Security Release for issue7766


A vulnerability in trytond, the core package of Tryton, has been found by Cédric Krier.
Issue7766 shows that an authenticated user can guess the value of a field for which he has no access right, whether the restriction is set at the model level or at the field level. The procedure is to run dichotomous (bisecting) search queries on the model with a domain clause of the form field equals value until the search returns the record id.
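To make the fix concrete, here is an added toy model (not trytond code; the model, field and user names are constructed) contrasting a search that applies domain clauses without any field-access check with one that refuses clauses on fields the user cannot read, plus the regression check a maintainer would keep to make sure the search result no longer acts as an oracle:

```python
"""Toy model of the issue7766 bug class (added illustration, not trytond code).

A search() that applies domain clauses before checking field access rights
turns its result set into an oracle for fields the user may not read.
All records, fields, users and access rules below are constructed.
"""

# Constructed records of a hypothetical model.
RECORDS = [
    {"id": 1, "name": "Alice", "salary": 4200},
    {"id": 2, "name": "Bob", "salary": 3100},
]

# Constructed field-level read access per user.
FIELD_READ_ACCESS = {
    "clerk": {"name"},
    "manager": {"name", "salary"},
}

OPERATORS = {
    "=": lambda a, b: a == b,
    "<": lambda a, b: a < b,
    ">=": lambda a, b: a >= b,
}


class AccessError(Exception):
    """Raised when a domain references a field the user may not read."""


def _matches(record, domain):
    return all(OPERATORS[op](record[field], value) for field, op, value in domain)


def search_vulnerable(user, domain):
    """Filters on any field named in the domain without an access check, so
    the returned ids depend on values the user is not allowed to read."""
    return [r["id"] for r in RECORDS if _matches(r, domain)]


def search_fixed(user, domain):
    """Hardened variant: refuse the query if any clause names a field the
    user cannot read, before the data is touched at all."""
    readable = FIELD_READ_ACCESS.get(user, set())
    for field, _op, _value in domain:
        if field not in readable:
            raise AccessError(f"{user!r} may not filter on field {field!r}")
    return [r["id"] for r in RECORDS if _matches(r, domain)]


def is_oracle(search, user, field, pivot):
    """Regression check: do two complementary clauses on a restricted field
    yield different result sets? True means the field's value is inferable."""
    try:
        below = search(user, [(field, "<", pivot)])
        above = search(user, [(field, ">=", pivot)])
    except AccessError:
        return False
    return below != above
```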


CVSS v3.0 Base Score: 6.5

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None


There are no known workarounds.


All affected users should upgrade trytond to the latest version.
Affected versions per series:

  • 5.0: <=5.0.0
  • 4.8: <=4.8.4
  • 4.6: <=4.6.8
  • 4.4: <=4.4.13
  • 4.2: <=4.2.15
  • 4.0: <=4.0.19

Non affected versions per series:

  • 5.0: >=5.0.1
  • 4.8: >=4.8.5
  • 4.6: >=4.6.9
  • 4.4: >=4.4.14
  • 4.2: >=4.2.16
  • 4.0: >=4.0.20



Any security concerns should be reported on the bug-tracker at with the type security.


The module stock_supply received a fix that breaks the policy of making no XML data changes within a series. This is to give read access on purchase requests to the “Stock Administrator” group, so that the supply wizard can run without error.