CVE-2026-46645

SQLAdmin (for SQLAlchemy) contains an authorization bypass in the ajax_lookup endpoint prior to version 0.25.1, where is_accessible() is bypassed, allowing an authenticated user to query a model’s data despite access restrictions. The issue affects ajax_lookup specifically and was mitigated by pa...