Sqladmin
by Smithyhq
Source repositories
CVEs (1)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-46645 | 0.00 | — | — | May 21, 2026 | ### Impact The `ajax_lookup` endpoint in `application.py` bypasses the `is_accessible()` access control check that all other endpoints enforce. If a developer restricts model access by overriding `is_accessible()`, an authenticated user can still query that model's data through the `ajax_lookup` endpoint — silently bypassing the restriction. **Affected endpoint:** `GET /{identity}/ajax/lookup?name=&term=` **All other endpoints enforce both checks:** | Endpoint | `@login_required` | `is_accessible()` | |---|---|---| | `list` | ✓ | ✓ | | `create` | ✓ | ✓ | | `edit` | ✓ | ✓ | | `delete` | ✓ | ✓ | | `details` | ✓ | ✓ | | `export` | ✓ | ✓ | | `ajax_lookup` (before fix) | ✗ | ✗ | | `ajax_lookup` (after fix) | ✓ | ✓ | Note: before this fix, `ajax_lookup` also lacked the `@login_required` decorator — unauthenticated users could query it directly. That was addressed in #1035. This report covers the remaining gap: authenticated but unauthorized users. ### Patches Two changes were made to `ajax_lookup`: 1. Replaced the hand-rolled authentication check added in #1035 with the standard `@login_required` decorator used by all other endpoints. 2. Added the missing `is_accessible(request)` check, raising `HTTP 403` when it returns `False`. ### Workarounds None. Developers relying on `is_accessible()` to restrict model visibility are exposed regardless of what other access controls are in place. |
- CVE-2026-46645May 21, 2026risk 0.00cvss —epss —
### Impact The `ajax_lookup` endpoint in `application.py` bypasses the `is_accessible()` access control check that all other endpoints enforce. If a developer restricts model access by overriding `is_accessible()`, an authenticated user can still query that model's data through the `ajax_lookup` endpoint — silently bypassing the restriction. **Affected endpoint:** `GET /{identity}/ajax/lookup?name=&term=` **All other endpoints enforce both checks:** | Endpoint | `@login_required` | `is_accessible()` | |---|---|---| | `list` | ✓ | ✓ | | `create` | ✓ | ✓ | | `edit` | ✓ | ✓ | | `delete` | ✓ | ✓ | | `details` | ✓ | ✓ | | `export` | ✓ | ✓ | | `ajax_lookup` (before fix) | ✗ | ✗ | | `ajax_lookup` (after fix) | ✓ | ✓ | Note: before this fix, `ajax_lookup` also lacked the `@login_required` decorator — unauthenticated users could query it directly. That was addressed in #1035. This report covers the remaining gap: authenticated but unauthorized users. ### Patches Two changes were made to `ajax_lookup`: 1. Replaced the hand-rolled authentication check added in #1035 with the standard `@login_required` decorator used by all other endpoints. 2. Added the missing `is_accessible(request)` check, raising `HTTP 403` when it returns `False`. ### Workarounds None. Developers relying on `is_accessible()` to restrict model visibility are exposed regardless of what other access controls are in place.