CVE-2026-46645
MEDIUM4.3SQLAdmin: Authorization Bypass on `ajax_lookup`
描述
### Impact The `ajax_lookup` endpoint in `application.py` bypasses the `is_accessible()` access control check that all other endpoints enforce. If a developer restricts model access by overriding `is_accessible()`, an authenticated user can still query that model's data through the `ajax_lookup` endpoint — silently bypassing the restriction. **Affected endpoint:** `GET /{identity}/ajax/lookup?name=<field>&term=<query>` **All other endpoints enforce both checks:** | Endpoint | `@login_required` | `is_accessible()` | |---|---|---| | `list` | ✓ | ✓ | | `create` | ✓ | ✓ | | `edit` | ✓ | ✓ | | `delete` | ✓ | ✓ | | `details` | ✓ | ✓ | | `export` | ✓ | ✓ | | `ajax_lookup` (before fix) | ✗ | ✗ | | `ajax_lookup` (after fix) | ✓ | ✓ | Note: before this fix, `ajax_lookup` also lacked the `@login_required` decorator — unauthenticated users could query it directly. That was addressed in #1035. This report covers the remaining gap: authenticated but unauthorized users. ### Patches Two changes were made to `ajax_lookup`: 1. Replaced the hand-rolled authentication check added in #1035 with the standard `@login_required` decorator used by all other endpoints. 2. Added the missing `is_accessible(request)` check, raising `HTTP 403` when it returns `False`. ### Workarounds None. Developers relying on `is_accessible()` to restrict model visibility are exposed regardless of what other access controls are in place.
受影響套件(1)
- PyPI/sqladminfrom 0, < 0.25.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |