Platform: other
Component: nixpkgs
Fixed version: 21.11.1
CVE-2026-25137 is a critical vulnerability affecting the NixOS Odoo package, an open-source ERP and CRM system. Because the database manager is exposed, unauthorized actors can read and manipulate the entire Odoo database, including the sensitive file store. Versions 21.11 up to, but not including, 25.11 are affected. A fix is available in version 25.11.
The impact of CVE-2026-25137 is severe. An attacker can exploit this vulnerability to gain complete control over the Odoo database and all stored data: customer information, financial records, inventory data, and potentially sensitive documents stored in the Odoo file store. The ability to delete the database is a catastrophic data-loss scenario. Successful exploitation could lead to significant financial losses, reputational damage, and regulatory penalties. The exposed database manager has no authentication at all, so it is trivially accessible to anyone with network access to the NixOS Odoo instance.
CVE-2026-25137 was publicly disclosed on February 2, 2026. The vulnerability's simplicity and the potential for significant data compromise suggest a high probability of exploitation. No public proof-of-concept (PoC) code has been released as of this writing, but the ease of exploitation makes it a likely target for opportunistic attackers. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations using NixOS-based Odoo deployments, particularly those with publicly accessible instances or those lacking robust network segmentation, are at significant risk. Shared hosting environments where multiple Odoo instances share the same server infrastructure are also particularly vulnerable.
• linux / server:
  journalctl -u odoo -g '/web/database'
• generic web:
  curl -I <odooinstance>/web/database
• generic web:
  Grep access logs for requests to /web/database.
disclosure
Exploitation status
EPSS: 0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-25137 is to immediately upgrade to Odoo version 25.11 or later. If upgrading is not immediately feasible, consider implementing a temporary workaround by restricting network access to the database manager. This can be achieved through firewall rules or network segmentation to limit access to trusted IP addresses only. Monitor Odoo access logs for suspicious activity, specifically requests to the /web/database endpoint. Implement a Web Application Firewall (WAF) with rules to block unauthorized access to the database manager. After upgrading, confirm the vulnerability is resolved by attempting to access the database manager from an untrusted network and verifying that access is denied.
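As an added example (not code from the advisory or from nixpkgs), the access-log monitoring step above in Python: it parses combined-format web server log lines, keeps every request to /web/database, and flags those coming from outside an assumed trusted-network allowlist. The log lines and the trusted networks are constructed sample values.

```python
import ipaddress
import re
from dataclasses import dataclass

# Combined log format (nginx/Apache style): client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed administrative networks allowed to reach the database manager; adjust to your site.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    trusted: bool


def is_trusted(ip: str, nets=TRUSTED_NETS) -> bool:
    """True when the client address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # malformed address field: treat as untrusted
        return False
    return any(addr in net for net in nets)


def find_database_manager_hits(lines, nets=TRUSTED_NETS):
    """Return every request whose path starts with /web/database, marking untrusted sources."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path = m.group("path").split("?", 1)[0]  # drop any query string before matching
        if not path.startswith("/web/database"):
            continue
        hits.append(Hit(m.group("ip"), m.group("ts"), m.group("method"), path,
                        int(m.group("status")), is_trusted(m.group("ip"), nets)))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Feb/2026:10:01:02 +0000] "GET /web/database/manager HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '10.0.5.21 - - [02/Feb/2026:10:02:10 +0000] "GET /web/database/manager HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [02/Feb/2026:10:03:00 +0000] "GET /web/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Feb/2026:10:04:45 +0000] "POST /web/database/backup HTTP/1.1" 200 98304 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for hit in find_database_manager_hits(SAMPLE_LOG):
        print(f"{'OK' if hit.trusted else 'UNTRUSTED':9} {hit.ts} {hit.ip} {hit.method} {hit.path} -> {hit.status}")
```

Any UNTRUSTED line is a request to the unauthenticated manager from outside the allowlist and warrants investigation; after the upgrade, the same hits should return a denied status rather than 200.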
Update the nixpkgs package to version 25.11 or later. This fixes the vulnerability that exposes the Odoo database and filestore publicly. Make sure to restart Odoo after the update so that the change takes effect.
CVE-2026-25137 is a critical vulnerability in NixOS Odoo versions 21.11 to <25.11 that allows unauthorized access to the database manager, enabling data deletion and download.
You are affected if you are running NixOS Odoo versions 21.11 through 25.10 (any version before the 25.11 fix).
Upgrade to Odoo version 25.11 or later. As a temporary workaround, restrict network access to the database manager.
While no public exploits are currently known, the vulnerability's simplicity suggests a high probability of exploitation.
Refer to the NixOS security announcements for the latest information: https://security.nixos.org/