The Real Odoo Threat Landscape in 2026
Most Odoo breach post-mortems we review share a common thread: the attacker did not exploit a zero-day in the Odoo core. They walked through a door the operator left open — a default master password, an exposed PostgreSQL port, an admin account with a six-character password, a backup bucket with public read. Odoo itself is reasonably well-audited; the operational environment around it is usually not. Before you harden anything, you need to know what you are defending against.
Credential stuffing is the single most common attack we see in production logs. Attackers take password dumps from unrelated breaches and replay them against /web/login at low rates — ten attempts per minute per IP, rotating through thousands of proxies. Odoo 19's native rate limiting is minimal. Without an edge WAF or fail2ban, a patient attacker will eventually find an employee who reused a password.
SQL injection is rare in core Odoo because the ORM parameterizes queries. It becomes a serious risk in custom modules that bypass the ORM — any developer using self.env.cr.execute() with f-string interpolation creates an injection point. We have seen this pattern in third-party modules from the OCA and from boutique shops. Always audit custom code for raw cursor usage.
XSS in custom QWeb templates follows a similar pattern. Odoo's QWeb engine auto-escapes by default, but developers reach for t-raw when they want to render HTML from a field. If that field is user-editable — a product description, a website snippet, a contact note — an attacker with contributor access can plant a script tag that fires in an admin's browser. Session cookie theft follows within minutes.
Session hijacking matters most on multi-tenant infrastructure and on public Wi-Fi. Odoo session cookies are not bound to IP or fingerprint; if an attacker obtains a valid session_id, they become the user. TLS prevents sniffing in transit, but cookies stolen via XSS, malware, or logged-in laptops left in cafes are equally effective.
Denial-of-service against Odoo usually targets the most expensive endpoints: report generation, CSV exports, the website's search endpoint, and the /web/database/manager page. A single attacker with a residential proxy pool can tip an undersized instance into worker starvation in under five minutes. Worker process limits and an edge rate limiter are non-negotiable.
Ransomware via backups is the 2026 growth area. Attackers gain a foothold on the app server, enumerate the filestore and cron-based backup scripts, then encrypt both the live database and the backup directory before ransom. If your backups sit on the same host as the database — or on a mounted NFS share the app server can write to — you have no backup, you have a second copy of the ransomware.
Finally, insider threat. The offboarded developer who kept an SSH key, the finance manager downloading the full customer list the week before they resign, the consultant with base.group_system long after the project ended. Access reviews catch this; logs prove it after the fact. Most Odoo deployments have neither.
Infrastructure Hardening: Network, Host, and Edge
Security starts below the application. If your Odoo host is reachable on every port, nothing you configure inside Odoo will save you. We deploy every production Odoo instance into a private VPC with three tiers — public edge (reverse proxy), application tier (Odoo workers), and data tier (PostgreSQL) — each in its own subnet, each with its own security group. Only the reverse proxy is reachable from the internet. The app server accepts connections only from the reverse proxy. The database accepts connections only from the app server.
UFW Firewall Rules (Host Level)
Even with VPC-level security groups, we enforce a host firewall. Defense in depth. The rules below allow HTTPS from the world, plus SSH only from a bastion host. Everything else is dropped.
# Reset and set defaults
ufw --force reset
ufw default deny incoming
ufw default allow outgoing
# SSH from bastion only (replace with your bastion's private IP)
ufw allow from 10.0.1.10 to any port 2222 proto tcp comment 'SSH from bastion'
# HTTP/HTTPS from the reverse proxy subnet only
ufw allow from 10.0.2.0/24 to any port 8069 proto tcp comment 'Odoo HTTP'
ufw allow from 10.0.2.0/24 to any port 8072 proto tcp comment 'Odoo longpolling'
# Enable and verify
ufw --force enable
ufw status numberedSSH Hardening
Password-based SSH on port 22 is still the most scanned attack surface on the internet. Three changes close 99% of the noise: move off port 22, disable password authentication, and install fail2ban. We also disable root login and restrict SSH to a named admin group.
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
AllowGroups ssh-admins
MaxAuthTries 3
LoginGraceTime 30
ClientAliveInterval 300
ClientAliveCountMax 2
X11Forwarding no
AllowTcpForwarding no
PermitTunnel no
Protocol 2[sshd]
enabled = true
port = 2222
maxretry = 3
findtime = 600
bantime = 3600
[odoo-auth]
enabled = true
port = https
filter = odoo-auth
logpath = /var/log/odoo/odoo-server.log
maxretry = 5
findtime = 600
bantime = 86400 The odoo-auth filter (in /etc/fail2ban/filter.d/odoo-auth.conf) matches lines like Login failed for db:... login:... from <HOST>. Five failed logins in ten minutes triggers a 24-hour ban. Pair this with Cloudflare or a cloud WAF for IP reputation blocking before traffic reaches your host.
Nginx Reverse Proxy with Rate Limiting and TLS 1.3
Nginx sits in front of every production Odoo instance we run. It terminates TLS, enforces rate limits, adds security headers, and shields Odoo workers from slow-loris attacks. Our base configuration is documented in depth in our Nginx Reverse Proxy for Odoo 19 guide; the security-critical excerpt is below.
# Rate limits: 10 req/s burst 20 on login, 30 req/s for everything else
limit_req_zone $binary_remote_addr zone=odoo_login:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=odoo_general:10m rate=30r/s;
limit_conn_zone $binary_remote_addr zone=odoo_conn:10m;
upstream odoo { server 10.0.3.10:8069; }
upstream odoochat { server 10.0.3.10:8072; }
server {
listen 443 ssl http2;
server_name erp.example.com;
# TLS 1.3 only, modern ciphers
ssl_certificate /etc/letsencrypt/live/erp.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/erp.example.com/privkey.pem;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_stapling on;
ssl_stapling_verify on;
# Security headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
# Per-IP connection cap
limit_conn odoo_conn 20;
# Block DB manager from the public internet
location ~ ^/(web/database/(manager|selector)) {
deny all;
return 404;
}
# Aggressive limit on login endpoint
location = /web/login {
limit_req zone=odoo_login burst=20 nodelay;
proxy_pass http://odoo;
include proxy_params;
}
# General traffic
location / {
limit_req zone=odoo_general burst=50 nodelay;
proxy_pass http://odoo;
include proxy_params;
}
# Longpolling / websocket
location /websocket {
proxy_pass http://odoochat;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
include proxy_params;
}
client_max_body_size 100M;
}
# Redirect HTTP to HTTPS
server {
listen 80;
server_name erp.example.com;
return 301 https://$host$request_uri;
}max-age=63072000; includeSubDomains; preload is a two-year commitment. Once you submit to the HSTS preload list, browsers will refuse HTTP connections to your domain and every subdomain. Start with a one-week max-age (max-age=604800), confirm every subdomain serves valid TLS, then escalate to two years and submit for preload.
Application Security: Passwords, MFA, Access Groups, and Sessions
With the network locked down, the next attack surface is the Odoo application itself. Four controls matter more than anything else: strong password policies, multi-factor authentication on every privileged account, least-privilege access groups, and aggressive session timeouts. Getting these four right eliminates most of the credential-based attack vectors in our threat model.
Password Policy (Odoo 19 Native)
Odoo 19 ships with a native password policy configurable in Settings > General Settings > Permissions > Password Policy. Set a minimum length of 12 characters. Longer is better, but 12 is the practical floor that balances usability and entropy. Combine this with a complexity rule (upper, lower, number, symbol) and a history check that prevents reuse of the last five passwords.
<odoo>
<data noupdate="0">
<record id="auth_password_policy.minlength" model="ir.config_parameter">
<field name="key">auth_password_policy.minlength</field>
<field name="value">12</field>
</record>
<record id="auth_password_policy.minclasses" model="ir.config_parameter">
<field name="key">auth_password_policy.minclasses</field>
<field name="value">3</field>
</record>
</data>
</odoo>MFA / 2FA via auth_totp
Odoo 19 includes auth_totp in the community edition. Install it, enforce it for every user in the base.group_system group, and strongly encourage it for everyone else. The auth_totp_mail module adds email as a fallback second factor for users who lose their authenticator. We disable email-only 2FA for admins — it is too easy to compromise via mailbox takeover — and require TOTP or hardware keys instead.
from odoo import models, api
from odoo.exceptions import ValidationError
class ResUsers(models.Model):
_inherit = 'res.users'
@api.constrains('groups_id', 'totp_secret')
def _check_admin_totp_required(self):
admin_group = self.env.ref('base.group_system')
for user in self:
if admin_group in user.groups_id and not user.totp_secret:
raise ValidationError(
f"User {user.login} is an administrator. "
"TOTP two-factor authentication is mandatory "
"before administrative privileges can be granted."
)Access Groups, Record Rules, and Least Privilege
Odoo's permission model has three layers: groups (coarse capabilities like "Accounting: Accountant"), access rights (per-model CRUD), and record rules (per-record filters via domain). The default distribution is too permissive for production. A fresh Odoo install gives any internal user read access to most HR, CRM, and accounting data. Least privilege means starting from zero and granting explicitly.
We document our full access-control playbook in Odoo 19 Access Control: Groups, Record Rules & Field-Level Security; the security-critical pattern is shown below. It restricts sales representatives to seeing only their own opportunities — even though they are in the Sales User group.
<record id="crm_lead_personal_rule" model="ir.rule">
<field name="name">CRM Lead: Own Records Only</field>
<field name="model_id" ref="crm.model_crm_lead"/>
<field name="domain_force">
[('user_id', '=', user.id)]
</field>
<field name="groups" eval="[(4, ref('sales_team.group_sale_salesman'))]"/>
<field name="perm_read" eval="True"/>
<field name="perm_write" eval="True"/>
<field name="perm_create" eval="True"/>
<field name="perm_unlink" eval="False"/>
</record>
<!-- Manager rule: team-wide visibility -->
<record id="crm_lead_manager_rule" model="ir.rule">
<field name="name">CRM Lead: Team Access</field>
<field name="model_id" ref="crm.model_crm_lead"/>
<field name="domain_force">
['|', ('team_id.user_id', '=', user.id),
('team_id.member_ids', 'in', [user.id])]
</field>
<field name="groups" eval="[(4, ref('sales_team.group_sale_manager'))]"/>
</record>| Role | Group | Scope | Enforce |
|---|---|---|---|
| Admin | base.group_system | Full (break-glass only) | MFA + audit log review |
| Sales Rep | sales_team.group_sale_salesman | Own leads + quotes | Record rule on user_id |
| Sales Manager | sales_team.group_sale_manager | Team leads + reports | Record rule on team_id |
| Accounting | account.group_account_user | Own journal entries | Journal security rule |
| HR | hr.group_hr_user | Department employees | Department record rule |
Session Timeout and Cookie Security
Odoo sessions default to 7 days. For an ERP with financial data, that is a liability. A stolen laptop, a shared browser in a coworking space, or an unattended kiosk becomes a week-long window into your business. We set production session lifetimes to 8 hours for regular users and 1 hour for administrators, with idle timeout at 30 minutes.
# odoo.conf
session_cookie_secure = True
session_cookie_samesite = Lax
session_cookie_httponly = True
# Keep workers rotating to reduce session sprawl
max_cron_threads = 2
limit_time_real = 120
limit_request = 8192from datetime import datetime, timedelta
from odoo import http
from odoo.http import request
class SessionSecurity(http.Controller):
@http.route('/web/session/check', type='json', auth='user')
def check_idle(self):
last = request.session.get('last_activity')
now = datetime.utcnow()
is_admin = request.env.user.has_group('base.group_system')
max_idle = timedelta(minutes=15 if is_admin else 30)
if last and now - datetime.fromisoformat(last) > max_idle:
request.session.logout(keep_db=True)
return {'expired': True}
request.session['last_activity'] = now.isoformat()
return {'expired': False}Content Security Policy and Frame Headers
A strict Content Security Policy stops most XSS from ever firing. Odoo 19's default CSP is permissive to support website builder features; for the backend, we tighten it significantly. Combine with X-Frame-Options: SAMEORIGIN to prevent clickjacking against logged-in admins, and X-Content-Type-Options: nosniff to stop MIME-sniffing attacks. These headers are set at the nginx layer (shown in the infrastructure section) because nginx gets the last word on response headers.
Database Security: Master Password, DB Listing, and PostgreSQL Access
The Odoo database layer is where most catastrophic compromises happen. If an attacker owns your database, they own every record in your company. Three controls matter: the master password must be strong and unique, database listing must be disabled, and PostgreSQL must refuse connections from anywhere but the app server.
Master Password — Never the Default
The admin_passwd directive in odoo.conf controls access to the database manager — the endpoint that can create, drop, back up, or restore databases. Odoo ships with admin as the default. We have audited dozens of publicly-exposed Odoo instances where /web/database/manager was reachable and the master password was still admin. Those instances have already been breached; they just do not know it yet.
# Generate a strong master password (store in a secrets manager)
# python -c "import secrets; print(secrets.token_urlsafe(48))"
admin_passwd = 9ZkR2vQx...paste-48-chars-here
# Never list databases to unauthenticated users
list_db = False
# Restrict to one database per instance (prevents tenant enumeration)
db_name = production_db
dbfilter = ^production_db$
# PostgreSQL connection — local only
db_host = 127.0.0.1
db_port = 5432
db_user = odoo_prod
db_password = rotated-via-secrets-manager
db_sslmode = requirePostgreSQL pg_hba.conf — Lock It Down
PostgreSQL's pg_hba.conf is the authoritative source for who can connect and how. The default Debian/Ubuntu install allows trust auth over local sockets, which is fine on a single host but lethal on shared infrastructure. Force scram-sha-256 everywhere, bind PostgreSQL to a private IP, and refuse connections from anywhere except the Odoo app server.
# TYPE DATABASE USER ADDRESS METHOD
local all postgres peer
local all all scram-sha-256
host odoo_prod odoo_prod 10.0.3.10/32 scram-sha-256
# Nothing else. Reject all other connections.
host all all 0.0.0.0/0 reject Also set listen_addresses = '10.0.4.10' in postgresql.conf — the private IP of the database subnet — so PostgreSQL never binds to a public interface. Enable TLS between app and database with ssl = on and a certificate issued by an internal CA.
The cleanest approach is to block /web/database/* at the nginx layer (shown in the infra section) and never expose the database manager. Backups and restores run from the app server over SSH or via the PostgreSQL tools directly. If an operator needs to create a new database, they do so through a CLI tool on the bastion — not through a browser.
Backup Encryption at Rest
Odoo's native backup feature produces a ZIP containing a plain-text SQL dump and the entire filestore. Unencrypted. If that ZIP ends up in an S3 bucket with a misconfigured policy, your entire database is one public URL away from the internet. Always encrypt backups with age or gpg before they leave the host, and use bucket policies that enforce server-side encryption and block public access.
Backup and Recovery: 3-2-1, Encrypted, Tested
A backup strategy is not real until it has been restored. We have walked into ransomware incidents where the customer had six months of nightly backups — all of which were mounted on the same host the attacker owned, all of which were encrypted alongside the live database. The 3-2-1 rule exists specifically for this scenario: three copies of your data, on two different media, with one copy offsite and offline.
| Copy | Location | Frequency | Retention | Encrypted |
|---|---|---|---|---|
| 1. Live DB | Primary PostgreSQL | Continuous (WAL) | N/A | TLS + at-rest LUKS |
| 2. Hot backup | Secondary host, same region | Hourly pg_basebackup | 7 days | age encryption |
| 3. Cold offsite | S3 Glacier or Backblaze B2 | Daily | 90 days + monthly for 7 yrs | age + SSE-KMS |
#!/usr/bin/env bash
set -euo pipefail
DB_NAME="production_db"
TS=$(date -u +%Y%m%dT%H%M%SZ)
STAGE="/var/backups/odoo/${DB_NAME}-${TS}"
AGE_RECIPIENT="age1xxxx...public-key" # Public key; private key is offline
S3_BUCKET="s3://company-odoo-backups-glacier"
mkdir -p "${STAGE}"
# 1. PostgreSQL dump (custom format, parallel)
pg_dump -h 127.0.0.1 -U odoo_prod -F c -j 4 \
-f "${STAGE}/db.dump" "${DB_NAME}"
# 2. Filestore
tar -C /var/lib/odoo/filestore -czf "${STAGE}/filestore.tar.gz" "${DB_NAME}"
# 3. Encrypt both artifacts with age (never decrypt on this host)
age -r "${AGE_RECIPIENT}" -o "${STAGE}/db.dump.age" "${STAGE}/db.dump"
age -r "${AGE_RECIPIENT}" -o "${STAGE}/filestore.tar.gz.age" "${STAGE}/filestore.tar.gz"
rm -f "${STAGE}/db.dump" "${STAGE}/filestore.tar.gz"
# 4. Upload to Glacier with SSE-KMS
aws s3 cp "${STAGE}/" "${S3_BUCKET}/${DB_NAME}/${TS}/" \
--recursive \
--storage-class DEEP_ARCHIVE \
--sse aws:kms \
--sse-kms-key-id alias/odoo-backups
# 5. Local retention: keep last 3 hours on disk
find /var/backups/odoo -maxdepth 1 -type d -mmin +180 -exec rm -rf {} +
logger -t odoo-backup "Backup ${DB_NAME} ${TS} uploaded"RPO, RTO, and the Monthly Restore Drill
Declare your recovery objectives explicitly. For typical mid-market Odoo deployments we target RPO of 1 hour (maximum tolerable data loss) and RTO of 4 hours (maximum tolerable downtime). These numbers drive the backup frequency and the hot-standby architecture. Once per month, on a scheduled Tuesday, we run a full restore drill: pull the most recent Glacier snapshot into a clean VM, restore the database, boot Odoo, verify a known-good record set. If the drill fails or takes longer than the RTO, we fix it that week. Untested backups are not backups.
Monitoring, Logging, and Alerting
You cannot respond to an incident you cannot see. Production Odoo generates four signal streams worth monitoring: application errors, authentication events, database performance, and availability. We pipe all four into a central stack — Loki or ELK for logs, Sentry or Glitchtip for errors, Prometheus and Grafana for metrics, and PagerDuty for alerting.
# In a small custom module, addons/security_monitoring/__init__.py
import os
import sentry_sdk
from sentry_sdk.integrations.logging import LoggingIntegration
dsn = os.environ.get('SENTRY_DSN')
if dsn:
sentry_sdk.init(
dsn=dsn,
environment=os.environ.get('ODOO_ENV', 'production'),
release=os.environ.get('ODOO_RELEASE', 'unknown'),
traces_sample_rate=0.05,
send_default_pii=False, # Never ship PII to error tracker
integrations=[LoggingIntegration(
level=None, # Capture all levels as breadcrumbs
event_level='ERROR', # Send ERRORs as Sentry events
)],
)Centralized Logs and Failed-Login Alerts
Ship Odoo, nginx, PostgreSQL, and auth logs to a central collector. We use Promtail -> Loki -> Grafana for most deployments; ELK works just as well if you already have the infrastructure. Critical alerts include: 10+ failed logins from a single IP in 60 seconds, any successful login by a base.group_system user outside business hours, any query exceeding 30 seconds, any uptime probe failure lasting more than 2 minutes, and any backup job that exits non-zero.
groups:
- name: odoo-security
interval: 30s
rules:
- alert: OdooLoginBruteForce
expr: |
sum by (remote_addr) (
count_over_time(
{job="odoo"} |~ "Login failed" [1m]
)
) > 10
for: 1m
labels: { severity: critical, team: security }
annotations:
summary: "Brute-force login attempt on {{ $labels.remote_addr }}"
- alert: OdooAdminLoginOffHours
expr: |
sum(count_over_time(
{job="odoo"} |~ "admin.*login success" [5m]
)) > 0 and ON() (hour() < 7 or hour() > 20)
for: 0m
labels: { severity: high, team: security } Finally, set up synthetic uptime monitoring from a location outside your cloud provider. UptimeRobot, Better Stack, or a custom Pingdom check that loads /web/login, confirms a 200 response, and times the TLS handshake. If your own infrastructure goes down, your internal monitoring goes with it — external checks are the only alert that survives a full-region outage.
Compliance: SOC 2, HIPAA, PIPEDA, GDPR, PCI-DSS
The controls in this guide are not a compliance program on their own — but they cover the majority of technical requirements that auditors check. Here is how the hardening above maps to the frameworks most Odoo customers face:
SOC 2 (most common for SaaS customers): the CC6 series (logical access) is satisfied by MFA + least-privilege groups + record rules + quarterly access reviews. CC7 (operations) maps to centralized logging and the monthly restore drill. CC8 (change management) requires a CI/CD pipeline with reviewed merges — see our production installation guide for the recommended setup.
HIPAA (healthcare, PHI): requires encryption in transit (TLS 1.3), at rest (LUKS on the database volume + encrypted backups), and an audit trail of every access to PHI. Odoo's mail.thread audit log covers record-level access; for field-level PHI access logging, a custom audit module is usually needed.
PIPEDA (Canada) and GDPR (EU): data minimization, right to erasure, breach notification within 72 hours. The backup encryption and access control above cover the technical surface; the legal and process work is separate.
PCI-DSS: the simplest answer is "do not store card data in Odoo." Use a PCI-scoped payment processor (Stripe, Adyen) and keep Odoo out of the cardholder data environment. If card data must flow through Odoo, scope expands dramatically — network segmentation, quarterly ASV scans, annual penetration testing, and formal change control all apply.
Frequently Asked Questions
The Odoo core is reasonably well-audited and follows sensible defaults for CSRF, ORM-level injection protection, and password hashing. However, a default install exposes the database manager, uses weak session timeouts, ships with permissive CSP, and does not enforce MFA. "Secure out of the box" is not accurate for a production deployment — every instance needs the hardening steps in this guide.
For any internet-facing deployment, yes. Cloudflare, AWS WAF, or a self-hosted ModSecurity ruleset blocks the highest-volume noise (credential stuffing, scanner traffic, basic injection attempts) before it ever reaches Odoo. nginx rate limiting is complementary, not a substitute.
Every user with access to financial, HR, or customer data. Enforcement-by-group is the right lever: require it for base.group_system, accounting, HR, and anyone with export rights. Public-portal users (customers, vendors) do not need TOTP unless they can see PII or make purchases without a separate payment step.
Block /web/database/manager at the reverse proxy and change the master password from the default. This is a five-minute change that eliminates the most common catastrophic-compromise vector we see in incident response work.
Every 90 days for the master password, or immediately after any offboarding of someone who had access to it. The PostgreSQL password should be stored in a secrets manager (Vault, AWS Secrets Manager, Doppler) and rotated automatically on the same cadence. Never commit either to a git repo, including in Ansible inventories.
Both platforms handle infrastructure hardening — TLS, DDoS, OS patching, backups — well. Application-layer security (MFA, access groups, session timeouts, password policy, custom module review) is still the customer's responsibility. A managed platform reduces the attack surface; it does not eliminate it.
Read the source. Look for sudo() in manifests, raw SQL in model code, t-raw in QWeb templates, requests to external URLs, and any exec() or eval() calls. Any of those warrants a line-by-line review. Pin the module version in your requirements and re-audit before every upgrade.
A full review of the areas in this guide: infrastructure configuration, Odoo access groups and record rules, custom module code audit for SQL/XSS/sudo misuse, backup encryption and restore drill, monitoring coverage, and a compliance mapping for whatever framework applies. We deliver a prioritized remediation plan and can implement the fixes directly. Book a free initial audit below.
Optimization Metadata
Production-grade Odoo hardening — infrastructure, MFA, access groups, database, backups, monitoring, compliance. Free audit available.
odoo security
odoo security checklist, secure odoo deployment, odoo hardening, odoo production security