CVE-2026-25137 is a critical vulnerability in Odoo deployments running on NixOS, rated CVSS 9.1, which leaves the database manager, and thereby an organisation’s data, exposed to the public Internet. The flaw arises from a conflict between Odoo’s security model and NixOS’s immutability: Odoo cannot persist the auto-generated master password, so it reverts to an insecure state on every restart, and if no master password is set, the next visiting user is prompted to create one.
According to the security advisory: “However, due to the nature of NixOS, Odoo is not able to modify its own configuration file and thus unable to persist the auto-generated password… This means, the password is lost when restarting Odoo.” Attackers can gain full administrative control by simply visiting the database manager interface, enabling total data exfiltration and potential destruction of production databases.
Patches have been released for NixOS unstable/26.05 (Patch #485310) and NixOS 25.05 (Patch #485454); until applied, administrators are advised to block all traffic to /web/database at the firewall level, and to disable the database manager feature in the NixOS configuration with the line: services.odoo.settings.options.list_db = false;.
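The two interim mitigations above, written out as a NixOS configuration fragment. This is an added example, not taken from the advisory or from nixpkgs; it assumes Odoo listens on 127.0.0.1:8069 behind an nginx reverse proxy on the host odoo.example.com (both hypothetical), and uses an nginx location rule for the path-based block, since a plain packet filter cannot match on /web/database.

```nix
{ config, ... }:

{
  services.odoo = {
    enable = true;
    settings.options = {
      # Mitigation from the advisory: disable the database manager entirely.
      list_db = false;
      # Odoo is served through a reverse proxy (assumed deployment detail).
      proxy_mode = true;
    };
  };

  services.nginx = {
    enable = true;
    # Hostname and upstream port are assumptions for this example.
    virtualHosts."odoo.example.com" = {
      forceSSL = true;
      enableACME = true;
      locations = {
        # Second mitigation: refuse every request to the database manager
        # before it reaches Odoo, whether or not list_db has been applied.
        "/web/database" = {
          extraConfig = "deny all;";
        };
        "/" = {
          proxyPass = "http://127.0.0.1:8069";
        };
      };
    };
  };
}
```

After `nixos-rebuild switch`, a request to https://odoo.example.com/web/database/manager should return 403 from nginx rather than the Odoo manager page.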