CVE-2026-25137 is a critical security vulnerability in the NixOS nixpkgs distribution affecting the Odoo ERP/CRM package versions from 21.11 up to but not including 25.11 and 26.05. The core issue arises because the Odoo database manager interface, which is intended only for development use, is exposed publicly without any authentication mechanism. Normally, Odoo uses a master password as a second line of defense; however, due to the immutable nature of NixOS configurations, Odoo cannot persist the auto-generated master password or any manually set password across restarts. Consequently, after each restart, the database manager is left unprotected and accessible to anyone able to reach the Odoo service endpoint. This allows unauthorized actors to perform destructive actions such as deleting the entire database or downloading all stored data, including sensitive files. The vulnerability is evident from HTTP requests targeting the /web/database path, and defenders can search logs for such activity to identify potential exploitation. The flaw is classified under CWE-552 (Files or Directories Accessible to External Parties) and CWE-306 (Missing Authentication for Critical Function). The vulnerability has a CVSS v3.1 score of 9.1, reflecting its critical severity, with network attack vector, no required privileges or user interaction, and high impact on confidentiality and availability. The issue has been resolved in NixOS versions 25.11 and 26.05.

For European organizations using NixOS with the affected Odoo package versions, this vulnerability poses a severe risk to business operations and data confidentiality. Unauthorized access to the database manager can lead to complete data exfiltration, including sensitive customer and business information stored within Odoo’s ERP and CRM modules. Additionally, attackers can delete the entire database, causing significant operational downtime and data loss. Given Odoo’s role in managing critical business processes, exploitation could disrupt supply chains, financial operations, and customer relationship management. The lack of authentication and ease of exploitation mean that any exposed Odoo instance on the internet is at immediate risk. This could also lead to regulatory compliance violations under GDPR due to unauthorized disclosure of personal data. The vulnerability’s impact on availability and confidentiality makes it a critical concern for European enterprises relying on NixOS-based Odoo deployments.

European organizations should immediately verify if their Odoo deployments on NixOS are running affected versions (>=21.11 and <25.11). The primary mitigation is to upgrade to patched versions 25.11 or 26.05 where the issue is resolved. Until upgrades can be performed, organizations should restrict network access to the Odoo database manager interface by implementing firewall rules or network segmentation to prevent external access. Additionally, deploying reverse proxies with authentication or VPN access can help protect the interface. Monitoring HTTP access logs for requests to /web/database can help detect attempted exploitation. Organizations should also consider disabling the database manager interface in production environments or configuring Odoo to run in a mode that does not expose this interface externally. Finally, regular backups of Odoo databases should be maintained to enable recovery in case of data deletion.