Odoo software

Software Security

Odoo is open source, so the whole codebase is continuously under examination by Odoo users and contributors worldwide. Community bug reports are therefore one important source of feedback regarding security. We encourage developers to audit the code and report security issues.

The Odoo R&D processes have code review steps that include security aspects, for new and contributed pieces of code.

Secure by design

Odoo is designed in a way that prevents introducing most common security vulnerabilities:

  • SQL injections are prevented by the use of a higher-level API that does not require manual SQL queries.
  • XSS attacks are prevented by the use of a high-level templating system that automatically escapes injected data.
  • The framework prevents RPC access to private methods, making it harder to introduce exploitable vulnerabilities.
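The three properties listed above are design choices of the framework rather than single functions. The following is an added example written for this page, not Odoo's own ORM, QWeb or RPC code: in plain Python with only the standard library it contrasts a hand-built SQL string against a small domain-style query API that compiles whitelisted field/operator triples into a parameterized query (a simplified imitation of a `[('name', 'ilike', ...)]` style, assumed here), a raw string template against one that escapes by default, and an RPC dispatcher that refuses underscore-prefixed method names (the private-method convention assumed here). The `res_partner` table and its rows are constructed sample data.

```python
import html
import sqlite3

# Constructed sample data: a minimal partner table, created here for the demo.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE res_partner (id INTEGER PRIMARY KEY, name TEXT, is_company INTEGER)")
conn.executemany(
    "INSERT INTO res_partner (name, is_company) VALUES (?, ?)",
    [("Azure Interior", 1), ("Deco Addict", 1), ("Marc Demo", 0)],
)

# --- 1. Injection: raw string building vs. a domain-style API -----------------

def search_names_raw(fragment):
    """Vulnerable pattern: user input becomes part of the SQL text itself."""
    sql = f"SELECT name FROM res_partner WHERE name LIKE '%{fragment}%'"
    return [row[0] for row in conn.execute(sql)]

# Hypothetical, simplified domain compiler (not Odoo's): callers only name
# fields and operators from a whitelist; values always travel as bound parameters.
ALLOWED_FIELDS = {"name", "is_company"}
OPERATORS = {"=": "=", "!=": "<>", "ilike": "LIKE"}

def domain_to_sql(domain):
    clauses, params = [], []
    for field, op, value in domain:
        if field not in ALLOWED_FIELDS or op not in OPERATORS:
            raise ValueError(f"unsupported domain term ({field!r}, {op!r})")
        if op == "ilike":
            value = f"%{value}%"          # wildcard added by the API, not the caller
        clauses.append(f"{field} {OPERATORS[op]} ?")
        params.append(value)
    where = " AND ".join(clauses) or "1=1"
    return f"SELECT name FROM res_partner WHERE {where}", params

def search_names(domain):
    sql, params = domain_to_sql(domain)
    return [row[0] for row in conn.execute(sql, params)]

# --- 2. XSS: manual interpolation vs. escape-by-default rendering -------------

def render_raw(template, **values):
    """Vulnerable pattern: values are dropped into the markup unchanged."""
    return template.format(**values)

def render(template, **values):
    """Escape-by-default: every value is HTML-escaped before substitution."""
    return template.format(**{k: html.escape(str(v), quote=True) for k, v in values.items()})

# --- 3. RPC: only public methods are reachable by name ------------------------

class PartnerModel:
    def name_search(self, fragment):
        return search_names([("name", "ilike", fragment)])

    def _unlink_all(self):
        """Private helper (underscore prefix); must never be callable over RPC."""
        conn.execute("DELETE FROM res_partner")

def rpc_call(model, method, *args):
    """Dispatcher that refuses private (underscore-prefixed) method names."""
    if method.startswith("_"):
        raise PermissionError(f"private method {method!r} is not RPC-accessible")
    return getattr(model, method)(*args)

if __name__ == "__main__":
    payload = "%' OR 1=1 --"
    print(search_names_raw(payload))                   # every row: the injected OR wins
    print(search_names([("name", "ilike", payload)]))  # []: the payload is matched literally
    print(render_raw("<p>{name}</p>", name="<script>alert(1)</script>"))
    print(render("<p>{name}</p>", name="<script>alert(1)</script>"))
    print(rpc_call(PartnerModel(), "name_search", "Demo"))
```

The point of the domain compiler is that the only strings the caller controls ever reach the database as bound values; the SQL text is assembled exclusively from whitelisted names, so a rejected field or operator fails loudly instead of becoming part of the query. The same "safe by default" shape applies to the renderer and the dispatcher: escaping and the private-method check happen in the framework layer, so a developer cannot forget them.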

See also the OWASP Top Vulnerabilities section for how Odoo is designed from the ground up to prevent such vulnerabilities from appearing.

Independent Security Audits

Odoo is regularly audited by independent companies that are hired by our customers and prospects to perform audits and penetration tests. The Odoo Security Team receives the results and takes appropriate corrective measures whenever it is necessary.

OWASP Top Vulnerabilities

Here is where Odoo stands on the top security issues for web applications, as listed by the Open Web Application Security Project (OWASP):

Injection Flaws

Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.

Cross Site Scripting (XSS)

XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute scripts in the victim's browser, which can be used to hijack user sessions, deface web sites, possibly introduce worms, etc.

Cross Site Request Forgery (CSRF)

A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

Malicious File Execution

Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise.

Insecure Direct Object Reference

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.

Insecure Cryptographic Storage

Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.

Insecure Communications

Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.

Failure to Restrict URL Access

Frequently an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.

Reporting Security Vulnerabilities

If you need to report a security vulnerability, please head over to Odoo's responsible disclosure page. These reports are treated with high priority: the problem is immediately assessed and solved by the Odoo security team, in collaboration with the reporter, and then disclosed in a responsible manner to Odoo customers and users.