{"id":"GHSA-54mc-gghv-4cfj","summary":"SQLAdmin: Authorization Bypass on `ajax_lookup`","details":"### Impact\n\nThe `ajax_lookup` endpoint in `application.py` bypasses the `is_accessible()` access control check that all other endpoints enforce.\n\nIf a developer restricts model access by overriding `is_accessible()`, an authenticated user can still query that model's data through the `ajax_lookup` endpoint — silently bypassing the restriction.\n\n**Affected endpoint:**\n\n`GET /{identity}/ajax/lookup?name=\u003cfield\u003e&term=\u003cquery\u003e`\n\n**All other endpoints enforce both checks:**\n\n| Endpoint | `@login_required` | `is_accessible()` |\n|---|---|---|\n| `list` | ✓ | ✓ |\n| `create` | ✓ | ✓ |\n| `edit` | ✓ | ✓ |\n| `delete` | ✓ | ✓ |\n| `details` | ✓ | ✓ |\n| `export` | ✓ | ✓ |\n| `ajax_lookup` (before fix) | ✗ | ✗ |\n| `ajax_lookup` (after fix) | ✓ | ✓ |\n\nNote: before this fix, `ajax_lookup` also lacked the `@login_required` decorator — unauthenticated users could query it directly. That was addressed in #1035. This report covers the remaining gap: authenticated but unauthorized users.\n\n### Patches\n\nTwo changes were made to `ajax_lookup`:\n\n1. Replaced the hand-rolled authentication check added in #1035 with the standard `@login_required` decorator used by all other endpoints.\n2. Added the missing `is_accessible(request)` check, raising `HTTP 403` when it returns `False`.\n\n### Workarounds\n\nNone. Developers relying on `is_accessible()` to restrict model visibility are exposed regardless of what other access controls are in place.","aliases":["CVE-2026-46645"],"modified":"2026-05-21T21:45:17.780992642Z","published":"2026-05-21T21:31:40Z","database_specific":{"severity":"MODERATE","github_reviewed_at":"2026-05-21T21:31:40Z","cwe_ids":["CWE-862"],"nvd_published_at":null,"github_reviewed":true},"references":[{"type":"WEB","url":"https://github.com/smithyhq/sqladmin/security/advisories/GHSA-54mc-gghv-4cfj"},{"type":"WEB","url":"https://github.com/smithyhq/sqladmin/pull/1035"},{"type":"PACKAGE","url":"https://github.com/smithyhq/sqladmin"}],"affected":[{"package":{"name":"sqladmin","ecosystem":"PyPI","purl":"pkg:pypi/sqladmin"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.25.1"}]}],"versions":["0.0.0","0.1.0","0.1.1","0.1.10","0.1.11","0.1.12","0.1.2","0.1.3","0.1.4","0.1.5","0.1.6","0.1.7","0.1.8","0.1.9","0.10.0","0.10.1","0.10.2","0.10.3","0.11.0","0.12.0","0.13.0","0.14.0","0.14.1","0.15.0","0.15.1","0.15.2","0.16.0","0.16.1","0.17.0","0.18.0","0.19.0","0.2.0","0.2.1","0.20.0","0.20.1","0.21.0","0.22.0","0.23.0","0.24.0","0.25.0","0.3.0","0.4.0","0.5.0","0.6.0","0.6.1","0.7.0","0.8.0","0.9.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-54mc-gghv-4cfj/GHSA-54mc-gghv-4cfj.json","last_known_affected_version_range":"\u003c= 0.25.0"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}]}