Nixpkgs security tracker

Login with GitHub

Suggestions search

Dismissed
Filter by:
With package: nixpkgs-review

Found 1 matching suggestions

View:
Compact
Detailed
Permalink CVE-2026-25137
9.1 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 3 months, 2 weeks ago by @Scrumplex Activity log
  • Created suggestion 3 months, 3 weeks ago
  • @Scrumplex dismissed 3 months, 2 weeks ago
NixOs Odoo database and filestore publicly accessible with default odoo configuration

The NixOs Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the entire database, including Odoos file store. Unauthorized access is evident from http requests. If kept, searching access logs and/or Odoos log for requests to /web/database can give indicators, if this has been actively exploited. The database manager is a featured intended for development and not meant to be publicly reachable. On other setups, a master password acts as 2nd line of defence. However, due to the nature of NixOS, Odoo is not able to modify its own configuration file and thus unable to persist the auto-generated password. This also applies when manually setting a master password in the web-UI. This means, the password is lost when restarting Odoo. When no password is set, the user is prompted to set one directly via the database manager. This requires no authentication or action by any authorized user or the system administrator. Thus, the database is effectively world readable by anyone able to reach Odoo. This vulnerability is fixed in 25.11 and 26.05.

Affected products

nixpkgs
  • ==>= 21.11, < 25.11

Matching in nixpkgs

pkgs.manual

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.metrics

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.lib-tests

None

  • nixos-unstable -
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.nixpkgs-fmt

Nix code formatter for nixpkgs

  • nixos-unstable 1.3.0
    • nixpkgs-unstable 1.3.0
    • nixos-unstable-small 1.3.0
  • nixos-25.11 -
    • nixos-25.11-small 1.3.0
    • nixpkgs-25.11-darwin 1.3.0

pkgs.nixpkgs-vet

Tool to vet (check) Nixpkgs, including its pkgs/by-name directory

  • nixos-unstable 0.1.4
    • nixpkgs-unstable 0.1.4
    • nixos-unstable-small 0.1.4
  • nixos-25.11 -
    • nixos-25.11-small 0.1.4
    • nixpkgs-25.11-darwin 0.1.4

pkgs.nixpkgs-lint

A utility for Nixpkgs contributors to check Nixpkgs for common errors

  • nixos-unstable 1
    • nixpkgs-unstable 1
    • nixos-unstable-small 1
  • nixos-25.11 -
    • nixos-25.11-small 1
    • nixpkgs-25.11-darwin 1

pkgs.nixpkgs-track

Track where Nixpkgs pull requests have reached

  • nixos-unstable 0.3.0
    • nixpkgs-unstable 0.5.0
    • nixos-unstable-small 0.5.0
  • nixos-25.11 -
    • nixos-25.11-small 0.3.0
    • nixpkgs-25.11-darwin 0.3.0

pkgs.nixpkgs-manual

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.nixpkgs-review

Review pull-requests on https://github.com/NixOS/nixpkgs

  • nixos-unstable 3.5.1
    • nixpkgs-unstable 3.6.0
    • nixos-unstable-small 3.6.0
  • nixos-25.11 -
    • nixos-25.11-small 3.5.1
    • nixpkgs-25.11-darwin 3.5.1

pkgs.release-checks

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.nixpkgs-pytools

Tools for removing the tedious nature of creating nixpkgs derivations

  • nixos-unstable 1.3.0
    • nixpkgs-unstable 1.3.0
    • nixos-unstable-small 1.3.0
  • nixos-25.11 -
    • nixos-25.11-small 1.3.0
    • nixpkgs-25.11-darwin 1.3.0

pkgs.tests.lib-tests

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small

pkgs.nixpkgs-reviewFull

Review pull-requests on https://github.com/NixOS/nixpkgs

  • nixos-unstable 3.5.1
    • nixpkgs-unstable 3.6.0
    • nixos-unstable-small 3.6.0
  • nixos-25.11 -
    • nixos-25.11-small 3.5.1
    • nixpkgs-25.11-darwin 3.5.1 
This CVE was filed in Nixpkgs.