Odoo XML-RPC Security: Locking Down Your API Surface

Odoo's XML-RPC API is the most exposed attack surface in most deployments. Learn how to harden it against credential stuffing, data exfiltration, and abuse.


The XML-RPC endpoint at /xmlrpc/2/ is Odoo's programmatic interface. It allows full CRUD operations on any model the authenticated user has access to — which makes it extraordinarily powerful and equally dangerous when left unprotected.

The Attack Surface

By default, Odoo's XML-RPC endpoint is:

  • Publicly accessible — Anyone on the internet can attempt authentication
  • Unlimited in rate — No built-in rate limiting on login attempts
  • Full database access — Once authenticated, the API exposes every model the user can access
  • Brute-force friendly — No account lockout after failed attempts

Hardening Steps

1. IP Whitelisting

The most effective protection is restricting XML-RPC access to known IP addresses at the reverse proxy level. In Nginx:

location /xmlrpc/ {
    allow 10.0.0.0/8;       # Internal network
    allow 203.0.113.50;      # NonaGuard scanner
    deny all;
    proxy_pass http://odoo;
}

2. API Key Authentication

From Odoo 14 onward, have users authenticate to XML-RPC with API keys rather than their login passwords. An API key can be revoked on its own, without forcing a change of the user's password.

3. Rate Limiting

Add rate limiting at the reverse proxy level to prevent credential stuffing attacks. A reasonable limit is 10 requests per second per IP address to the /xmlrpc/ path.

4. Monitoring

Log and alert on XML-RPC authentication failures. A sudden spike in failed authentication attempts is a strong indicator of an active attack.
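An added example of the alerting logic this step describes (this is not code from the original post or from NonaGuard): it parses failed-login lines from an Odoo log and raises an alert when one source IP accumulates a threshold of failures inside a sliding window, listing the distinct logins it tried. The sample log lines are constructed, and the "Login failed for db:... login:... from <ip>" wording is assumed to match what your Odoo version writes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Odoo's default log layout
# ("<time> <pid> <level> <db> <logger>: <message>"); the
# "Login failed for db:.. login:.. from <ip>" message is what
# res_users logs (assumption: your Odoo version keeps this wording).
SAMPLE_LOG = """\
2024-03-01 12:00:01,101 1234 INFO mydb odoo.addons.base.models.res_users: Login failed for db:mydb login:admin from 198.51.100.7
2024-03-01 12:00:02,115 1234 INFO mydb odoo.addons.base.models.res_users: Login failed for db:mydb login:alice from 10.0.0.5
2024-03-01 12:00:04,120 1234 INFO mydb odoo.addons.base.models.res_users: Login failed for db:mydb login:sales from 198.51.100.7
2024-03-01 12:00:06,130 1234 INFO mydb odoo.addons.base.models.res_users: Login failed for db:mydb login:support from 198.51.100.7
2024-03-01 12:00:07,140 1234 INFO mydb odoo.addons.base.models.res_users: Login successful for db:mydb login:alice from 10.0.0.5
2024-03-01 12:00:09,150 1234 INFO mydb odoo.addons.base.models.res_users: Login failed for db:mydb login:accounting from 198.51.100.7
2024-03-01 12:00:12,160 1234 INFO mydb odoo.addons.base.models.res_users: Login failed for db:mydb login:hr from 198.51.100.7
2024-03-01 12:00:13,170 1234 INFO mydb werkzeug: 198.51.100.7 - - [01/Mar/2024 12:00:13] "POST /xmlrpc/2/common HTTP/1.1" 200 -
"""

LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ \d+ \w+ \S+ "
    r"odoo\.addons\.base\.models\.res_users: Login failed for db:(?P<db>\S+) "
    r"login:(?P<login>\S+) from (?P<ip>\S+)$"
)

def parse_failures(lines):
    """Yield (timestamp, source_ip, login) for each failed-login line; other lines are ignored."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["login"]

def detect_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: (alert_time, sorted distinct logins tried)} for every source IP
    that reaches `threshold` failures inside a sliding `window`. Many distinct
    logins from one IP is the credential-stuffing pattern the post warns about."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    logins = defaultdict(set)    # ip -> every login name that IP has tried
    alerts = {}
    for ts, ip, login in parse_failures(lines):
        q = recent[ip]
        q.append(ts)
        logins[ip].add(login)
        while ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = (ts.isoformat(sep=" "), sorted(logins[ip]))
    return alerts
```

Calling `detect_bursts(SAMPLE_LOG.splitlines())` flags only 198.51.100.7 (five failures across five different logins in eleven seconds), while the single failure from 10.0.0.5 followed by a successful login stays below the threshold.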

5. Disable If Unused

If your deployment doesn't need external API access, block the /xmlrpc/ path entirely at the reverse proxy. This eliminates the entire attack surface.

NonaGuard checks your XML-RPC configuration, detects unprotected endpoints, and flags instances where the API surface is unnecessarily exposed. Run a free API security scan.

🛡️ Check Your Odoo Security Posture

NonaGuard scans for permission vulnerabilities, exposed API surfaces, missing 2FA, and 200+ other security checks. Get your security score in under 60 seconds.
