Medium severity (4.3) · GHSA Advisory · Published May 21, 2026 · Updated May 21, 2026

SQLAdmin: Authorization Bypass on `ajax_lookup`

CVE-2026-46645

Description

Impact

The ajax_lookup endpoint in application.py bypasses the is_accessible() access control check that all other endpoints enforce.

If a developer restricts model access by overriding is_accessible(), an authenticated user can still query that model's data through the ajax_lookup endpoint — silently bypassing the restriction.

Affected endpoint:

GET /{identity}/ajax/lookup?name=&term=

All other endpoints enforce both checks:

| Endpoint | @login_required | is_accessible() |
|---|---|---|
| list | ✓ | ✓ |
| create | ✓ | ✓ |
| edit | ✓ | ✓ |
| delete | ✓ | ✓ |
| details | ✓ | ✓ |
| export | ✓ | ✓ |
| ajax_lookup (before fix) | ✗ | ✗ |
| ajax_lookup (after fix) | ✓ | ✓ |

Note: before this fix, ajax_lookup also lacked the @login_required decorator — unauthenticated users could query it directly. That was addressed in #1035. This report covers the remaining gap: authenticated but unauthorized users.

Patches

Two changes were made to ajax_lookup:

  1. Replaced the hand-rolled authentication check added in #1035 with the standard @login_required decorator used by all other endpoints.
  2. Added the missing is_accessible(request) check, raising HTTP 403 when it returns False.
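The gap and the fix, as an added stand-alone illustration (not sqladmin's own code): `Request`, `ModelView`, `login_required` and the two handlers are minimal assumed stand-ins, and the rows are constructed sample data. The vulnerable handler checks only for a session; the fixed handler also consults `is_accessible()` and answers 403 on denial.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


class HTTPError(Exception):
    def __init__(self, status: int):
        super().__init__(status)
        self.status = status


@dataclass
class Request:
    user: Optional[str] = None            # None: no authenticated session
    query: dict = field(default_factory=dict)


class ModelView:
    """Stand-in admin view (assumption); rows are constructed sample data."""
    rows = {1: "alice@example.com", 2: "bob@example.com"}

    def is_accessible(self, request: Request) -> bool:
        # Developer restriction under test: only "admin" may see this model.
        return request.user == "admin"

    def lookup(self, term: str) -> list:
        return [v for v in self.rows.values() if term in v]


def login_required(handler: Callable) -> Callable:
    """Stand-in for the decorator: rejects requests with no session."""
    def wrapper(view: ModelView, request: Request):
        if request.user is None:
            raise HTTPError(401)
        return handler(view, request)
    return wrapper


@login_required
def ajax_lookup_vulnerable(view: ModelView, request: Request) -> list:
    # Authenticated, but is_accessible() is never consulted: the reported gap.
    return view.lookup(request.query.get("term", ""))


@login_required
def ajax_lookup_fixed(view: ModelView, request: Request) -> list:
    # Mirrors the fix: enforce the per-model check and return 403 on denial.
    if not view.is_accessible(request):
        raise HTTPError(403)
    return view.lookup(request.query.get("term", ""))


def status_of(handler: Callable, view: ModelView, request: Request) -> int:
    """HTTP status the handler would produce (200 on success)."""
    try:
        handler(view, request)
        return 200
    except HTTPError as e:
        return e.status
```

Running `status_of` with a non-admin session against both handlers shows the difference: 200 (data returned) for the vulnerable handler, 403 for the fixed one.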

Workarounds

None. Developers relying on is_accessible() to restrict model visibility are exposed regardless of what other access controls are in place.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The ajax_lookup endpoint in sqladmin bypasses the is_accessible() access control, allowing authenticated but unauthorized users to query restricted model data.

Vulnerability

The ajax_lookup endpoint in sqladmin's application.py lacked both the @login_required decorator and the is_accessible() check that all other administrative endpoints enforce. This allowed both unauthenticated users and authenticated but unauthorized users to query any model's data via GET /{identity}/ajax/lookup?name=&term= [1][2].

Exploitation

An attacker with any authenticated session could craft a request to the ajax_lookup endpoint with a term parameter to retrieve data from models that the developer had restricted by overriding is_accessible(). No special privileges beyond authentication were required [1]. Prior to this fix, the endpoint also lacked authentication entirely, but that was partially addressed in pull request #1035 [3].

Impact

Developers relying on is_accessible() to restrict model visibility are exposed. An authenticated user can silently bypass the intended access control and query sensitive model data, potentially leading to unauthorized information disclosure [1][2].

Mitigation

The fix applies the standard @login_required decorator and adds an explicit is_accessible(request) check, returning HTTP 403 when access is denied [1]. No workarounds exist; developers must update to the patched version to close the gap [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
