CVE-2026-25137— Nixpkgs 安全漏洞

NixOs Odoo database and filestore publicly accessible with default odoo configuration

The NixOs Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the entire database, including Odoos file store. Unauthorized access is evident from http requests. If kept, searching access logs and/or Odoos log for requests to /web/database can give indicators, if this has been actively exploited. The database manager is a featured intended for development and not meant to be publicly reachable. On other setups, a master password acts as 2nd line of defence. However, due to the nature of NixOS, Odoo is not able to modify its own configuration file and thus unable to persist the auto-generated password. This also applies when manually setting a master password in the web-UI. This means, the password is lost when restarting Odoo. When no password is set, the user is prompted to set one directly via the database manager. This requires no authentication or action by any authorized user or the system administrator. Thus, the database is effectively world readable by anyone able to reach Odoo. This vulnerability is fixed in 25.11 and 26.05.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

对外部实体的文件或目录可访问

Nixpkgs 安全漏洞

Nixpkgs是NixOS开源的一个 100000 多个软件包的集合。可以使用 Nix 包管理器安装。 Nixpkgs 21.11至25.11之前版本和26.05之前版本存在安全漏洞，该漏洞源于数据库管理器公开暴露且无身份验证，可能导致未经授权的数据库访问。

N/A

N/A