaw stems from the NixOS immutable configuration model: the Odoo configuration file is generated into the read-only Nix store, so Odoo cannot persist its master password to it across service restarts. After a reboot or service reload the database manager can therefore be left without any master password. The issue affects the Odoo packages on NixOS 21.11, 22.05, 22.11, 23.05, 23.11, 24.05, 24.11, and 25.05.

In this state, unauthenticated remote users can reach the /web/database endpoints (the database manager) and obtain administrative-level control over it without valid credentials. An attacker can download full databases together with their associated file stores. In the worst case, production databases can be deleted or manipulated, leading to significant data loss and service disruption.

RECOMMENDATION:

We strongly recommend updating NixOS to version 25.11 or 26.05. Until the upgrade is complete, apply the standard Odoo hardening for this surface: set an explicit master password through the admin_passwd option in the Odoo configuration (preferably as a pbkdf2-sha512 hash rather than plaintext, since the Nix store is world-readable), or disable the database manager entirely with list_db = False, and block the /web/database/ paths at the reverse proxy for anyone who does not need them. Because the unprotected state returns after every restart, re-check the database manager after each service reload rather than relying on a one-time verification.
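The condition described in this advisory can be checked directly against a host's Odoo configuration. The following is an added example written for this advisory; it is not code from Odoo, NixOS or the referenced report. It assumes the configuration is an INI file with an [options] section (the format Odoo reads) and that a NixOS-managed copy lives under /nix/store, which is read-only; the two sample configurations embedded in it are constructed, and the pbkdf2 string in the hardened sample is a placeholder, not a real hash.

```python
"""Audit an odoo.conf for an unprotected database manager.

Added example for this advisory; not code from Odoo, NixOS or the
referenced report. It reads the two documented Odoo [options] keys that
govern the database manager:
  admin_passwd  the master password protecting /web/database/*
  list_db       False disables the database manager and database listing
and, when a config path is given, flags files Odoo cannot write back to
(the NixOS situation this advisory describes).
"""
import configparser
import os
from typing import Optional

# Constructed sample: no master password, the shape a NixOS-generated
# file takes when admin_passwd is left unset (store hash is fake).
SAMPLE_UNPROTECTED = """\
[options]
db_host = /run/postgresql
db_user = odoo
addons_path = /nix/store/0000000000000000000000000000000a-odoo-17.0/lib/python3.12/site-packages/odoo/addons
"""

# Constructed sample: manager disabled and a hashed master password.
# The pbkdf2 string is a placeholder, not a real hash.
SAMPLE_HARDENED = """\
[options]
db_host = /run/postgresql
db_user = odoo
list_db = False
admin_passwd = $pbkdf2-sha512$25000$c2FsdHNhbHRzYWx0c2FsdA$aGFzaGhhc2hoYXNoaGFzaGhhc2g
"""

HASH_PREFIX = "$pbkdf2-sha512$"  # scheme Odoo uses for a stored master password


def _is_false(value: str) -> bool:
    return value.strip().lower() in ("false", "0", "no", "off")


def audit_odoo_conf(text: str, config_path: Optional[str] = None) -> dict:
    """Return a report dict; report['vulnerable'] is True when the database
    manager is enabled and no master password is configured."""
    parser = configparser.ConfigParser(interpolation=None)  # hashes contain '$'
    parser.read_string(text)
    opts = parser["options"] if parser.has_section("options") else {}

    admin_passwd = opts.get("admin_passwd", "").strip()
    manager_enabled = not _is_false(opts.get("list_db", "True"))
    findings = []

    if manager_enabled and not admin_passwd:
        findings.append(
            "database manager enabled with no master password: "
            "/web/database/manager accepts unauthenticated requests"
        )
    if admin_passwd and not admin_passwd.startswith(HASH_PREFIX):
        findings.append(
            "admin_passwd is not a pbkdf2-sha512 hash; a plaintext value is "
            "readable by anyone who can read the config file (on NixOS the "
            "Nix store is world-readable)"
        )
    if config_path is not None:
        in_store = config_path.startswith("/nix/store/")
        unwritable = os.path.exists(config_path) and not os.access(config_path, os.W_OK)
        if in_store or unwritable:
            findings.append(
                "config file is read-only (Nix store or file mode): Odoo cannot "
                "persist a master password to it, so one set only through the "
                "web manager is lost on the next restart"
            )

    return {
        "manager_enabled": manager_enabled,
        "master_password_set": bool(admin_passwd),
        "vulnerable": manager_enabled and not admin_passwd,
        "findings": findings,
    }


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        path = sys.argv[1]
        with open(path, encoding="utf-8") as fh:
            report = audit_odoo_conf(fh.read(), config_path=path)
    else:
        # Offline demo on the constructed sample, as if it lived in the store.
        report = audit_odoo_conf(
            SAMPLE_UNPROTECTED,
            config_path="/nix/store/0000000000000000000000000000000a-odoo.cfg",
        )
    for line in report["findings"] or ["no findings"]:
        print("-", line)
    sys.exit(1 if report["vulnerable"] else 0)
```

Point the script at the configuration file the Odoo service is started with (the path passed via -c); a non-zero exit means the configuration leaves the database manager reachable without a master password. It inspects configuration only, so also confirm the live /web/database/manager endpoint after each service restart, since the unprotected state described above recurs on reload.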

REFERENCES:

The following reports contain further technical details:

https://securityonline.info/cve-2026-25137-critical-odoo-on-nixos-flaw-exposes-databases/