CVE-2026-25137: CWE-552: Files or Directories Accessible to External Parties in NixOS nixpkgs
The NixOS Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS-based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the entire database, including Odoo's file store. Unauthorized access is evident from HTTP requests: if logs are kept, searching access logs and/or Odoo's log for requests to /web/database can give indicators of whether this has been actively exploited. The database manager is a feature intended for development and not meant to be publicly reachable. On other setups, a master password acts as a second line of defence. However, due to the nature of NixOS, Odoo is not able to modify its own configuration file and thus cannot persist the auto-generated password. This also applies when a master password is set manually in the web UI. This means the password is lost when Odoo restarts. When no password is set, the user is prompted to set one directly via the database manager. This requires no authentication or action by any authorized user or the system administrator. Thus, the database is effectively world-readable by anyone able to reach Odoo. This vulnerability is fixed in 25.11 and 26.05.
AI Analysis
Technical Summary
CVE-2026-25137 is a critical security vulnerability affecting the Odoo package distributed via NixOS nixpkgs from version 21.11 up to, but not including, 25.11 and 26.05. Odoo is an open-source ERP and CRM system that includes a database manager interface intended solely for development environments and protected by a master password in typical deployments. However, due to NixOS's immutable configuration model, Odoo cannot persist the auto-generated master password or any manually set password across a restart. Consequently, the database manager interface is exposed without authentication to any external party able to reach the service endpoint. This exposure allows unauthorized users to perform destructive actions such as deleting the entire database or exfiltrating sensitive data, including the file store. The vulnerability arises from CWE-552 (files or directories accessible to external parties) and CWE-306 (missing authentication for critical function). Exploitation requires no privileges or user interaction, and attempts can be detected by analyzing HTTP requests targeting the /web/database path in access logs. The vulnerability has a CVSS v3.1 score of 9.1 (critical), reflecting its high impact on confidentiality and availability with low attack complexity. The issue is resolved in NixOS versions 25.11 and 26.05, where the master password persistence problem is addressed. No known exploits are currently reported in the wild, but the ease of exploitation and severity warrant urgent attention.
Potential Impact
For European organizations, this vulnerability poses a severe risk to the confidentiality and availability of critical business data managed by Odoo ERP/CRM systems deployed on NixOS. Unauthorized access to the database manager can lead to complete data exfiltration, including sensitive customer, financial, and operational records, resulting in data breaches and regulatory non-compliance under GDPR. Additionally, attackers can delete databases, causing significant operational disruption and potential financial losses. The lack of authentication means that any external attacker scanning for exposed Odoo instances can exploit this vulnerability without any prior access or user interaction. Organizations relying on NixOS for Odoo deployments, especially in sectors like manufacturing, retail, and services, could face reputational damage and legal consequences. The vulnerability also increases the attack surface for ransomware or data destruction campaigns targeting European enterprises. Given the criticality and ease of exploitation, the threat is substantial and demands immediate remediation.
Mitigation Recommendations
European organizations should immediately upgrade affected NixOS Odoo packages to versions 25.11 or 26.05 where the vulnerability is fixed. Until upgrades are applied, network-level mitigations must be enforced, such as restricting access to the Odoo database manager interface via firewall rules or VPNs to trusted internal users only. Organizations should audit their NixOS Odoo deployments to identify any publicly exposed /web/database endpoints and block external access. Monitoring and analyzing HTTP access logs for requests to /web/database can help detect exploitation attempts early. Implementing network segmentation to isolate Odoo servers and applying strict access controls will reduce exposure. Additionally, organizations should consider deploying Web Application Firewalls (WAFs) with rules to block unauthorized access to the database manager path. Regular backups of Odoo databases and file stores should be maintained to enable recovery in case of data deletion. Finally, educating system administrators about the unique configuration challenges of NixOS and Odoo password persistence can prevent misconfigurations leading to exposure.
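Both the description and the recommendations above point at the same indicator: requests to /web/database in the web server's access log or in Odoo's own log. The script below is an added example written for this page, not code from the advisory, nixpkgs or Odoo. It matches the request prefix that nginx "combined" lines and Odoo's werkzeug request lines share (client IP, timestamp, quoted request line, status), drops hits from an administrator-supplied list of trusted networks, and tags each remaining hit by sub-route. The sub-route categories are an assumption drawn from Odoo's database manager controller; the advisory itself only names the /web/database prefix. The log lines are constructed sample data.

```python
"""Scan access logs for hits on the Odoo database manager (/web/database).

Added example for CVE-2026-25137 triage; not part of the advisory or of Odoo.
Matches the request prefix common to nginx 'combined' logs and Odoo/werkzeug
request lines:  <client ip> - <user> [<timestamp>] "<METHOD> <path> HTTP/x.y" <status>
"""
import ipaddress
import re
from collections import Counter

REQUEST_RE = re.compile(
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}|-)'
)

# ASSUMPTION: sub-routes of Odoo's database manager controller and what each
# one lets an unauthenticated caller do. The advisory names only /web/database.
ROUTE_CATEGORY = {
    "/web/database/manager": "recon",
    "/web/database/selector": "recon",
    "/web/database/list": "recon",
    "/web/database/backup": "exfiltration",   # downloads DB dump + file store
    "/web/database/drop": "destruction",
    "/web/database/restore": "destruction",
    "/web/database/duplicate": "destruction",
    "/web/database/create": "destruction",
    "/web/database/change_password": "takeover",  # sets the (unpersisted) master password
}


def classify(path):
    """Return a category for a database-manager path, or None if unrelated."""
    base = path.split("?", 1)[0].rstrip("/")
    if not base.startswith("/web/database"):
        return None
    return ROUTE_CATEGORY.get(base, "other")


def scan_access_log(lines, trusted_networks=()):
    """Return one finding per /web/database request from an untrusted client."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line (e.g. an Odoo INFO message)
        category = classify(m["path"])
        if category is None:
            continue  # ordinary application traffic
        client = ipaddress.ip_address(m["ip"])
        if any(client in net for net in trusted):
            continue  # expected administrative access
        findings.append({
            "line": lineno, "ip": str(client), "time": m["ts"],
            "method": m["method"], "path": m["path"],
            "status": m["status"], "category": category,
        })
    return findings


def summarize(findings):
    """Count findings per (client, category) so an analyst sees who did what."""
    return Counter((f["ip"], f["category"]) for f in findings)


# Constructed sample data (TEST-NET addresses); five nginx lines, one Odoo log line.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Feb/2026:23:14:01 +0000] "GET /web/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.20.0.7 - - [02/Feb/2026:23:14:30 +0000] "GET /web/database/manager HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Feb/2026:23:15:02 +0000] "GET /web/database/manager HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Feb/2026:23:15:09 +0000] "POST /web/database/backup HTTP/1.1" 200 73400320 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Feb/2026:23:16:40 +0000] "GET /web/database/selector?debug=1 HTTP/1.1" 200 6100 "-" "Mozilla/5.0"
2026-02-02 23:17:18,412 812 INFO odoo_prod werkzeug: 203.0.113.5 - - [02/Feb/2026 23:17:18] "POST /web/database/drop HTTP/1.1" 200 -
""".splitlines()

if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG, trusted_networks=("10.0.0.0/8",))
    for h in hits:
        print(f'{h["time"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["category"]}')
    print(summarize(hits))
```

Run it against a real file with `scan_access_log(open(path), trusted_networks=[...])`; a "destruction" or "exfiltration" hit from outside the trusted networks during the exposure window is the signal that warrants restoring from backup and rotating any credentials stored in the database. A 200 on `/web/database/backup` with a large response size, as in the constructed sample, is the strongest indicator of data exfiltration.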
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-29T14:03:42.540Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69813006f9fa50a62f63a40a
Added to database: 2/2/2026, 11:15:18 PM
Last enriched: 2/10/2026, 10:48:18 AM
Last updated: 3/24/2026, 12:35:54 AM