VYPR
Unrated severity · NVD Advisory · Published Jul 3, 2019 · Updated Aug 5, 2024

CVE-2018-14866

Description

Incorrect access control in the TransientModel framework in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated attackers to access data in transient records that they do not own by making an RPC call before garbage collection occurs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2018-14866: Incomplete access control in Odoo TransientModel allows authenticated attackers to access transient records they do not own via RPC before garbage collection.

Vulnerability

Incorrect access control in the TransientModel framework of Odoo Community and Enterprise 11.0 and earlier allows authenticated attackers to access data in transient records that they do not own via RPC calls before garbage collection occurs [1]. The security model for transient records was incomplete, making it possible for users to retrieve field values from records owned by others. Affected versions include Odoo 9.0, 10.0, and 11.0 (both Community and Enterprise) [1].

Exploitation

An attacker with an unprivileged user account (including portal users) can make specially crafted RPC requests to access specific transient records by guessing or enumerating record IDs [1]. The attack is network-exploitable and requires no special privileges beyond an authenticated session. The attacker must act between the creation of the transient record and its automatic garbage collection, which provides only a limited window for exploitation [1].

Impact

Successful exploitation allows the attacker to read field values from transient records they do not own, potentially exposing sensitive business or personal data [1]. The impact is limited to confidentiality (low), with no integrity or availability impact. The CVSSv3 base score is 3.5 (Low) [1].

Mitigation

Odoo has released a security advisory (ODOO-SA-2018-08-07-9) and patches for this issue [1]. Users should upgrade to Odoo 12.0 or later, or apply the recommended patches for affected versions 9.0, 10.0, and 11.0. There are no known workarounds; upgrading or applying the vendor patches is the only mitigation.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)