SQLAdmin: Authorization Bypass on `ajax_lookup`
CVE-2026-46645

4.3MEDIUM

Key Information:

Vendor

Smithyhq

Status
Sqladmin
Vendor
CVE Published:
10 June 2026

What is CVE-2026-46645?

SQLAdmin is a flexible Admin interface for SQLAlchemy models. Prior to version 0.25.1, the ajax_lookup endpoint in application.py bypasses the is_accessible() access control check that all other endpoints enforce. If a developer restricts model access by overriding is_accessible(), an authenticated user can still query that model's data through the ajax_lookup endpoint — silently bypassing the restriction. This issue has been patched in version 0.25.1.

Affected Version(s)

sqladmin < 0.25.1

References

https://github.com/smithyhq/sqladmin/security/advisories/...
x_refsource_CONFIRM
https://github.com/smithyhq/sqladmin/pull/1035
x_refsource_MISC
https://github.com/smithyhq/sqladmin/commit/b0d3a19fb9b07...
x_refsource_MISC

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.