chore(deps): update dependency sqladmin to v0.25.1 [security]#850

Open
renovate[bot] wants to merge 1 commit into main from renovate/pypi-sqladmin-vulnerability

Conversation

@renovate renovate Bot commented May 22, 2026

This PR contains the following updates:

Package: sqladmin
Change: 0.25.0 -> 0.25.1

SQLAdmin: Authorization Bypass on ajax_lookup

CVE-2026-46645 / GHSA-54mc-gghv-4cfj

Impact

The ajax_lookup endpoint in application.py bypasses the is_accessible() access control check that all other endpoints enforce.

If a developer restricts model access by overriding is_accessible(), an authenticated user can still query that model's data through the ajax_lookup endpoint — silently bypassing the restriction.

Affected endpoint:

GET /{identity}/ajax/lookup?name=<field>&term=<query>

All other endpoints enforce both checks:

Endpoint @login_required is_accessible()
list
create
edit
delete
details
export
ajax_lookup (before fix)
ajax_lookup (after fix)

Note: before this fix, ajax_lookup also lacked the @login_required decorator — unauthenticated users could query it directly. That was addressed in #1035. This report covers the remaining gap: authenticated but unauthorized users.

Patches

Two changes were made to ajax_lookup:

  1. Replaced the hand-rolled authentication check added in #1035 with the standard @login_required decorator used by all other endpoints.
  2. Added the missing is_accessible(request) check, raising HTTP 403 when it returns False.

Workarounds

None. Developers relying on is_accessible() to restrict model visibility are exposed regardless of what other access controls are in place.

Severity

  • CVSS Score: 4.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

smithyhq/sqladmin (sqladmin)

v0.25.1


Fixed
  • fix: authenticate ajax lookup endpoint by @vahidzhe in #1035
  • fix: Authorization bypass on ajax_lookup

Configuration

📅 Schedule (UTC):
  • Branch creation: ""
  • Automerge: At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate.
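To make the advisory's point concrete, here is an added illustration (not sqladmin's own code): a plain-Python model of the two ajax_lookup variants, the pre-fix one that only authenticates and the patched one that also consults is_accessible(). Request, ModelView and login_required are simplified stand-ins for the real Starlette and sqladmin pieces, and the row data is constructed.

```python
# Added illustration, not sqladmin's own code: the gap the advisory describes,
# modelled in plain Python. Request, ModelView and login_required are
# simplified stand-ins for the real Starlette/sqladmin pieces.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    user: Optional[str]  # None means no session, i.e. unauthenticated
    term: str = ""       # the ?term= query parameter


class ModelView:
    """Stand-in for a ModelView whose rows only admins may see (constructed data)."""
    rows = ("alice", "bob", "carol")

    def is_accessible(self, request: Request) -> bool:
        return request.user == "admin"

    def lookup(self, term: str) -> list:
        return [r for r in self.rows if term in r]


def login_required(handler):
    """Mirror of the standard decorator: 401 when no user is attached."""
    def wrapper(view: ModelView, request: Request):
        if request.user is None:
            return 401, []
        return handler(view, request)
    return wrapper


@login_required
def ajax_lookup_vulnerable(view: ModelView, request: Request):
    # Authenticated, but is_accessible() is never consulted: any logged-in
    # user can read rows the developer meant to hide.
    return 200, view.lookup(request.term)


@login_required
def ajax_lookup_fixed(view: ModelView, request: Request):
    # Patch item 2: enforce is_accessible(request) like every other endpoint.
    if not view.is_accessible(request):
        return 403, []
    return 200, view.lookup(request.term)
```

Each handler returns an (HTTP status, rows) pair; a non-admin "viewer" gets 200 with data from the vulnerable variant and 403 from the fixed one.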

@renovate renovate Bot added the dependencies label May 22, 2026
@renovate renovate Bot requested a review from seapagan as a code owner May 22, 2026 01:34
@codacy-production

codacy-production Bot commented May 22, 2026

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues


🟢 Metrics 0 complexity · 0 duplication

Metric Results
Complexity 0
Duplication 0


🟢 Coverage ∅ diff coverage · +0.00% coverage variation

Metric Results
Coverage variation +0.00% coverage variation (-1.00%)
Diff coverage ∅ diff coverage

Coverage variation details
Coverable lines Covered lines Coverage
Common ancestor commit (41298bd) 2524 2524 100.00%
Head commit (59c3b71) 2524 (+0) 2524 (+0) 100.00% (+0.00%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details
Coverable lines Covered lines Diff coverage
Pull request (#850) 0 0 ∅ (not applicable)

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%
