SQLAdmin is a flexible Admin interface for SQLAlchemy models. Prior to version 0.25.1, the ajaxlookup endpoint in application.py bypasses the isaccessible() access control check that all other endpoints enforce. If a developer restricts model access by overriding isaccessible(), an authenticated user can still query that model's data through the ajaxlookup endpoint — silently bypassing the restriction. This issue has been patched in version 0.25.1.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46645.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-862"
]
}