CVE-2026-46645
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
SQLAdmin is a flexible Admin interface for SQLAlchemy models. Prior to version 0.25.1, the ajax_lookup endpoint in application.py bypasses the is_accessible() access control check, allowing authenticated users to access model data despite restrictions set by developers.
Risk Assessment
The organization may be exposed to unauthorized access to model data, potentially leading to information leaks or privacy violations.
Recommendation
It is recommended to upgrade to version 0.25.1 or later to mitigate this security vulnerability.
Original NVD description (English source)
SQLAdmin is a flexible Admin interface for SQLAlchemy models. Prior to version 0.25.1, the ajax_lookup endpoint in application.py bypasses the is_accessible() access control check that all other endpoints enforce. If a developer restricts model access by overriding is_accessible(), an authenticated user can still query that model's data through the ajax_lookup endpoint — silently bypassing the restriction. This issue has been patched in version 0.25.1.

