GHSA-54mc-gghv-4cfj
SQLAdmin: Authorization Bypass on `ajax_lookup`
Details
### Impact
The `ajax_lookup` endpoint in `application.py` bypasses the `is_accessible()` access control check that all other endpoints enforce.
If a developer restricts model access by overriding `is_accessible()`, an authenticated user can still query that model's data through the `ajax_lookup` endpoint — silently bypassing the restriction.
**Affected endpoint:**
`GET /{identity}/ajax/lookup?name=<field>&term=<query>`
**All other endpoints enforce both checks:**
| Endpoint | `@login_required` | `is_accessible()` | |---|---|---| | `list` | ✓ | ✓ | | `create` | ✓ | ✓ | | `edit` | ✓ | ✓ | | `delete` | ✓ | ✓ | | `details` | ✓ | ✓ | | `export` | ✓ | ✓ | | `ajax_lookup` (before fix) | ✗ | ✗ | | `ajax_lookup` (after fix) | ✓ | ✓ |
Note: before this fix, `ajax_lookup` also lacked the `@login_required` decorator — unauthenticated users could query it directly. That was addressed in #1035. This report covers the remaining gap: authenticated but unauthorized users.
### Patches
Two changes were made to `ajax_lookup`:
1. Replaced the hand-rolled authentication check added in #1035 with the standard `@login_required` decorator used by all other endpoints. 2. Added the missing `is_accessible(request)` check, raising `HTTP 403` when it returns `False`.
### Workarounds
None. Developers relying on `is_accessible()` to restrict model visibility are exposed regardless of what other access controls are in place.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/smithyhq/sqladmin/security/advisories/GHSA-54mc-gghv-4cfj [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-46645 [ADVISORY]
- https://github.com/smithyhq/sqladmin/pull/1035 [WEB]
- https://github.com/smithyhq/sqladmin/commit/b0d3a19fb9b074a9ed243de46930108375dfbb98 [WEB]
- https://github.com/smithyhq/sqladmin [PACKAGE]
- https://github.com/smithyhq/sqladmin/releases/tag/0.25.1 [WEB]