ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 2.0.0 through 3.0.8, the ProxySQL MySQL frontend accepts the PROXY UNKNOWN \r\n PP1 frame as a well-formed PROXY protocol header. The HAProxy PROXY protocol v1 specification says that when the protocol token is UNKNOWN, the receiver MUST ignore any address fields that follow it, because the proxy has declared it cannot determine the client identity. ProxySQL parses those address fields anyway via sscanf and writes the spoofed source address into the session's addr.addr field. From there it flows directly into the query-rule matcher, where the client_addr predicate decides routing and ACL. When mysql-proxy_protocol_networks = '*' (the default), any TCP peer can send a PP1 frame and choose any source IP claim. With that, any mysql_query_rules row pinned to a client_addr value is forgeable: the attacker writes the address they want to match into the PP1 line, and ProxySQL routes their query as if it came from that address. In practice this is a routing and ACL bypass. Real deployments use client_addr for read-write splitting (internal apps go to the primary, public traffic to read replicas), per-app schema pinning, and query-filter rules (DDL allowed only from admin CIDR, public queries blocked from dangerous patterns). An attacker that can reach the frontend port can forge their way into any of those routes. Version 3.0.9 patches this issue.
CVE-2026-48772
This critical-severity CVE scores 10.0 under a secondary CVSS source (NVD's own analysis pending). EPSS exploit probability: 0.2%, top 92% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High severity, but no confirmed exploitation yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 10.0
- EG Score
- 10.0(medium)
- EPSS
- 8.3%
- KEV
- Not listed
Published
June 19, 2026
Last Modified
June 23, 2026
Advisory Details (2)
Auto-updated Jun 30, 2026ProxySQL: PROXY-Protocol-v1 UNKNOWN parses spoofed source IP, bypassing mysql_query_rules.client_addr ACL · Advisory · sysown/proxysql · GitHub
https://github.com/sysown/proxysql/security/advisories/GHSA-gw94-85m2-x8v2ProxySQL 3.0.9
Patch available: sysown/proxysql v3.0.9
https://github.com/sysown/proxysql/releases/tag/v3.0.9Weakness Classification(2)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 51× in last 7d / 129× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
Showing the most recent 100 of 129 total refreshes for this CVE.
- 2026-07-07 09:54 UTCEG score recompute
- 2026-07-07 06:11 UTCEG score recompute
- 2026-07-07 02:27 UTCEG score recompute
- 2026-07-06 22:40 UTCEG score recompute
- 2026-07-06 18:58 UTCEG score recompute
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 14:06 UTCEG score recompute
- 2026-07-06 10:19 UTCEG score recompute
- 2026-07-06 06:23 UTCEG score recompute
- 2026-07-06 02:26 UTCEG score recompute
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-05 22:42 UTCEG score recompute
- 2026-07-05 18:57 UTCEG score recompute
- 2026-07-05 15:14 UTCEG score recompute
- 2026-07-05 11:31 UTCEG score recompute
- 2026-07-05 07:48 UTCEG score recompute
- 2026-07-05 04:03 UTCEG score recompute
- 2026-07-05 02:30 UTCEPSS rescore
- 2026-07-05 00:18 UTCEG score recompute
- 2026-07-04 20:36 UTCEG score recompute
- 2026-07-04 16:52 UTCEG score recompute
- 2026-07-04 12:59 UTCEG score recompute
- 2026-07-04 09:16 UTCEG score recompute
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-04 05:33 UTCEG score recompute
Show 75 moreShow fewer
- 2026-07-04 01:47 UTCEG score recompute
- 2026-07-03 22:04 UTCEG score recompute
- 2026-07-03 18:20 UTCEG score recompute
- 2026-07-03 14:35 UTCEG score recompute
- 2026-07-03 10:53 UTCEG score recompute
- 2026-07-03 06:48 UTCEG score recompute
- 2026-07-03 03:06 UTCEG score recompute
- 2026-07-02 23:20 UTCEG score recompute
- 2026-07-02 19:38 UTCEG score recompute
- 2026-07-02 15:55 UTCEG score recompute
- 2026-07-02 12:12 UTCEG score recompute
- 2026-07-02 08:28 UTCEG score recompute
- 2026-07-02 04:45 UTCEG score recompute
- 2026-07-02 01:03 UTCEG score recompute
- 2026-07-01 21:19 UTCEG score recompute
- 2026-07-01 17:37 UTCEG score recompute
- 2026-07-01 15:07 UTCEPSS rescore
- 2026-07-01 13:53 UTCEG score recompute
- 2026-07-01 10:11 UTCEG score recompute
- 2026-07-01 06:29 UTCEG score recompute
- 2026-07-01 02:46 UTCEG score recompute
- 2026-06-30 23:22 UTCEPSS rescore
- 2026-06-30 23:04 UTCEG score recompute
- 2026-06-30 19:20 UTCEG score recompute
- 2026-06-30 15:38 UTCEG score recompute
- 2026-06-30 11:55 UTCEG score recompute
- 2026-06-30 08:10 UTCEG score recompute
- 2026-06-30 04:27 UTCEG score recompute
- 2026-06-30 00:45 UTCEG score recompute
- 2026-06-29 21:02 UTCEG score recompute
- 2026-06-29 17:19 UTCEG score recompute
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-29 13:32 UTCEG score recompute
- 2026-06-29 09:50 UTCEG score recompute
- 2026-06-29 06:08 UTCEG score recompute
- 2026-06-29 02:25 UTCEG score recompute
- 2026-06-28 22:42 UTCEG score recompute
- 2026-06-28 19:00 UTCEG score recompute
- 2026-06-28 15:17 UTCEG score recompute
- 2026-06-28 14:07 UTCEPSS rescore
- 2026-06-28 11:34 UTCEG score recompute
- 2026-06-28 07:52 UTCEG score recompute
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-28 04:10 UTCEG score recompute
- 2026-06-28 00:26 UTCEG score recompute
- 2026-06-27 20:43 UTCEG score recompute
- 2026-06-27 16:59 UTCEG score recompute
- 2026-06-27 13:17 UTCEG score recompute
- 2026-06-27 09:35 UTCEG score recompute
- 2026-06-27 05:53 UTCEG score recompute
- 2026-06-27 03:08 UTCEPSS rescore
- 2026-06-27 02:09 UTCEG score recompute
- 2026-06-26 22:27 UTCEG score recompute
- 2026-06-26 18:43 UTCEG score recompute
- 2026-06-26 14:57 UTCEG score recompute
- 2026-06-26 11:14 UTCEG score recompute
- 2026-06-26 03:23 UTCEG score recompute
- 2026-06-25 23:41 UTCEG score recompute
- 2026-06-25 19:57 UTCEG score recompute
- 2026-06-25 16:15 UTCEG score recompute
- 2026-06-25 13:49 UTCEPSS rescore
- 2026-06-25 12:33 UTCEG score recompute
- 2026-06-25 08:50 UTCEG score recompute
- 2026-06-25 05:08 UTCEG score recompute
- 2026-06-25 01:21 UTCEG score recompute
- 2026-06-24 21:39 UTCEG score recompute
- 2026-06-24 17:56 UTCEG score recompute
- 2026-06-24 14:09 UTCEG score recompute
- 2026-06-24 14:05 UTCEPSS rescore
- 2026-06-24 10:27 UTCEG score recompute
- 2026-06-24 06:44 UTCEG score recompute
- 2026-06-24 03:00 UTCEG score recompute
- 2026-06-23 23:15 UTCEG score recompute
Frequently asked(5)
What is CVE-2026-48772?
When was CVE-2026-48772 disclosed?
Is CVE-2026-48772 actively exploited?
What is the CVSS score of CVE-2026-48772?
How do I remediate CVE-2026-48772?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2026-48772
Is Your Infrastructure Affected by CVE-2026-48772?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.