CVE-2026-48772
CVE-2026-48772 is a critical-severity vulnerability with a CVSS 3.x base score of 10.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-348.
Key facts
- Severity: Critical (CVSS 3.x base score 10.0)
- EPSS exploit prediction: 0% (8th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-38074
- Weakness: CWE-348
- Published:
- Last modified:
Description
ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 2.0.0 through 3.0.8, the ProxySQL MySQL frontend accepts the `PROXY UNKNOWN <addr> <addr> <port> <port>\r\n` PP1 frame as a well-formed PROXY protocol header. The HAProxy PROXY protocol v1 specification says that when the protocol token is `UNKNOWN`, the receiver MUST ignore any address fields that follow it, because the proxy has declared it cannot determine the client identity. ProxySQL parses those address fields anyway via `sscanf` and writes the spoofed source address into the session's `addr.addr` field. From there it flows directly into the query-rule matcher, where the `client_addr` predicate decides routing and ACL. When `mysql-proxy_protocol_networks = '*'` (the default), any TCP peer can send a PP1 frame and choose any source IP claim. With that, any `mysql_query_rules` row pinned to a `client_addr` value is forgeable: the attacker writes the address they want to match into the PP1 line, and ProxySQL routes their query as if it came from that address. In practice this is a routing and ACL bypass. Real deployments use `client_addr` for read-write splitting (internal apps go to the primary, public traffic to read replicas), per-app schema pinning, and query-filter rules (DDL allowed only from admin CIDR, public queries blocked from dangerous patterns). An attacker that can reach the frontend port can forge their way into any of those routes. Version 3.0.9 patches this issue.
Frequently asked questions
- What is CVE-2026-48772?
- ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 2.0.0 through 3.0.8, the ProxySQL MySQL frontend accepts the `PROXY UNKNOWN <addr> <addr> <port> <port>\r\n` PP1 frame as a well-formed PROXY protocol header. The HAProxy PROXY protocol v1 specification says that when the protocol token is `UNKNOWN`, the receiver MUST ignore any address fields that follow it, because the proxy has declared it cannot determine the client identity. ProxySQL parses those address fields anyway via `sscanf` and writes the spoofed source address into the session's `addr.addr` field. From there it flows directly into the query-rule matcher, where the `client_addr` predicate decides routing and ACL. When `mysql-proxy_protocol_networks = '*'` (the default), any TCP peer can send a PP1 frame and choose any source IP claim. With that, any `mysql_query_rules` row pinned to a `client_addr` value is forgeable: the attacker writes the address they want to match into the PP1 line, and ProxySQL routes their query as if it came from that address. In practice this is a routing and ACL bypass. Real deployments use `client_addr` for read-write splitting (internal apps go to the primary, public traffic to read replicas), per-app schema pinning, and query-filter rules (DDL allowed only from admin CIDR, public queries blocked from dangerous patterns). An attacker that can reach the frontend port can forge their way into any of those routes. Version 3.0.9 patches this issue.
- How severe is CVE-2026-48772?
- CVE-2026-48772 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability none.
- Is CVE-2026-48772 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (8th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2026-48772?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- Does CVE-2026-48772 have an EU (EUVD) identifier?
- Yes. CVE-2026-48772 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-38074.
- When was CVE-2026-48772 published?
- CVE-2026-48772 was published on 2026-06-19 and last updated on 2026-06-23.
References
- https://github.com/sysown/proxysql/releases/tag/v3.0.9
- https://github.com/sysown/proxysql/security/advisories/GHSA-gw94-85m2-x8v2
Other CWE-348 vulnerabilities
- CVE-2026-12249 — Critical (CVSS 9.0): An issue was discovered in Canonical ADSys upstream versions through v0.16.2. During Active Directory Certificate…
- CVE-2025-69240 — High (CVSS 8.8): Raytha CMS allows an attacker to spoof `X-Forwarded-Host` or `Host` headers to attacker controlled domain. The attacker…
- CVE-2025-55292 — High (CVSS 8.2): Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by…
- CVE-2026-43634 — High (CVSS 7.5): HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers…
- CVE-2026-35391 — High (CVSS 7.5): Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP() function…
- CVE-2025-27913 — High (CVSS 7.5): Passbolt API before 5, if the server is misconfigured (with an incorrect installation process and disregarding of…