CVE-2026-46645

MEDIUM LAB

SQLAdmin: Authorization Bypass on `ajax_lookup`

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-46645. PoCs published by rootdirective-sec.

AI-analyzed exploit summary This repository contains a functional PoC for CVE-2026-46645, demonstrating an authorization bypass in SQLAdmin's ajax_lookup endpoint. It includes a Docker lab with vulnerable and patched versions, along with a Python script to reproduce the issue.

Description

SQLAdmin is a flexible Admin interface for SQLAlchemy models. Prior to version 0.25.1, the ajax_lookup endpoint in application.py bypasses the is_accessible() access control check that all other endpoints enforce. If a developer restricts model access by overriding is_accessible(), an authenticated user can still query that model's data through the ajax_lookup endpoint — silently bypassing the restriction. This issue has been patched in version 0.25.1.

Exploits (1)

github WORKING POC

by rootdirective-sec · pythonpoc

https://github.com/rootdirective-sec/CVE-2026-46645-Analysis-Lab

View Code ZIP pw:eip

This repository contains a functional PoC for CVE-2026-46645, demonstrating an authorization bypass in SQLAdmin's ajax_lookup endpoint. It includes a Docker lab with vulnerable and patched versions, along with a Python script to reproduce the issue.

Classification

Working Poc 100%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: SQLAdmin 0.25.0

Auth required

Prerequisites: authenticated low-privileged user · restricted SQLAdmin ModelView

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts

devstral-2 · analyzed Jun 12, 2026 Full analysis →

References (4)

Core 4

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/smithyhq/sqladmin/security/advisories/GHSA-54mc-gghv-4cfj

X_Refsource_Misc x_refsource_misc

https://github.com/smithyhq/sqladmin/pull/1035

X_Refsource_Misc x_refsource_misc

https://github.com/smithyhq/sqladmin/commit/b0d3a19fb9b074a9ed243de46930108375dfbb98

View Writeup ZIP pw:eip

X_Refsource_Misc x_refsource_misc

https://github.com/smithyhq/sqladmin/releases/tag/0.25.1

Scores

CVSS v3 4.3

EPSS 0.0021

EPSS Percentile 11.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Lab Environment

COMMUNITY

Community Lab

docker pull cve-2026-46645-sqladmin-vuln:0.25.0

docker pull cve-2026-46645-sqladmin-patched:0.25.1

https://github.com/smithyhq/sqladmin

https://github.com/rootdirective-sec/CVE-2026-46645-Analysis-Lab

View in Library

Details

CWE

CWE-862

Status published

Products (2)

pypi/sqladmin 0 - 0.25.1PyPI

smithyhq/sqladmin < 0.25.1

Published Jun 10, 2026

Tracked Since Jun 11, 2026