Any user can read the hashed password
While reading [1], I was wondering if trytond was also affected.
Indeed series <=3.0 are not affected but rc9be44cd05e1 removed the protection by mistake. The new password_hash field did not received the same hiding treatment as the password field.
The exploitation is quite difficult because of the existing protections against such leak. The protections are the usage of strong hash (bcrypt and sha1) and the random salt.
[1] https://github.com/odoo/odoo/issues/13175