PatchSiren cyber security CVE debrief
CVE-2026-46645 smithyhq CVE debrief
CVE-2026-46645 is a MEDIUM severity vulnerability in SQLAdmin versions prior to 0.25.1. The ajax_lookup endpoint bypassed access control checks, allowing data access despite model restrictions. Patched in version 0.25.1.
- Vendor: smithyhq
- Product: sqladmin
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-11
Who should care
Developers using SQLAdmin, especially those who have restricted model access via is_accessible() overrides.
Technical summary
The ajax_lookup endpoint in SQLAdmin's application.py file did not enforce the is_accessible() access control check, unlike other endpoints. This allowed authenticated users to query data from models that were otherwise restricted.
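To make the failure mode concrete, the following is an added illustrative example, not SQLAdmin's own code: the `Request`, `ModelView`, `VIEWS` and the two lookup functions are constructed stand-ins that mirror the pattern described above, with a lookup handler that skips the `is_accessible()` gate beside one that enforces it like every other endpoint.

```python
# Constructed stand-in for an admin app; not SQLAdmin's implementation.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Request:
    # Minimal request: the caller's role and the query parameters it sent.
    user_role: str
    query: Dict[str, str] = field(default_factory=dict)


class ModelView:
    identity = "base"
    rows: List[Dict[str, str]] = []

    def is_accessible(self, request: Request) -> bool:
        # Default: any authenticated user may reach this view.
        return True

    def search(self, term: str) -> List[Dict[str, str]]:
        return [r for r in self.rows if term.lower() in r["name"].lower()]


class PublicProductView(ModelView):
    identity = "product"
    rows = [{"id": "1", "name": "Widget"}, {"id": "2", "name": "Gadget"}]


class RestrictedSalaryView(ModelView):
    identity = "salary"
    rows = [{"id": "7", "name": "Alice"}, {"id": "8", "name": "Bob"}]

    def is_accessible(self, request: Request) -> bool:
        # Operator's override: this model is for administrators only.
        return request.user_role == "admin"


VIEWS = {v.identity: v for v in (PublicProductView(), RestrictedSalaryView())}


def ajax_lookup_vulnerable(request: Request) -> Optional[List[Dict[str, str]]]:
    # Flawed pattern: the view is resolved and searched with no access check,
    # so a restricted model's rows leak to any authenticated caller.
    view = VIEWS.get(request.query.get("identity", ""))
    if view is None:
        return None
    return view.search(request.query.get("term", ""))


def ajax_lookup_hardened(request: Request) -> Optional[List[Dict[str, str]]]:
    # Hardened pattern: apply the same is_accessible() gate as every other endpoint.
    view = VIEWS.get(request.query.get("identity", ""))
    if view is None or not view.is_accessible(request):
        return None  # deny before touching the model; caller maps None to 403/404
    return view.search(request.query.get("term", ""))
```

A regression test for any admin framework is the same shape: call every data-returning route as a user whom `is_accessible()` rejects and assert that no rows come back.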
Defensive priority
Medium
Recommended defensive actions
- Upgrade to SQLAdmin version 0.25.1 or later.
- Review and adjust model access controls, especially if using is_accessible() overrides.
Evidence notes
CVE-2026-46645 was published on 2026-06-10T23:16:47.310Z and modified on 2026-06-11T15:30:51.693Z.