CVE Catalog

CVE-2026-46645

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.03%

8th percentile — higher than 8% of all known CVEs

Summary

SQLAdmin is a flexible Admin interface for SQLAlchemy models. Prior to version 0.25.1, the ajax_lookup endpoint in application.py bypasses the is_accessible() access control check, allowing authenticated users to access model data despite restrictions set by developers.

Risk Assessment

The organization may be exposed to unauthorized access to model data, potentially leading to information leaks or privacy violations.

Recommendation

It is recommended to upgrade to version 0.25.1 or later to mitigate this security vulnerability.

Original NVD description (English source)

SQLAdmin is a flexible Admin interface for SQLAlchemy models. Prior to version 0.25.1, the ajax_lookup endpoint in application.py bypasses the is_accessible() access control check that all other endpoints enforce. If a developer restricts model access by overriding is_accessible(), an authenticated user can still query that model's data through the ajax_lookup endpoint — silently bypassing the restriction. This issue has been patched in version 0.25.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS