Summary
Every NixOS-based Odoo setup publicly exposes Odoo's database manager without any authentication. This allows unauthenticated actors to delete and download entire databases, including Odoo's file store.
Am I affected?
Every NixOS configuration that enables services.odoo with the default settings is affected.
What do I need to do?
Make sure the database manager is disabled by following the remediation steps in the GitHub Security Advisory. The advisory also describes how to spot active exploitation.
Starting with the following pull requests, the database manager is disabled by default:
- Unstable: nixos/odoo: disable the database manager by default (NixOS/nixpkgs PR #485310, by LeSuisse)
- 25.11: [Backport release-25.11] nixos/odoo: disable the database manager by default (NixOS/nixpkgs PR #485454, by nixpkgs-ci[bot])
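As an added example (not taken from the advisory or from the nixpkgs module itself), the following NixOS configuration states the fix explicitly so it holds on hosts built from a nixpkgs revision that predates the pull requests above. It assumes that services.odoo.settings is rendered into odoo.conf as INI sections, so settings.options.list_db ends up as a list_db entry under [options], and that Odoo's list_db option is what turns the database manager off.

```nix
# Added example, not code from the advisory or from nixpkgs.
# Assumptions: services.odoo.settings is written to odoo.conf as INI sections
# (settings.options.<key> becomes "<key> = ..." under [options]), and Odoo's
# list_db key controls whether /web/database/manager is served.
{ config, lib, pkgs, ... }:

{
  # Affected configuration on channels before the linked pull requests:
  # nothing is written for list_db, so Odoo falls back to its own default
  # (True) and the database manager is reachable without authentication.
  #
  #   services.odoo.enable = true;

  # Hardened configuration: set list_db explicitly so the result does not
  # depend on which nixpkgs revision the host is built from.
  services.odoo = {
    enable = true;
    settings.options = {
      list_db = false;
    };
  };
}
```

After `nixos-rebuild switch`, a request to `/web/database/manager` on the Odoo host should no longer serve the manager page; if it still does, check the generated odoo.conf for the list_db entry before assuming the option took effect.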
Acknowledgement
We would like to thank @e1mo from Cyberus Technology for responsibly disclosing this issue, providing detailed analysis, and proposing a fix.