NixOs Odoo database and filestore publicly accessible with default odoo configuration
Platform: other
Component: nixpkgs
Fixed version: 21.11.1
CVE-2026-25137 is a critical vulnerability affecting the NixOs Odoo package, an open-source ERP and CRM system. This vulnerability allows unauthorized actors to access and manipulate the entire Odoo database, including sensitive file storage, due to an exposed database manager. Versions 21.11 through 25.11 (excluding 25.11) are affected. A fix is available in version 25.11.
Impact and attack scenarios
The impact of CVE-2026-25137 is severe. An attacker can exploit this vulnerability to gain complete control over the Odoo database, including all stored data. This includes customer information, financial records, inventory data, and potentially sensitive documents stored within the Odoo file store. The ability to delete the database represents a catastrophic data loss scenario. Successful exploitation could lead to significant financial losses, reputational damage, and regulatory penalties. The exposed database manager lacks any authentication, making it trivially accessible to anyone with network access to the NixOs Odoo instance.
Exploitation context
CVE-2026-25137 was publicly disclosed on February 2, 2026. The vulnerability's simplicity and the potential for significant data compromise suggest a high probability of exploitation. No public proof-of-concept (PoC) code has been released as of this writing, but the ease of exploitation makes it a likely target for opportunistic attackers. The vulnerability is not currently listed on the CISA KEV catalog.
Who is at risk
Organizations using NixOs-based Odoo deployments, particularly those with publicly accessible instances or those lacking robust network segmentation, are at significant risk. Shared hosting environments where multiple Odoo instances share the same server infrastructure are also particularly vulnerable.
Detection steps
• linux / server: journalctl -u odoo -g '/web/database'
• generic web: curl -I <odooinstance>/web/database
• generic web: Grep access logs for requests to /web/database.
Attack timeline
- Disclosure
Threat intelligence
Exploitation status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS vector
What do these metrics mean?
- Attack Vector
- Network: exploitable remotely over the Internet, with no physical or local access required. Largest attack surface.
- Attack Complexity
- Low: no special conditions are needed; the vulnerability can be exploited reliably.
- Privileges Required
- None: no authentication is required; exploitation needs no credentials.
- User Interaction
- None: the attack is automatic and silent; the victim does not need to do anything.
- Scope
- Unchanged: the impact is confined to the vulnerable component itself.
- Confidentiality
- High: total loss of confidentiality; the attacker can read all data.
- Integrity
- None: no integrity impact.
- Availability
- High: complete outage or resource exhaustion; total denial of service.
Affected software
Weakness classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigations and workarounds
The primary mitigation for CVE-2026-25137 is to immediately upgrade to Odoo version 25.11 or later. If upgrading is not immediately feasible, consider implementing a temporary workaround by restricting network access to the database manager. This can be achieved through firewall rules or network segmentation to limit access to trusted IP addresses only. Monitor Odoo access logs for suspicious activity, specifically requests to the /web/database endpoint. Implement a Web Application Firewall (WAF) with rules to block unauthorized access to the database manager. After upgrading, confirm the vulnerability is resolved by attempting to access the database manager from an untrusted network and verifying that access is denied.
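The two defensive tasks above, monitoring access logs for requests to the database manager and checking that a probe of the manager is refused after mitigation, can be scripted. The following is an added example and not code from the advisory or from the nixpkgs/Odoo projects. It parses Combined Log Format lines as nginx or Apache write them, flags every request under /web/database from an IP outside an allow-list, and separates read-only hits on the manager page from the action endpoints that change or export data. The action names (drop, backup, restore, duplicate, change_password) are the ones the Odoo web controller exposes under /web/database; treat that list as this example's assumption and extend it from the routes of the version you run. The sample log lines are constructed for the example.

```python
"""Added example (not from the advisory): detect hits on the Odoo database
manager in web-server access logs and interpret a post-mitigation probe."""
import re
from collections import Counter

# Combined Log Format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

MANAGER_PREFIX = "/web/database"
# Endpoints that export, replace or delete a database. Assumption of this
# example: taken from the Odoo web controller's database routes; verify
# against your own Odoo version.
HIGH_RISK_ACTIONS = {"drop", "backup", "restore", "duplicate", "change_password"}

# Constructed sample log; 10.0.0.5 plays the role of an administrator's host.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Feb/2026:10:15:01 +0000] "GET /web/database/manager HTTP/1.1" 200 5123',
    '203.0.113.7 - - [02/Feb/2026:10:15:09 +0000] "POST /web/database/backup HTTP/1.1" 200 8812341',
    '10.0.0.5 - - [02/Feb/2026:10:16:00 +0000] "GET /web/database/manager HTTP/1.1" 200 5123',
    '198.51.100.2 - - [02/Feb/2026:10:17:00 +0000] "GET /web/login HTTP/1.1" 200 3210',
    '198.51.100.2 - - [02/Feb/2026:10:17:30 +0000] "POST /web/database/drop HTTP/1.1" 403 0',
]


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(path):
    """'manager-action' for data-changing endpoints, 'manager-read' for any
    other path under /web/database, None for everything else."""
    path = path.split("?", 1)[0]  # ignore the query string
    if path != MANAGER_PREFIX and not path.startswith(MANAGER_PREFIX + "/"):
        return None  # e.g. /web/databases is a different path
    action = path[len(MANAGER_PREFIX):].strip("/").split("/")[0]
    return "manager-action" if action in HIGH_RISK_ACTIONS else "manager-read"


def scan(lines, trusted_ips=frozenset()):
    """All manager hits from hosts not on the allow-list, with their kind."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec["path"])
        if kind is None or rec["ip"] in trusted_ips:
            continue
        rec["kind"] = kind
        findings.append(rec)
    return findings


def successful_actions(findings):
    """Action endpoints the server answered with 2xx: triage these first,
    since a 2xx on backup or drop means the request was actually served."""
    return [f for f in findings
            if f["kind"] == "manager-action" and 200 <= f["status"] < 300]


def probe_verdict(status):
    """Interpret the status of `curl -I <instance>/web/database/manager` run
    from an untrusted network after mitigation. Assumption of this example:
    200 means the manager page is still served; 401/403 means the proxy or
    WAF refused it; anything else (redirect, 404) needs a manual look."""
    if status == 200:
        return "exposed"
    if status in (401, 403):
        return "blocked"
    return "inconclusive"


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG, trusted_ips={"10.0.0.5"})
    for f in hits:
        print(f'{f["ts"]} {f["ip"]} {f["method"]} {f["path"]} -> {f["status"]} [{f["kind"]}]')
    print("per-source counts:", Counter((f["ip"], f["kind"]) for f in hits))
    print("served actions:", [f["path"] for f in successful_actions(hits)])
```

Run it over a real log with `scan(open(path), trusted_ips={...})`; the allow-list keeps known administrator hosts out of the findings so that what remains is exactly the untrusted traffic the advisory tells you to look for. A 2xx on a backup or drop request from an untrusted source is the signal that data may already have been copied or destroyed, not merely probed.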
Remediation
Update the nixpkgs package to version 25.11 or later. This fixes the vulnerability that publicly exposes the Odoo database and filestore. Make sure to restart Odoo after the update so the changes take effect.
Frequently asked questions
What is CVE-2026-25137 — Database Exposure in NixOs Odoo?
CVE-2026-25137 is a critical vulnerability in NixOs Odoo versions from 21.11 up to, but not including, 25.11 that allows unauthorized access to the database manager, enabling data deletion and download.
Am I affected by CVE-2026-25137 in NixOs Odoo?
You are affected if you are running NixOs Odoo versions 21.11 through 25.10 (excluding 25.11).
How do I fix CVE-2026-25137 in NixOs Odoo?
Upgrade to Odoo version 25.11 or later. As a temporary workaround, restrict network access to the database manager.
Is CVE-2026-25137 being actively exploited?
While no public exploits are currently known, the vulnerability's simplicity suggests a high probability of exploitation.
Where can I find the official NixOs advisory for CVE-2026-25137?
Refer to the NixOs security announcements for the latest information: https://security.nixos.org/