Skip to Content
This question has been flagged
security
1 Reply
57 Views
Avatar
Razan Saleh

Hello,

We recently engaged a third-party company to do some needed customizations on our account. Unfortunately, the engagement did not proceed as expected. 

As a precaution, we have already revoked their access to our Odoo environment and all related systems, changed all passwords, and reviewed user permissions. However, we remain concerned about the possibility that they may have implemented unauthorized modifications, hidden administrative accounts, backdoors, custom code, scheduled jobs, API integrations, or other mechanisms that could allow future access or negatively impact our operations.

We would appreciate your guidance on the following:

1. What risks should we realistically be concerned about in this situation?

2. What steps can we take to verify that our Odoo environment is secure and free from any unauthorized access mechanisms?

3. Are there specific audits, logs, security reviews, or code inspections that you would recommend?

4. Would creating a completely new Odoo instance and migrating all data and customizations to it eliminate these risks, or could vulnerabilities be transferred as part of the migration?

5. Are there any additional best practices we should follow to ensure the integrity and security of our system going forward?


Avatar
Discard
Codesphere Tech

Hello
This is a serious situation, and your proactive steps—revoking access, rotating credentials, and reviewing permissions—were exactly the right first moves to contain the immediate risk.
Realistic Risks to Consider:
-> Hidden lines of code (in custom modules) that create new administrator users or allow remote command execution.
-> Malicious automated tasks that periodically exfiltrate data, delete logs, or create new unauthorized users.(schedule actions)
-> New endpoints created to transmit data to an external server.
-> Users created with low-privilege names that have hidden "Superuser" or "Administrator" access rights.
-> Code designed to subtly alter accounting entries, inventory counts, or pricing at a future date.
Let me know if you need any help on this
I'm happy to help you in this situation.
Thanks

Avatar
Zehntech Technologies Inc.
Best Answer

Hello,

Your concerns are valid, especially after third-party customizations. In Odoo, the main areas to review would typically include:

• User accounts and access groups (including inactive/admin users)

• Custom modules and code changes introduced during the engagement

• Scheduled actions (cron jobs), server actions, and automated scripts

• API keys, webhooks, external integrations, and connected services

• Audit logs and recent activity history

• Database-level changes and custom security rules

Creating a new Odoo instance can reduce risk, but simply migrating existing customizations without reviewing them may transfer the same vulnerabilities. Data migration itself is generally safer than blindly moving custom code and integrations.

As a best practice, perform a full security and customization audit, validate all deployed modules, enforce least-privilege access, enable stronger authentication practices, and maintain proper documentation/change control going forward.

Hope this works for you! If you need any help implementing this or want a more optimized approach, feel free to reach out for further discussion.

Regards,

Zehntech Technologies Inc.

santosh.sekwadia@zehntech.com

Avatar
Discard
Related Posts Replies Views Activity
Local Odoo 19 Database: Inventory not showing on Hand?
security
Avatar
0
Apr 26
5
User: Access Rules Not Updating After Sales Unit Change
security
Avatar
0
Mar 26
3
cubic milimeters to cubic meters conversion
security
Avatar
0
Mar 26
4
Mac Id restriction for Users in Odoo enterprise Solved
security
Avatar
Avatar
1
Dec 25
1577
what is the differance between access right and record rules in odoo ? Solved
security
Avatar
Avatar
Avatar
Avatar
Avatar
5
Sep 25
18300