ByteOS Network

NVD Vulnerability Details :

CVE-2026-46645

Received

Source-security-advisories@github.com

Published At-10 Jun, 2026 | 23:16

Updated At-10 Jun, 2026 | 23:16

SQLAdmin is a flexible Admin interface for SQLAlchemy models. Prior to version 0.25.1, the ajax_lookup endpoint in application.py bypasses the is_accessible() access control check that all other endpoints enforce. If a developer restricts model access by overriding is_accessible(), an authenticated user can still query that model's data through the ajax_lookup endpoint — silently bypassing the restriction. This issue has been patched in version 0.25.1.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	4.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Type: Secondary

Version: 3.1

Base score: 4.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Weaknesses

CWE ID	Type	Source
CWE-862	Primary	security-advisories@github.com

CWE ID: CWE-862

Type: Primary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/smithyhq/sqladmin/commit/b0d3a19fb9b074a9ed243de46930108375dfbb98	security-advisories@github.com	N/A
https://github.com/smithyhq/sqladmin/pull/1035	security-advisories@github.com	N/A
https://github.com/smithyhq/sqladmin/releases/tag/0.25.1	security-advisories@github.com	N/A
https://github.com/smithyhq/sqladmin/security/advisories/GHSA-54mc-gghv-4cfj	security-advisories@github.com	N/A