CVE-2026-46645
Status: Received - Intake
SQLAdmin Admin Interface Access Bypass via ajax_lookup

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
SQLAdmin is a flexible admin interface for SQLAlchemy models. Prior to version 0.25.1, the ajax_lookup endpoint in application.py bypasses the is_accessible() access control check that all other endpoints enforce. If a developer restricts access to a model by overriding is_accessible(), an authenticated user can still query that model's data through the ajax_lookup endpoint, silently bypassing the restriction. This issue has been patched in version 0.25.1.
Meta Information
Generated: 2026-06-11
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: sqladmin
Product: sqladmin
Version / Range: all versions before 0.25.1 (0.25.1 itself excluded)
Weakness
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

The vulnerability exists in SQLAdmin versions prior to 0.25.1, specifically in the ajax_lookup endpoint within application.py. This endpoint bypasses the is_accessible() access control check that other endpoints enforce. As a result, if a developer restricts access to certain models by overriding is_accessible(), an authenticated user can still query data from those models through the ajax_lookup endpoint without restriction.

Impact Analysis

This vulnerability allows authenticated users to silently bypass access control restrictions on certain data models. Consequently, users may gain unauthorized read access to sensitive data that should have been restricted, potentially leading to data exposure.

Mitigation Strategies

To mitigate this vulnerability, upgrade SQLAdmin to version 0.25.1 or later, where the ajax_lookup endpoint properly enforces the is_accessible() access control check.
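The Description and Mitigation sections above describe a missing authorization check (CWE-862) on a single route. The following is an added example, not SQLAdmin's own code: a minimal stand-in admin dispatcher in which every route resolves the target model through one authorization helper except ajax_lookup, shown next to the corrected form that routes it through the same helper. All names in it (Request, ModelView, AuditLogView, VulnerableAdmin, FixedAdmin, the sample row) are constructed for the example.

```python
# Added example, not SQLAdmin's code: a stand-in dispatcher reproducing the
# CWE-862 shape the advisory describes, one route (ajax_lookup) skipping the
# is_accessible() check every other route applies. All names are constructed.
from collections import namedtuple

Request = namedtuple("Request", "user roles")  # roles: set of role names


class ModelView:
    identity = "base"

    def is_accessible(self, request):
        return True  # default: any authenticated user may see the model


class AuditLogView(ModelView):
    identity = "audit_log"
    rows = [{"id": 1, "note": "constructed sample row"}]

    def is_accessible(self, request):
        return "admin" in request.roles  # restricted to admins by the deployer


class VulnerableAdmin:
    def __init__(self, views):
        self.views = {v.identity: v for v in views}

    def _authorized_view(self, identity, request):
        view = self.views[identity]
        if not view.is_accessible(request):
            raise PermissionError("403 Forbidden")
        return view

    def list_rows(self, identity, request):
        return self._authorized_view(identity, request).rows

    def ajax_lookup(self, identity, request, term):
        # Bug: fetches the view directly, so is_accessible() never runs here.
        return [r for r in self.views[identity].rows if term in r["note"]]


class FixedAdmin(VulnerableAdmin):
    def ajax_lookup(self, identity, request, term):
        # Fix: go through the same authorization helper as every other route.
        view = self._authorized_view(identity, request)
        return [r for r in view.rows if term in r["note"]]


def lookup_as_viewer(admin, identity="audit_log", term="sample"):
    # Rows a non-admin user gets from ajax_lookup, or "403" when refused.
    request = Request(user="alice", roles={"viewer"})
    try:
        return admin.ajax_lookup(identity, request, term)
    except PermissionError:
        return "403"
```

With VulnerableAdmin the viewer receives the restricted row through ajax_lookup while list_rows refuses, which is the asymmetry the advisory describes; FixedAdmin refuses on both routes.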

Compliance Impact

This vulnerability allows authenticated users to bypass access control restrictions and query data models that should be restricted. Such unauthorized data access could lead to exposure of sensitive personal or protected health information.

As a result, organizations using affected versions of SQLAdmin may face challenges in maintaining compliance with data protection regulations like GDPR and HIPAA, which require strict access controls to protect personal and health information.
