Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-54mc-gghv-4cfj | SQLAdmin: Authorization Bypass on `ajax_lookup` |
Thu, 11 Jun 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Thu, 11 Jun 2026 10:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Smithyhq
Smithyhq sqladmin |
|
| Vendors & Products |
Smithyhq
Smithyhq sqladmin |
Wed, 10 Jun 2026 23:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | SQLAdmin is a flexible Admin interface for SQLAlchemy models. Prior to version 0.25.1, the ajax_lookup endpoint in application.py bypasses the is_accessible() access control check that all other endpoints enforce. If a developer restricts model access by overriding is_accessible(), an authenticated user can still query that model's data through the ajax_lookup endpoint — silently bypassing the restriction. This issue has been patched in version 0.25.1. | |
| Title | SQLAdmin: Authorization Bypass on `ajax_lookup` | |
| Weaknesses | CWE-862 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-11T16:14:04.832Z
Reserved: 2026-05-15T20:11:54.584Z
Link: CVE-2026-46645
Updated: 2026-06-11T14:49:10.749Z
Status : Deferred
Published: 2026-06-10T23:16:47.310
Modified: 2026-06-11T15:30:51.693
Link: CVE-2026-46645
No data.
OpenCVE Enrichment
Updated: 2026-06-11T10:40:28Z
Github GHSA