CVE-2026-48772

Source
https://cve.org/CVERecord?id=CVE-2026-48772
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48772.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-48772
Aliases
  • GHSA-gw94-85m2-x8v2
Published
2026-06-19T19:28:46.248Z
Modified
2026-07-08T08:12:47.294425Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N CVSS Calculator
Summary
ProxySQL: PROXY-Protocol-v1 UNKNOWN parses spoofed source IP, bypassing mysql_query_rules.client_addr ACL
Details

ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 2.0.0 through 3.0.8, the ProxySQL MySQL frontend accepts the PROXY UNKNOWN <addr> <addr> <port> <port>\r\n PP1 frame as a well-formed PROXY protocol header. The HAProxy PROXY protocol v1 specification says that when the protocol token is UNKNOWN, the receiver MUST ignore any address fields that follow it, because the proxy has declared it cannot determine the client identity. ProxySQL parses those address fields anyway via sscanf and writes the spoofed source address into the session's addr.addr field. From there it flows directly into the query-rule matcher, where the client_addr predicate decides routing and ACL. When mysql-proxy_protocol_networks = '*' (the default), any TCP peer can send a PP1 frame and choose any source IP claim. With that, any mysql_query_rules row pinned to a client_addr value is forgeable: the attacker writes the address they want to match into the PP1 line, and ProxySQL routes their query as if it came from that address. In practice this is a routing and ACL bypass. Real deployments use client_addr for read-write splitting (internal apps go to the primary, public traffic to read replicas), per-app schema pinning, and query-filter rules (DDL allowed only from admin CIDR, public queries blocked from dangerous patterns). An attacker that can reach the frontend port can forge their way into any of those routes. Version 3.0.9 patches this issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48772.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-348",
        "CWE-863"
    ]
}
References

Affected packages

Git / github.com/sysown/proxysql

Affected ranges

Type
GIT
Repo
https://github.com/sysown/proxysql
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "3.0.9"
        }
    ]
}

Affected versions

2.*
2.0.0
2.0.1
2.0.10
2.0.11
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.1.0
2.1.1
2.2.0
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.6.0
3.*
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.8
3.0.9
v2.*
v2.0.0-beta.1
v2.0.0-rc2
v2.0.1
v2.0.10
v2.0.18
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.8
v2.0.9
v2.1.0
v2.1.1
v2.2.0
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.5.0
v2.5.1
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v3.*
v3.0.0-alpha
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.1.6
v3.1.7
v3.1.8
v4.*
v4.0.6
v4.0.7
v4.0.8

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48772.json"