CVE-2026-48772
Undergoing Analysis Undergoing Analysis - In Progress

ProxySQL PP1 Protocol Spoofing Allows Client Address Forgery

Vulnerability report for CVE-2026-48772, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-19

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description

ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 2.0.0 through 3.0.8, the ProxySQL MySQL frontend accepts the `PROXY UNKNOWN <addr> <addr> <port> <port>\r\n` PP1 frame as a well-formed PROXY protocol header. The HAProxy PROXY protocol v1 specification says that when the protocol token is `UNKNOWN`, the receiver MUST ignore any address fields that follow it, because the proxy has declared it cannot determine the client identity. ProxySQL parses those address fields anyway via `sscanf` and writes the spoofed source address into the session's `addr.addr` field. From there it flows directly into the query-rule matcher, where the `client_addr` predicate decides routing and ACL. When `mysql-proxy_protocol_networks = '*'` (the default), any TCP peer can send a PP1 frame and choose any source IP claim. With that, any `mysql_query_rules` row pinned to a `client_addr` value is forgeable: the attacker writes the address they want to match into the PP1 line, and ProxySQL routes their query as if it came from that address. In practice this is a routing and ACL bypass. Real deployments use `client_addr` for read-write splitting (internal apps go to the primary, public traffic to read replicas), per-app schema pinning, and query-filter rules (DDL allowed only from admin CIDR, public queries blocked from dangerous patterns). An attacker that can reach the frontend port can forge their way into any of those routes. Version 3.0.9 patches this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-19
Last Modified
2026-06-22
Generated
2026-07-11
AI Q&A
2026-06-19
EPSS Evaluated
2026-07-10
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
sysown proxysql From 2.0.0 (inc) to 3.0.8 (inc)
sysown proxysql 3.0.9

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-348 The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

ProxySQL versions 2.0.0 through 3.0.8 have a critical vulnerability where the MySQL frontend incorrectly parses the PROXY protocol v1 header when the protocol token is "UNKNOWN". According to the HAProxy PROXY protocol v1 specification, any address fields following the "UNKNOWN" token should be ignored because the proxy cannot determine the client identity. However, ProxySQL parses these address fields anyway using sscanf and writes the spoofed source IP address into the session's client address field.

This spoofed IP address is then used in the mysql_query_rules.client_addr predicate, which controls routing and access control lists (ACLs). Because the default configuration allows any TCP client to send PROXY protocol frames, an attacker can forge any source IP address they want. This enables them to bypass routing rules and ACLs, effectively impersonating trusted clients or internal applications.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to sensitive databases and resources. An attacker who can reach the ProxySQL MySQL frontend port can spoof their source IP address to bypass access controls and routing rules.

  • Bypass of access control lists (ACLs) that rely on client IP addresses.
  • Circumvention of routing rules such as read-write splitting, per-application schema pinning, and query filtering.
  • Potential privilege escalation by impersonating trusted internal clients or administrative IP ranges.
  • Spoofed IP addresses may also affect audit logs and monitoring tools, leading to inaccurate tracking and detection.
Detection Guidance

This vulnerability can be detected by monitoring for suspicious PROXY protocol v1 frames sent to the ProxySQL MySQL frontend port, especially those containing the "UNKNOWN" token followed by address fields.

Since the vulnerability involves spoofed source IP addresses in the PROXY protocol header, you can check ProxySQL logs or audit logs for unexpected or inconsistent client_addr values that do not match actual network source IPs.

Commands to detect this might include network packet captures on the ProxySQL frontend port to inspect incoming PROXY protocol frames, for example using tcpdump or Wireshark:

  • tcpdump -i <interface> -s 0 -w proxysql_capture.pcap port <proxysql_mysql_frontend_port>
  • Use Wireshark to open proxysql_capture.pcap and filter for PROXY protocol v1 frames containing the "UNKNOWN" token.

Additionally, reviewing ProxySQL query-rule logs or audit logs for client_addr values that do not correspond to known or expected IP addresses can help identify exploitation attempts.

Mitigation Strategies

The immediate and most effective mitigation is to upgrade ProxySQL to version 3.0.9 or later, where the vulnerability has been patched.

If upgrading immediately is not possible, consider restricting access to the ProxySQL MySQL frontend port to trusted IP addresses only, rather than allowing any TCP peer (the default mysql-proxy_protocol_networks = '*').

Additionally, review and tighten mysql_query_rules and ACL configurations to minimize the impact of any spoofed client_addr values.

Compliance Impact

The vulnerability in ProxySQL allows an attacker to spoof the client source IP address, which is used in access control lists (ACLs), routing rules, audit logs, and monitoring tools. This spoofing can lead to unauthorized access to privileged routes or resources, potentially exposing sensitive data or allowing privilege escalation.

Such unauthorized access and manipulation of client identity can undermine the integrity and confidentiality of data, which are critical requirements under common standards and regulations like GDPR and HIPAA. Specifically, the ability to bypass ACLs and routing rules may lead to unauthorized data access or modification, violating data protection and privacy obligations.

Therefore, this vulnerability poses a significant risk to compliance with these regulations by potentially enabling breaches of sensitive personal or health information through compromised access controls.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48772. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart