CVE-2026-46645: SQLAdmin: Authorization Bypass on `ajax_lookup`
The ajax_lookup endpoint in application.py bypasses the is_accessible() access control check that all other endpoints enforce.
If a developer restricts model access by overriding is_accessible(), an authenticated user can still query that model’s data through the ajax_lookup endpoint — silently bypassing the restriction.
Affected endpoint:
GET /{identity}/ajax/lookup?name=<field>&term=<query>
All other endpoints enforce both checks:
| Endpoint | @login_required | is_accessible() |
|---|---|---|
| list | ✓ | ✓ |
| create | ✓ | ✓ |
| edit | ✓ | ✓ |
| delete | ✓ | ✓ |
| details | ✓ | ✓ |
| export | ✓ | ✓ |
| ajax_lookup (before fix) | ✗ | ✗ |
| ajax_lookup (after fix) | ✓ | ✓ |
Note: before this fix, ajax_lookup also lacked the @login_required decorator — unauthenticated users could query it directly. That was addressed in #1035. This report covers the remaining gap: authenticated but unauthorized users.
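The gap in miniature, as an added example rather than sqladmin's own code: a stripped-down ModelView with a developer-restricted is_accessible(), the ajax_lookup handler as it behaved before the fix beside the corrected form, and a small helper that reports whether a handler refuses an unauthorized request. The Request object, the in-memory rows and the exception classes are constructed here for illustration.

```python
# Added example, not sqladmin's own code: a model of the access checks the
# advisory describes. ModelView, is_accessible() and ajax_lookup mirror the
# advisory's names; Request, the rows and the exceptions are constructed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Request:
    user: Optional[str]      # None means unauthenticated
    role: str = "user"


class Unauthorized(Exception):
    """Stands in for the rejection produced by @login_required."""


class Forbidden(Exception):
    """Stands in for the 403 produced when is_accessible() is False."""


class ModelView:
    identity = "user"
    # Constructed rows standing in for the SQL model behind the view.
    rows = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

    def is_accessible(self, request: Request) -> bool:
        # Developer restriction: only admins may read this model.
        return request.role == "admin"

    def lookup(self, term: str) -> List[str]:
        return [email for name, email in self.rows if term in name]


def ajax_lookup_before_fix(view: ModelView, request: Request, term: str):
    # Pre-fix behaviour: neither check runs, so any caller reaches the rows.
    return view.lookup(term)


def ajax_lookup_after_fix(view: ModelView, request: Request, term: str):
    if request.user is None:             # @login_required (added in #1035)
        raise Unauthorized()
    if not view.is_accessible(request):  # the check this advisory adds
        raise Forbidden()
    return view.lookup(term)


def is_enforced(handler, view: ModelView, request: Request) -> bool:
    """True if the handler refuses the request instead of returning rows."""
    try:
        handler(view, request, "ali")
    except (Unauthorized, Forbidden):
        return True
    return False
```

Running is_enforced() against a non-admin, authenticated request shows the pre-fix handler leaking rows while the corrected handler raises Forbidden.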
References
- github.com/advisories/GHSA-54mc-gghv-4cfj
- github.com/smithyhq/sqladmin/commit/b0d3a19fb9b074a9ed243de46930108375dfbb98
- github.com/smithyhq/sqladmin/pull/1035
- github.com/smithyhq/sqladmin/releases/tag/0.25.1
- github.com/smithyhq/sqladmin/security/advisories/GHSA-54mc-gghv-4cfj
- nvd.nist.gov/vuln/detail/CVE-2026-46645