İçereği Atla
Bu soru işaretlendi
security
2 Cevaplar
665 Görünümler
Avatar
Razan Saleh

Hello,

We recently engaged a third-party company to do some needed customizations on our account. Unfortunately, the engagement did not proceed as expected. 

As a precaution, we have already revoked their access to our Odoo environment and all related systems, changed all passwords, and reviewed user permissions. However, we remain concerned about the possibility that they may have implemented unauthorized modifications, hidden administrative accounts, backdoors, custom code, scheduled jobs, API integrations, or other mechanisms that could allow future access or negatively impact our operations.

We would appreciate your guidance on the following:

1. What risks should we realistically be concerned about in this situation?

2. What steps can we take to verify that our Odoo environment is secure and free from any unauthorized access mechanisms?

3. Are there specific audits, logs, security reviews, or code inspections that you would recommend?

4. Would creating a completely new Odoo instance and migrating all data and customizations to it eliminate these risks, or could vulnerabilities be transferred as part of the migration?

5. Are there any additional best practices we should follow to ensure the integrity and security of our system going forward?


Avatar
Vazgeç
Codesphere Tech

Hello
This is a serious situation, and your proactive steps—revoking access, rotating credentials, and reviewing permissions—were exactly the right first moves to contain the immediate risk.
Realistic Risks to Consider:
-> Hidden lines of code (in custom modules) that create new administrator users or allow remote command execution.
-> Malicious automated tasks that periodically exfiltrate data, delete logs, or create new unauthorized users.(schedule actions)
-> New endpoints created to transmit data to an external server.
-> Users created with low-privilege names that have hidden "Superuser" or "Administrator" access rights.
-> Code designed to subtly alter accounting entries, inventory counts, or pricing at a future date.
Let me know if you need any help on this
I'm happy to help you in this situation.
Thanks

Avatar
Cybrosys Techno Solutions Pvt.Ltd
En İyi Yanıt
Hi,

The level of risk depends on the type of access the third-party company had. If they only had administrator access within Odoo, the main concerns are hidden users, modified access rights, automated actions, scheduled jobs, API keys, webhooks, or unauthorized integrations. If they had server-level access, such as SSH access, database access, Odoo.sh access, or access to your source code repository, the risks are higher because they could have deployed custom code, created backdoors, modified infrastructure settings, or extracted data.

To verify that your environment is secure, review all users, permissions, API keys, OAuth applications, scheduled actions, automated actions, webhooks, email aliases, and installed modules. Enable Developer Mode and inspect all technical settings for customizations or integrations that were added during the engagement. If you have access to the source code or server, conduct a code audit, review Git history, and examine Odoo, web server, and database logs for suspicious activity.

Creating a new Odoo instance can reduce risk, but only if you migrate data selectively and reinstall only trusted modules and reviewed customizations. Simply restoring the existing database or codebase may transfer the same vulnerabilities or unauthorized changes to the new environment.

Going forward, follow security best practices such as granting external consultants only the minimum required permissions, using separate user accounts, enabling multi-factor authentication, maintaining your own version-controlled code repository, documenting all customizations, and performing regular security audits. If you have serious concerns about the integrity of your environment, consider engaging an independent Odoo partner or security specialist to perform a comprehensive review.

Hope it helps

Avatar
Vazgeç
Avatar
Zehntech Technologies Inc.
En İyi Yanıt

Hello,

Your concerns are valid, especially after third-party customizations. In Odoo, the main areas to review would typically include:

• User accounts and access groups (including inactive/admin users)

• Custom modules and code changes introduced during the engagement

• Scheduled actions (cron jobs), server actions, and automated scripts

• API keys, webhooks, external integrations, and connected services

• Audit logs and recent activity history

• Database-level changes and custom security rules

Creating a new Odoo instance can reduce risk, but simply migrating existing customizations without reviewing them may transfer the same vulnerabilities. Data migration itself is generally safer than blindly moving custom code and integrations.

As a best practice, perform a full security and customization audit, validate all deployed modules, enforce least-privilege access, enable stronger authentication practices, and maintain proper documentation/change control going forward.

Hope this works for you! If you need any help implementing this or want a more optimized approach, feel free to reach out for further discussion.

Regards,

Zehntech Technologies Inc.

santosh.sekwadia@zehntech.com

Avatar
Vazgeç
İlgili Gönderiler Cevaplar Görünümler Aktivite
Local Odoo 19 Database: Inventory not showing on Hand?
security
Avatar
0
Nis 26
5
User: Access Rules Not Updating After Sales Unit Change
security
Avatar
0
Mar 26
3
cubic milimeters to cubic meters conversion
security
Avatar
0
Mar 26
4
Mac Id restriction for Users in Odoo enterprise Çözüldü
security
Avatar
Avatar
1
Ara 25
1834
what is the differance between access right and record rules in odoo ? Çözüldü
security
Avatar
Avatar
Avatar
Avatar
Avatar
5
Eyl 25
18505