NixOS Odoo Database Manager Authentication Bypass Vulnerability Allowing Unauthorized Database Access

Vulnerability

A vulnerability in the NixOS Odoo package, affecting versions 21.11 prior to 25.11 and 26.05, allows unauthorized access to the Odoo database manager. The manager is reachable without authentication, so an attacker can delete or download the entire database, including Odoo's file store. The cause is that Odoo cannot modify its own configuration file on NixOS, so a master password set manually through the web interface is lost as soon as the service restarts. As a result, the database manager, which is intended for development use, remains publicly accessible without protection. Exposure can be confirmed by checking the access logs for requests to '/web/database'.

Impact

Exploitation of this vulnerability allows for unauthorized deletion and downloading of the entire Odoo database, including files stored within Odoo's file store.

Remediation

The database manager can be disabled by setting 'services.odoo.settings.options.list_db = false'. If an immediate update is not possible, requests to '/web/database' can be blocked as a temporary measure. Setting a master password via the web interface is not a fix, because it is lost when Odoo is restarted. Odoo's production documentation also recommends disabling the database manager on any internet-facing system.
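The log check described above can be scripted. The following Python is an added example, not part of this advisory or of the Odoo or NixOS projects; its function names are assumed, and the sample log lines are constructed, not real traffic. It parses nginx combined or Odoo werkzeug-style access-log lines, keeps the requests that hit '/web/database', and reports per client whether the manager actually answered with a 2xx, which is what separates a live exposure from one that is already blocked.

```python
"""Scan web-server / Odoo access logs for requests to the database manager."""
import re
from collections import defaultdict

# Matches nginx "combined" lines and Odoo's own werkzeug request lines alike;
# only the client IP, timestamp, request line and status are extracted.
LOG_RE = re.compile(
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
MANAGER_PREFIX = "/web/database"  # the endpoint named in the advisory

def is_manager_path(path):
    """True if the request targets the database manager (query string ignored)."""
    path = path.split("?", 1)[0]
    return path == MANAGER_PREFIX or path.startswith(MANAGER_PREFIX + "/")

def find_manager_requests(lines):
    """One dict per log line that hit /web/database; unparsable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and is_manager_path(m.group("path")):
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "method": m.group("method"), "status": int(m.group("status")),
                         "path": m.group("path").split("?", 1)[0]})
    return hits

def summarize_by_ip(hits):
    """Per client IP: request count and whether any request was answered 2xx.
    A 2xx on these paths means the manager really served the page: the exposure is live."""
    summary = defaultdict(lambda: {"requests": 0, "served": False})
    for h in hits:
        summary[h["ip"]]["requests"] += 1
        if 200 <= h["status"] < 300:
            summary[h["ip"]]["served"] = True
    return dict(summary)

# Constructed sample lines (nginx combined format plus one werkzeug-style line); not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Feb/2026:00:04:00 +0000] "GET /web/database/manager HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Feb/2026:00:04:07 +0000] "POST /web/database/backup HTTP/1.1" 200 9812345 "-" "curl/8.0"',
    '198.51.100.20 - - [03/Feb/2026:00:11:00 +0000] "GET /web/database/selector?db=prod HTTP/1.1" 403 153 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [03/Feb/2026 00:12:00] "GET /web/databases HTTP/1.1" 404 -',
    'malformed line that should be ignored',
]
```

Run `summarize_by_ip(find_manager_requests(lines))` over the real log; any client with `served=True` confirms the manager was reachable at that time.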

Added: Feb 3, 2026, 12:04 AM
Updated: Feb 3, 2026, 12:04 AM

Vulnerability Rating

Custom Algorithm (score per category, 0-10):
spread: 5.0
impact: 5.0
exploitability: 7.7
remediation: 8.3
relevance: 2.6
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.