CVE-2026-46645
SQLAdmin: Authorization Bypass on `ajax_lookup`
Description
### Impact

The `ajax_lookup` endpoint in `application.py` bypasses the `is_accessible()` access control check that all other endpoints enforce. If a developer restricts model access by overriding `is_accessible()`, an authenticated user can still query that model's data through the `ajax_lookup` endpoint, silently bypassing the restriction.

**Affected endpoint:** `GET /{identity}/ajax/lookup?name=<field>&term=<query>`

**All other endpoints enforce both checks:**

| Endpoint | `@login_required` | `is_accessible()` |
|---|---|---|
| `list` | ✓ | ✓ |
| `create` | ✓ | ✓ |
| `edit` | ✓ | ✓ |
| `delete` | ✓ | ✓ |
| `details` | ✓ | ✓ |
| `export` | ✓ | ✓ |
| `ajax_lookup` (before fix) | ✗ | ✗ |
| `ajax_lookup` (after fix) | ✓ | ✓ |

Note: before this fix, `ajax_lookup` also lacked the `@login_required` decorator, so unauthenticated users could query it directly. That was addressed in #1035. This report covers the remaining gap: authenticated but unauthorized users.

### Patches

Two changes were made to `ajax_lookup`:

1. Replaced the hand-rolled authentication check added in #1035 with the standard `@login_required` decorator used by all other endpoints.
2. Added the missing `is_accessible(request)` check, raising `HTTP 403` when it returns `False`.

### Workarounds

None. Developers relying on `is_accessible()` to restrict model visibility are exposed regardless of what other access controls are in place.
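The following is an added, self-contained illustration of the gap the advisory describes and of the fixed shape; it is not SQLAdmin's own code. The `Request`, `Response`, `login_required` decorator and `ModelView` class are constructed stand-ins so the snippet runs without SQLAdmin or Starlette installed; the `?name=`/`?term=` parameters mirror the endpoint shape given above. `ajax_lookup_before_fix` models the state after #1035 (a hand-rolled login check, no `is_accessible()` call), and `ajax_lookup_after_fix` models the patched endpoint (standard decorator plus the `is_accessible()` check returning 403).

```python
from dataclasses import dataclass, field
from functools import wraps
from typing import Any, Callable, Dict, List, Optional, Set


# Constructed stand-ins for the framework's request/response objects so the
# example runs offline. `user` is None when the request is unauthenticated.
@dataclass
class Request:
    user: Optional[str] = None
    query_params: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status_code: int
    body: Any = None


def login_required(handler: Callable) -> Callable:
    """Hypothetical stand-in for the decorator the advisory names: rejects
    unauthenticated requests with 401 before the handler runs."""
    @wraps(handler)
    def wrapper(view: "ModelView", request: Request) -> Response:
        if request.user is None:
            return Response(401, "login required")
        return handler(view, request)
    return wrapper


@dataclass
class ModelView:
    identity: str
    rows: List[Dict[str, str]]
    allowed_users: Set[str]

    def is_accessible(self, request: Request) -> bool:
        # Developer-supplied per-model restriction, as described in the advisory.
        return request.user in self.allowed_users

    def _lookup(self, request: Request) -> List[Dict[str, str]]:
        # Case-insensitive substring match on one field of the model's rows.
        name = request.query_params.get("name", "")
        term = request.query_params.get("term", "").lower()
        return [r for r in self.rows if term in str(r.get(name, "")).lower()]

    @login_required
    def list_view(self, request: Request) -> Response:
        # The pattern every other endpoint follows: login, then is_accessible().
        if not self.is_accessible(request):
            return Response(403, "forbidden")
        return Response(200, self.rows)

    def ajax_lookup_before_fix(self, request: Request) -> Response:
        # State between #1035 and this fix: a hand-rolled login check but no
        # is_accessible() check, so any authenticated user can search the model.
        if request.user is None:
            return Response(401, "login required")
        return Response(200, self._lookup(request))

    @login_required
    def ajax_lookup_after_fix(self, request: Request) -> Response:
        # Fixed shape: the standard decorator plus the missing authorization check.
        if not self.is_accessible(request):
            return Response(403, "forbidden")
        return Response(200, self._lookup(request))


def demo() -> Dict[str, int]:
    """Exercise both variants with a user who is logged in but not permitted to
    see the model. Returns the status code (or leaked row count) per case."""
    view = ModelView(
        identity="user",
        # Constructed sample rows; not real data.
        rows=[{"email": "alice@example.test"}, {"email": "bob@example.test"}],
        allowed_users={"admin"},
    )
    params = {"name": "email", "term": "alice"}
    outsider = Request(user="intern", query_params=params)
    anonymous = Request(user=None, query_params=params)
    admin = Request(user="admin", query_params=params)
    before = view.ajax_lookup_before_fix(outsider)
    return {
        "list_outsider": view.list_view(outsider).status_code,
        "lookup_before_fix_outsider": before.status_code,
        "lookup_before_fix_leaked_rows": len(before.body),
        "lookup_after_fix_outsider": view.ajax_lookup_after_fix(outsider).status_code,
        "lookup_after_fix_anonymous": view.ajax_lookup_after_fix(anonymous).status_code,
        "lookup_after_fix_admin": view.ajax_lookup_after_fix(admin).status_code,
    }


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case}: {value}")
```

The point the example makes is the one the table above makes: authentication and authorization are separate checks, and an endpoint that performs only the first one still discloses model data to any logged-in user. A regression test for this class of bug is exactly the `demo()` shape: call every endpoint of a view with an authenticated principal for whom `is_accessible()` returns `False` and assert that each one answers 403.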
How to fix CVE-2026-46645
To remediate CVE-2026-46645, upgrade the affected package to a fixed version below.
- Upgrade to 0.25.1 or later
Is CVE-2026-46645 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-46645.
Affected packages (1)
- from 0, < 0.25.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (4.3) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |