Nixpkgs Security Tracker


Suggestion detail

Untriaged
created 7 hours ago
NixOS Odoo database and filestore publicly accessible with default Odoo configuration

The NixOS Odoo package provides Odoo, an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS-based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the entire database, including Odoo's file store. Unauthorized access is evident from HTTP requests: if access logs and/or Odoo's log were kept, searching them for requests to /web/database can give indicators of whether this has been actively exploited. The database manager is a feature intended for development and is not meant to be publicly reachable. On other setups, a master password acts as a second line of defence. However, due to the nature of NixOS, Odoo is not able to modify its own configuration file and is thus unable to persist the auto-generated password. This also applies when a master password is set manually in the web UI, so the password is lost when Odoo restarts. When no password is set, the user is prompted to set one directly via the database manager; this requires no authentication or action by any authorized user or the system administrator. Thus, the database is effectively world-readable by anyone able to reach Odoo. This vulnerability is fixed in 25.11 and 26.05.
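The advisory's detection advice is to search kept access logs for requests to /web/database. The following script is an added example, not part of the tracker entry or of the Odoo or nixpkgs projects: it parses reverse-proxy access-log lines (the "combined" nginx/Apache format is an assumption), keeps only requests under the /web/database prefix named in the advisory, and summarizes them per source address and path, separately listing non-GET requests that succeeded, since those are the ones that could have changed or exported state. The log lines embedded in SAMPLE_LOG are constructed for the example; the sub-paths they contain are sample data, not a list of endpoints taken from the advisory.

```python
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed "combined" access-log layout (client, ident, user, [time], "request", status, bytes).
# This is an assumption about the proxy in front of Odoo, not something the advisory states.
_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Prefix named in the advisory as the indicator to search for.
DB_MANAGER_PREFIX = "/web/database"

# Constructed sample log (not real traffic). Documentation-range addresses only.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2026:10:01:02 +0000] "GET /web/login HTTP/1.1" 200 5123
203.0.113.7 - - [12/Mar/2026:10:01:09 +0000] "GET /web/database/manager HTTP/1.1" 200 8842
203.0.113.7 - - [12/Mar/2026:10:01:31 +0000] "POST /web/database/backup HTTP/1.1" 200 10485760
198.51.100.22 - - [12/Mar/2026:10:05:00 +0000] "GET /web/database/selector?foo=1 HTTP/1.1" 200 3100
198.51.100.22 - - [12/Mar/2026:10:05:10 +0000] "POST /web/database/drop HTTP/1.1" 403 120
192.0.2.5 - - [12/Mar/2026:10:07:00 +0000] "GET /web/databases-not-this HTTP/1.1" 404 0
192.0.2.5 - - [12/Mar/2026:10:08:00 +0000] "GET /web/webclient/version_info HTTP/1.1" 200 80
"""


@dataclass(frozen=True)
class Hit:
    ip: str
    ts: str
    method: str
    path: str
    status: int


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match the layout."""
    m = _LINE.match(line)
    if not m:
        return None
    # Drop the query string so "/web/database/selector?x=1" compares as its path only.
    path = urlsplit(m.group("target")).path
    return Hit(m.group("ip"), m.group("ts"), m.group("method"), path, int(m.group("status")))


def is_db_manager_path(path):
    """True for the prefix itself or anything below it; "/web/databases..." is not a match."""
    return path == DB_MANAGER_PREFIX or path.startswith(DB_MANAGER_PREFIX + "/")


def find_db_manager_hits(lines):
    """Return every parsed request whose path falls under the database-manager prefix."""
    hits = []
    for line in lines:
        h = parse_line(line)
        if h is not None and is_db_manager_path(h.path):
            hits.append(h)
    return hits


def summarize(hits):
    """Aggregate hits by client and path; list successful non-GET requests separately."""
    return {
        "by_ip": Counter(h.ip for h in hits),
        "by_path": Counter(h.path for h in hits),
        # A successful POST against the manager is the strongest sign of an actual action.
        "state_changing": [h for h in hits if h.method not in ("GET", "HEAD") and h.status < 400],
    }


if __name__ == "__main__":
    found = find_db_manager_hits(SAMPLE_LOG.splitlines())
    report = summarize(found)
    print(f"{len(found)} request(s) under {DB_MANAGER_PREFIX}")
    for ip, n in report["by_ip"].most_common():
        print(f"  {ip}: {n}")
    for h in report["state_changing"]:
        print(f"  successful {h.method} {h.path} from {h.ip} at {h.ts}")
```

Run it against a real log with `find_db_manager_hits(open("access.log"))`; any hit at all is worth attention on an affected NixOS deployment, because the advisory says the manager should not be reachable from outside in the first place. The `is_db_manager_path` check deliberately requires a path separator after the prefix so that unrelated routes sharing the same leading characters do not produce false positives.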

Affected products

nixpkgs
  • >= 21.11, < 25.11

Matching in nixpkgs

pkgs.manual

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixpkgs-25.11-darwin
  • nixos-25.05 -
    • nixos-25.05-small

pkgs.metrics

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixpkgs-25.11-darwin
  • nixos-25.05 -
    • nixos-25.05-small

pkgs.lib-tests

None

  • nixos-unstable -
  • nixos-25.11 -
    • nixpkgs-25.11-darwin
  • nixos-25.05 -
    • nixos-25.05-small

pkgs.nixpkgs-vet

Tool to vet (check) Nixpkgs, including its pkgs/by-name directory

pkgs.nixpkgs-lint

A utility for Nixpkgs contributors to check Nixpkgs for common errors

  • nixos-unstable 1
    • nixpkgs-unstable 1
    • nixos-unstable-small 1
  • nixos-25.11 1
    • nixpkgs-25.11-darwin 1
  • nixos-25.05 -
    • nixos-25.05-small 1

pkgs.nixpkgs-track

Track where Nixpkgs pull requests have reached

pkgs.nixpkgs-manual

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixpkgs-25.11-darwin
  • nixos-25.05 -
    • nixos-25.05-small

pkgs.nixpkgs-review

Review pull-requests on https://github.com/NixOS/nixpkgs

pkgs.release-checks

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixpkgs-25.11-darwin
  • nixos-25.05 -
    • nixos-25.05-small

pkgs.nixpkgs-pytools

Tools for removing the tedious nature of creating nixpkgs derivations

pkgs.tests.lib-tests

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

pkgs.nixpkgs-reviewFull

Review pull-requests on https://github.com/NixOS/nixpkgs

pkgs.nixpkgs-lint-community

Fast semantic linter for Nix using tree-sitter

pkgs.tests.pkgs-lib.formats

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

pkgs.nixpkgs-openjdk-updater

Updater for Nixpkgs OpenJDK packages

pkgs.python312Packages.nixpkgs

Allows to `from nixpkgs import` stuff in interactive Python sessions

pkgs.python313Packages.nixpkgs

Allows to `from nixpkgs import` stuff in interactive Python sessions

pkgs.lixPackageSets.git.nixpkgs-review

Review pull-requests on https://github.com/NixOS/nixpkgs

pkgs.python312Packages.nixpkgs-pytools

Tools for removing the tedious nature of creating nixpkgs derivations

pkgs.python313Packages.nixpkgs-pytools

Tools for removing the tedious nature of creating nixpkgs derivations

pkgs.python314Packages.nixpkgs-pytools

Tools for removing the tedious nature of creating nixpkgs derivations

pkgs.tests.trivial-builders.references

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixpkgs-25.11-darwin
  • nixos-25.05 -
    • nixos-25.05-small

pkgs.lixPackageSets.latest.nixpkgs-review

Review pull-requests on https://github.com/NixOS/nixpkgs

  • nixos-25.05 -

pkgs.lixPackageSets.stable.nixpkgs-review

Review pull-requests on https://github.com/NixOS/nixpkgs

pkgs.lixPackageSets.git.nixpkgs-reviewFull

Review pull-requests on https://github.com/NixOS/nixpkgs

pkgs.lixPackageSets.lix_2_90.nixpkgs-review

Review pull-requests on https://github.com/NixOS/nixpkgs

pkgs.lixPackageSets.lix_2_92.nixpkgs-review

Review pull-requests on https://github.com/NixOS/nixpkgs

pkgs.lixPackageSets.lix_2_93.nixpkgs-review

Review pull-requests on https://github.com/NixOS/nixpkgs

pkgs.lixPackageSets.lix_2_94.nixpkgs-review

Review pull-requests on https://github.com/NixOS/nixpkgs

pkgs.python312Packages.nixpkgs-plugin-update

Library for updating plugin collections in Nixpkgs

pkgs.python313Packages.nixpkgs-plugin-update

Library for updating plugin collections in Nixpkgs

pkgs.python314Packages.nixpkgs-plugin-update

Library for updating plugin collections in Nixpkgs

pkgs.lixPackageSets.stable.nixpkgs-reviewFull

Review pull-requests on https://github.com/NixOS/nixpkgs

pkgs.lixPackageSets.lix_2_94.nixpkgs-reviewFull

Review pull-requests on https://github.com/NixOS/nixpkgs

pkgs.python312Packages.nixpkgs-updaters-library

Boilerplate-less updater library for Nixpkgs ecosystems

  • nixos-25.05 -

pkgs.python313Packages.nixpkgs-updaters-library

Boilerplate-less updater library for Nixpkgs ecosystems

pkgs.python314Packages.nixpkgs-updaters-library

Boilerplate-less updater library for Nixpkgs ecosystems