PT-2026-42694 · Pypi · Sqladmin

Published: 2026-05-21 · Updated: 2026-05-21 · CVE-2026-46645
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Impact

The ajax_lookup endpoint in application.py bypasses the is_accessible() access-control check that every other endpoint enforces.
If a developer restricts model access by overriding is_accessible(), an authenticated user can still query that model's data through the ajax_lookup endpoint, silently bypassing the restriction.
Affected endpoint:
GET /{identity}/ajax/lookup?name=<field>&term=<query>
All other endpoints enforce both checks:
Endpoint                   @login_required                       is_accessible()
list                       yes                                   yes
create                     yes                                   yes
edit                       yes                                   yes
delete                     yes                                   yes
details                    yes                                   yes
export                     yes                                   yes
ajax_lookup (before fix)   no (hand-rolled check from #1035)     no
ajax_lookup (after fix)    yes                                   yes
Note: before this fix, ajax_lookup also lacked the @login_required decorator, so unauthenticated users could query it directly. That was addressed in #1035. This report covers the remaining gap: authenticated but unauthorized users.

Patches

Two changes were made to ajax_lookup:
  1. Replaced the hand-rolled authentication check added in #1035 with the standard @login_required decorator used by all other endpoints.
  2. Added the missing is_accessible(request) check, raising HTTP 403 when it returns False.
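As an added illustration (not sqladmin's own code), the following stand-in models the two layers the advisory describes, a login_required decorator and a per-view is_accessible() override, and audits each endpoint for the missing authorization check; the view, its rows and the user names are constructed.

```python
from collections import namedtuple
from functools import wraps
Request = namedtuple("Request", "user query")   # user=None models an anonymous request

class HTTPException(Exception):
    pass                                          # raised with the status code as args[0]

def login_required(func):                         # authentication layer: anonymous -> 401
    @wraps(func)
    def wrapper(view, request):
        if request.user is None:
            raise HTTPException(401)
        return func(view, request)
    return wrapper

class UserView:
    # Constructed rows plus a developer override of is_accessible() that hides
    # this model from user "bob", the scenario the advisory describes.
    rows = ["alice", "bob", "carol"]

    def is_accessible(self, request):
        return request.user != "bob"

    @login_required
    def list(self, request):                      # reference endpoint: both layers enforced
        if not self.is_accessible(request):
            raise HTTPException(403)
        return self.rows[:]

    @login_required
    def ajax_lookup_before(self, request):        # vulnerable shape: is_accessible() skipped
        return [r for r in self.rows if request.query.get("term", "") in r]

    @login_required
    def ajax_lookup_after(self, request):         # shape described in the Patches section
        if not self.is_accessible(request):
            raise HTTPException(403)
        return [r for r in self.rows if request.query.get("term", "") in r]

def status_of(handler, request):                  # HTTP status the handler would produce
    try:
        handler(request)
        return 200
    except HTTPException as exc:
        return exc.args[0]

def audit(view):  # per endpoint: (anonymous status, restricted-user status); 200 in slot 2 = bypass
    anon, restricted = Request(None, {}), Request("bob", {"term": "a"})
    return {name: (status_of(getattr(view, name), anon),
                   status_of(getattr(view, name), restricted))
            for name in ("list", "ajax_lookup_before", "ajax_lookup_after")}
```

Running audit() against a real deployment's view classes in a test suite turns the table above into a regression check: any endpoint whose second slot is 200 for a user that is_accessible() rejects has reintroduced the gap.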

Workarounds

None. Developers relying on is_accessible() to restrict model visibility are exposed regardless of what other access controls are in place.

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-46645
GHSA-54MC-GGHV-4CFJ

Affected Products

Sqladmin