CVE-2026-46645

SQLAdmin: Authorization Bypass on `ajax_lookup`

CVSS 4.3 MEDIUMEPSS 0.3%CWE-862

SQLAdmin is a flexible Admin interface for SQLAlchemy models. Prior to version 0.25.1, the ajax_lookup endpoint in application.py bypasses the is_accessible() access control check that all other endpoints enforce. If a developer restricts model access by overriding is_accessible(), an authenticated user can still query that model's data through the ajax_lookup endpoint — silently bypassing the restriction. This issue has been patched in version 0.25.1.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Affected products

smithyhq · sqladmin

public PoCs found — 1

githubgithub.com/rootdirective-sec/CVE-2026-46645-Analysis-Lab★ 0

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/smithyhq/sqladmin/commit/b0d3a19fb9b074a9ed243de46930108375dfbb98 https://github.com/smithyhq/sqladmin/pull/1035 https://github.com/smithyhq/sqladmin/releases/tag/0.25.1 https://github.com/smithyhq/sqladmin/security/advisories/GHSA-54mc-gghv-4cfj