VYPR
Unrated severity · NVD Advisory · Published Jun 28, 2019 · Updated Aug 5, 2024

CVE-2018-14887

Description

Improper Host header sanitization in the dbfilter routing component in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows a remote attacker to deny access to the service and to disclose database names via a crafted request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Odoo 9.0–11.0 mishandles Host header placeholders in the dbfilter component, enabling database name disclosure and denial of service.

Vulnerability

The dbfilter routing component in Odoo Community and Enterprise editions versions 9.0, 10.0, and 11.0 and earlier improperly sanitizes Host header placeholders (%d for domain and %h for host) when building the database filter expression. This flaw exists in the dynamic database assignment mechanism that administrators can configure to host multiple databases on a single server. The vulnerability is described in the official advisory ODOO-SA-2018-08-07-11 (CVE-2018-14887) [1].

Exploitation

An attacker must be able to send network requests to a vulnerable Odoo instance. Successful exploitation requires that the web server in front of Odoo accepts arbitrary domain names (e.g., via a wildcard vhost configuration) or that the Odoo service is directly exposed to the internet. In such scenarios, the attacker can send a request with a malicious Host header that, when substituted into the dbfilter expression, injects regular-expression syntax into the pattern used for database selection [1].

Impact

If exploited, this vulnerability can lead to two distinct outcomes: (1) information disclosure – the attacker can learn the names of available databases hosted on the same server, even if database listing has been explicitly disabled by the administrator; and (2) denial of service – the attacker can craft a request that results in a deliberately inefficient regular expression, consuming server resources and denying access to legitimate users. The CVSS v3 base score for this vulnerability is 6.5 (Medium). Odoo S.A. reports that the specific configuration required for exploitation is considered very rare and unlikely in practice, and they are not aware of any malicious exploitation in the wild [1].

Mitigation

Odoo S.A. released security fixes for this vulnerability. The advisory ODOO-SA-2018-08-07-11 indicates that the issue was addressed in later releases. Administrators should upgrade to Odoo versions later than 11.0. If an immediate upgrade is not possible and the system uses a wildcard virtual host or exposes Odoo directly, it is recommended to restrict Host header values and avoid using the %d or %h placeholders in the dbfilter configuration. Users of the affected versions (9.0, 10.0, 11.0) should apply patches from the official Odoo repository [1][2].
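The following Python sketch is an added example and is not Odoo's code or part of the advisory. It models the mechanism described above (a dbfilter expression with %d and %h placeholders filled from the Host header and matched against database names, which is an assumption about the exact substitution rules) and shows the two mitigations a defender would apply: escaping the substituted values so Host metacharacters cannot alter the pattern, and allowlisting Host values before the filter ever runs. The database names and hostnames are constructed sample data.

```python
import re

# Constructed example, not Odoo's own implementation. Assumption: %d is the first
# label of the Host (port stripped) and %h is the full host, and the resulting
# pattern is applied with re.match to each database name.

# Syntactic hostname check (RFC 1123 style labels); used together with an allowlist.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def host_parts(host):
    """Return (domain label, full host) from a Host header, dropping any :port."""
    host = host.split(":")[0].lower()
    return host.split(".")[0], host


def build_filter_unsafe(dbfilter, host):
    """Literal substitution: regex metacharacters in Host land in the pattern."""
    d, h = host_parts(host)
    return dbfilter.replace("%d", d).replace("%h", h)


def build_filter_safe(dbfilter, host):
    """Hardened form: substituted values are escaped, so they only match themselves."""
    d, h = host_parts(host)
    return dbfilter.replace("%d", re.escape(d)).replace("%h", re.escape(h))


def is_valid_host(host, allowed_hosts):
    """Allowlist check a reverse proxy or WSGI middleware can apply before routing."""
    name = host.split(":")[0].lower()
    return bool(HOSTNAME_RE.match(name)) and name in allowed_hosts


def select_databases(pattern, db_names):
    """Apply a dbfilter pattern the way a database selector would."""
    r = re.compile(pattern)
    return [db for db in db_names if r.match(db)]


# Constructed sample inventory of databases on one server.
DB_NAMES = ["acme", "acme_staging", "secret_client"]
ALLOWED_HOSTS = {"acme.example.com"}

if __name__ == "__main__":
    for host in ("acme.example.com:8069", "acme.*"):
        print("Host:", host, "allowed:", is_valid_host(host, ALLOWED_HOSTS))
        for build in (build_filter_unsafe, build_filter_safe):
            pattern = build("^%h$", host)
            print(f"  {build.__name__:20} {pattern!r:24} -> {select_databases(pattern, DB_NAMES)}")
```

With a Host that contains a wildcard, the unescaped filter widens the match to databases the administrator never intended to expose, while the escaped filter matches nothing and the allowlist rejects the request outright. Escaping also removes the denial-of-service variant, since no quantifiers or groups from the Host can reach the compiled pattern.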

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0

No linked articles in our index yet.