PatchSiren cyber security CVE debrief
CVE-2026-48772 sysown CVE debrief
CVE-2026-48772 is a critical vulnerability in ProxySQL, a proxy for MySQL and PostgreSQL. Versions 2.0.0 through 3.0.8 are affected, allowing an attacker to spoof their source IP address and bypass routing and ACL rules. The issue is particularly severe because it lets an attacker reach routes that are normally restricted to specific source IP addresses, potentially gaining unauthorized access to sensitive data or operations. The vulnerability has been patched in version 3.0.9.
- Vendor: sysown
- Product: proxysql
- CVSS: CRITICAL 10
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-19
- Original CVE updated: 2026-06-22
- Advisory published: 2026-06-19
- Advisory updated: 2026-06-22
Who should care
System administrators and security professionals managing ProxySQL instances, especially those using versions 2.0.0 through 3.0.8, should be aware of this vulnerability. This includes organizations relying on ProxySQL for database access control, read-write splitting, per-app schema pinning, and query-filter rules. Given the critical nature of this vulnerability, immediate attention is required to mitigate potential risks.
Technical summary
The ProxySQL MySQL frontend mishandles the PROXY protocol v1 header when the address-family token is UNKNOWN. The HAProxy PROXY protocol v1 specification requires a receiver to ignore anything that follows UNKNOWN and to fall back to the connection's real transport-layer address; ProxySQL instead honours address fields placed after the token. By sending a specially crafted PROXY protocol v1 (PP1) header, an attacker can therefore set the session's addr.addr field, which the query-rule matcher and ACL checks consult for routing decisions, to an address of their choosing and gain access to routes restricted to that address.
Defensive priority
High priority due to the critical CVSS score of 10 and the potential for significant impact on database security and access control.
Recommended defensive actions
- Immediately upgrade to ProxySQL version 3.0.9 or later to patch the vulnerability.
- Review and restrict access to the ProxySQL frontend port to limit exposure.
- Verify that mysql-proxy_protocol_networks is set so that PROXY protocol headers are honoured only from trusted networks (for example, your load balancers) and never from arbitrary clients.
- Review query rules and ACLs to ensure they are not overly permissive.
- Monitor ProxySQL connection and query logs for sessions whose reported source address does not match the networks you expect clients or load balancers to arrive from.
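The two points above, the UNKNOWN-token rule from the technical summary and the trusted-networks setting from the recommended actions, are easiest to see in a small receiver. The following is an added example written for this debrief; it is not ProxySQL's code and does not reproduce its internals. It implements the spec-conformant handling of a PROXY v1 line (ignore everything after UNKNOWN and use the TCP peer address), gates header acceptance on a trusted-network list that plays the role of mysql-proxy_protocol_networks, and contrasts it with an illustrative buggy pattern that reads the third field without checking the family token. All addresses, networks and the session layout are constructed for the example.

```python
"""Spec-conformant PROXY protocol v1 receiver logic (added example, not ProxySQL code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAX_V1_LINE = 107  # maximum v1 line length including CRLF, per the HAProxy spec


@dataclass(frozen=True)
class EffectiveSource:
    address: str       # address that routing / ACL decisions must use
    from_header: bool  # True if taken from a PROXY header, False if from the TCP peer


def parse_proxy_v1_line(line: bytes) -> dict:
    """Parse one PROXY v1 line.

    Returns {"family": "UNKNOWN"} for the UNKNOWN token (everything after it up to
    CRLF is ignored, as the spec requires), or a dict with family/src/dst/sport/dport
    for TCP4/TCP6. Raises ValueError on anything malformed.
    """
    if len(line) > MAX_V1_LINE or not line.endswith(b"\r\n"):
        raise ValueError("PROXY v1 line too long or missing CRLF")
    try:
        fields = line[:-2].decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ValueError("PROXY v1 line is not ASCII") from exc
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ValueError("missing PROXY signature")
    family = fields[1]
    if family == "UNKNOWN":
        # Spec: the receiver MUST ignore anything presented after UNKNOWN and
        # fall back to the real transport-layer address of the connection.
        return {"family": "UNKNOWN"}
    if family not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("unsupported family or wrong field count")
    src, dst, sport, dport = fields[2:]
    want_version = 4 if family == "TCP4" else 6
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip.version != want_version or dst_ip.version != want_version:
        raise ValueError("address family does not match token")
    if not (sport.isdigit() and dport.isdigit()):
        raise ValueError("ports must be decimal digits")
    ports = (int(sport), int(dport))
    if not all(0 <= p <= 65535 for p in ports):
        raise ValueError("port out of range")
    return {"family": family, "src": str(src_ip), "dst": str(dst_ip),
            "sport": ports[0], "dport": ports[1]}


def effective_source(peer_ip: str, header: Optional[bytes],
                     trusted_networks: list) -> EffectiveSource:
    """Decide which source address the session should carry.

    trusted_networks stands in for a setting like mysql-proxy_protocol_networks
    (assumed semantics: only peers inside these networks may present a PROXY
    header at all). Anyone else is identified by its TCP peer address only.
    """
    peer = ipaddress.ip_address(peer_ip)
    if header is None:
        return EffectiveSource(str(peer), False)
    if not any(peer in ipaddress.ip_network(n) for n in trusted_networks):
        raise PermissionError(f"PROXY header from untrusted peer {peer}")
    parsed = parse_proxy_v1_line(header)
    if parsed["family"] == "UNKNOWN":
        # Never trust fields after UNKNOWN: the peer address is authoritative.
        return EffectiveSource(str(peer), False)
    return EffectiveSource(parsed["src"], True)


def acl_allows(source: str, allowed_networks: list) -> bool:
    """Route / ACL decision made on the effective source address."""
    ip = ipaddress.ip_address(source)
    return any(ip in ipaddress.ip_network(n) for n in allowed_networks)


def naive_source_from_header(header: bytes) -> str:
    """Illustrative buggy pattern (hypothetical, not ProxySQL's code): reads the
    third field without checking the family token, so a line beginning with
    PROXY UNKNOWN still yields whatever address follows it."""
    return header.rstrip(b"\r\n").decode("ascii").split(" ")[2]


if __name__ == "__main__":
    # Constructed sample: a load balancer at 198.51.100.2 presents an UNKNOWN line
    # with trailing address fields that must be ignored.
    lb, line = "198.51.100.2", b"PROXY UNKNOWN 10.20.0.5 10.20.0.1 1 2\r\n"
    src = effective_source(lb, line, ["198.51.100.0/24"])
    print("spec-conformant:", src, "-> allowed:", acl_allows(src.address, ["10.20.0.0/16"]))
    print("naive pattern  :", naive_source_from_header(line))
```

The contrast is the whole point: with the same input line, the spec-conformant path carries the peer address 198.51.100.2 into the ACL check and denies the 10.20.0.0/16 route, while the naive pattern returns 10.20.0.5 and would let the session through. The trusted-network gate matters independently: a PROXY header from a peer outside those networks is rejected before it is parsed at all.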
Evidence notes
The primary evidence for this vulnerability comes from the official CVE record and the NVD detail page. The CVE description outlines the technical details of the vulnerability, including how ProxySQL mishandles the PROXY protocol header. The NVD provides additional context, including the CVSS score and vector. The vendor has released a patch for this issue in version 3.0.9, which is available on GitHub.
Official resources
This article is AI-assisted and based on the supplied source corpus.