CVE-2026-46645: CWE-862: Missing Authorization in smithyhq sqladmin
SQLAdmin is a flexible Admin interface for SQLAlchemy models. Prior to version 0.25.1, the ajax_lookup endpoint in application.py bypasses the is_accessible() access control check that all other endpoints enforce. If a developer restricts model access by overriding is_accessible(), an authenticated user can still query that model's data through the ajax_lookup endpoint — silently bypassing the restriction. This issue has been patched in version 0.25.1.
AI Analysis
Technical Summary
The vulnerability in smithyhq sqladmin affects versions before 0.25.1. The ajax_lookup endpoint in application.py does not enforce the is_accessible() access control check, which is used by other endpoints to restrict model access. As a result, authenticated users can silently bypass these restrictions and query data they should not have access to. The issue is classified as CWE-862 (Missing Authorization). It has been patched in version 0.25.1.
Potential Impact
An authenticated user can bypass intended access controls on SQLAlchemy models by querying data through the ajax_lookup endpoint, potentially exposing sensitive information. The impact is limited to confidentiality (partial data disclosure) without affecting integrity or availability.
Mitigation Recommendations
Upgrade smithyhq sqladmin to version 0.25.1 or later, where the ajax_lookup endpoint enforces the is_accessible() access control check. Patch status is confirmed by the vendor advisory indicating the issue is fixed in 0.25.1.
CVE-2026-46645: CWE-862: Missing Authorization in smithyhq sqladmin
Description
SQLAdmin is a flexible Admin interface for SQLAlchemy models. Prior to version 0.25.1, the ajax_lookup endpoint in application.py bypasses the is_accessible() access control check that all other endpoints enforce. If a developer restricts model access by overriding is_accessible(), an authenticated user can still query that model's data through the ajax_lookup endpoint — silently bypassing the restriction. This issue has been patched in version 0.25.1.
CVSS v3.1
Score 4.3medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in smithyhq sqladmin affects versions before 0.25.1. The ajax_lookup endpoint in application.py does not enforce the is_accessible() access control check, which is used by other endpoints to restrict model access. As a result, authenticated users can silently bypass these restrictions and query data they should not have access to. The issue is classified as CWE-862 (Missing Authorization). It has been patched in version 0.25.1.
Potential Impact
An authenticated user can bypass intended access controls on SQLAlchemy models by querying data through the ajax_lookup endpoint, potentially exposing sensitive information. The impact is limited to confidentiality (partial data disclosure) without affecting integrity or availability.
Mitigation Recommendations
Upgrade smithyhq sqladmin to version 0.25.1 or later, where the ajax_lookup endpoint enforces the is_accessible() access control check. Patch status is confirmed by the vendor advisory indicating the issue is fixed in 0.25.1.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-15T20:11:54.584Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Gcve Source
- db.gcve.eu
Threat ID: 6a2a11483187570649da2057
Added to database: 6/11/2026, 1:37:12 AM
Last enriched: 6/11/2026, 1:45:22 AM
Last updated: 6/11/2026, 9:15:22 AM
Views: 16
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.