Exploit for CVE-2026-46645
CVE-2026-46645 - SQLAdmin ajaxlookup Authorization Bypass...
CVE-2026-46645
SQLAdmin is a flexible Admin interface for SQLAlchemy models. Prior to version 0.25.1, the `ajax_lookup` endpoint in application.py bypasses the `is_accessible` access control check that all other endpoints enforce. If a developer restricts model access by overriding `is_accessible`, an authenticated user...
EUVD-2026-36168
CVE-2026-46645 SQLAdmin: Authorization Bypass on `ajax_lookup`
CVE-2026-46645
SQLAdmin (for SQLAlchemy) contains an authorization bypass in the ajax_lookup endpoint prior to version 0.25.1, where is_accessible() is bypassed, allowing an authenticated user to query a model’s data despite access restrictions. The issue affects ajax_lookup specifically and was mitigated by pa...
arpakitlib (>=1.9.5 <=1.9.50), blog-coeur (>=0.0.14 <=0.0.19) +8 more potentially affected by CVE-2026-46645 via sqladmin (>=0.13.0 <=0.24.0)
sqladmin PYPI version =0.13.0, =1.9.5, =0.0.14, =0.0.1, =0.0.22, =0.0.1a1, =0.0.1, =0.1.0, =0.1.2, =0.0.21, =0.0.23 Source cves: CVE-2026-46645 Source advisory: OSV:GHSA-54MC-GGHV-4CFJ...
GHSA-54MC-GGHV-4CFJ SQLAdmin: Authorization Bypass on `ajax_lookup`
Impact: The `ajax_lookup` endpoint in application.py bypasses the `is_accessible` access control check that all other endpoints enforce. If a developer restricts model access by overriding `is_accessible`, an authenticated user can still query that model's data through the `ajax_lookup` endpoint — silently...
Missing Authorization
Overview: sqladmin is a SQLAlchemy admin for FastAPI and Starlette. Affected versions of this package are vulnerable to Missing Authorization in the `ajax_lookup` endpoint due to missing enforcement of access control checks. An attacker can access restricted model data by sending requests to the...