sysown proxysql up to 3.0.8 /mcp/query incomplete blacklist

Summaryinfo

A vulnerability described as critical has been identified in sysown proxysql up to 3.0.8. Affected by this vulnerability is an unknown functionality of the file /mcp/query. Such manipulation leads to incomplete blacklist. This vulnerability is uniquely identified as CVE-2026-48774. The attack can be launched remotely. No exploit exists. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability was found in sysown proxysql up to 3.0.8. It has been rated as critical. Affected by this issue is an unknown code block of the file /mcp/query. The manipulation with an unknown input leads to a incomplete blacklist vulnerability. Using CWE to declare the problem leads to CWE-184. The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses. Impacted is confidentiality, integrity, and availability. CVE summarizes:

ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 3.0.0 through 3.0.8, ProxySQL's GenAI/MCP `run_sql_readonly` tool violates its documented read-only contract for MySQL targets. The tool validates only the full input string with a substring blacklist and first-keyword allowlist, but then executes the entire SQL string on a backend connection created with `CLIENT_MULTI_STATEMENTS`. As a result, a caller can submit a read-only first statement followed by a side-effecting second statement, such as `SELECT 1; RENAME TABLE ...`. The validator accepts the payload because it starts with `SELECT` and because side-effecting MySQL statements such as `RENAME TABLE`, `SET`, `RESET`, `LOCK TABLES`, and `KILL` are not rejected by the blacklist. In a live MCP runtime test, the `/mcp/query` endpoint accepted a `run_sql_readonly` request. The MCP response reported success for the first `SELECT`, and direct backend verification showed that the table had actually been renamed. This violates the endpoint's read-only security contract and lets an MCP caller perform backend writes or administrative SQL, limited by the configured MCP target account's database privileges. Version 3.0.9 contains a fix. Other operator mitigations include: keeping MCP disabled unless required; setting a non-empty `mcp-query_endpoint_auth` token before exposing `/mcp/query`; restricting MCP listener network exposure; configuring MCP backend target credentials as database-level read-only users; and adding temporary MCP query rules to block obvious multi-statement patterns.

The advisory is available at github.com. This vulnerability is handled as CVE-2026-48774 since 05/22/2026. The exploitation is known to be easy. The attack may be launched remotely. No form of authentication is required for exploitation. Technical details are known, but there is no available exploit. This vulnerability is assigned to T1562.006 by the MITRE ATT&CK project.

Upgrading to version 3.0.9 eliminates this vulnerability. Applying the patch e32b7fd50c7c234ea628e392e621e09a2a919e08 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2026-38075). If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Type

• Firewall Software

Vendor

• sysown

Name

• proxysql

Version

• 3.0.0
• 3.0.1
• 3.0.2
• 3.0.3
• 3.0.4
• 3.0.5
• 3.0.6
• 3.0.7
• 3.0.8

License

• open-source

Website

• Product: https://github.com/sysown/proxysql/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion