CVE-2026-48774
ProxySQL GenAI MCP run_sql_readonly SQL Injection

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: GitHub, Inc.

Description
ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 3.0.0 through 3.0.8, ProxySQL's GenAI/MCP `run_sql_readonly` tool violates its documented read-only contract for MySQL targets. The tool validates only the full input string with a substring blacklist and first-keyword allowlist, but then executes the entire SQL string on a backend connection created with `CLIENT_MULTI_STATEMENTS`. As a result, a caller can submit a read-only first statement followed by a side-effecting second statement, such as `SELECT 1; RENAME TABLE ...`. The validator accepts the payload because it starts with `SELECT` and because side-effecting MySQL statements such as `RENAME TABLE`, `SET`, `RESET`, `LOCK TABLES`, and `KILL` are not rejected by the blacklist. In a live MCP runtime test, the `/mcp/query` endpoint accepted a `run_sql_readonly` request. The MCP response reported success for the first `SELECT`, and direct backend verification showed that the table had actually been renamed. This violates the endpoint's read-only security contract and lets an MCP caller perform backend writes or administrative SQL, limited by the configured MCP target account's database privileges. Version 3.0.9 contains a fix. Other operator mitigations include: keeping MCP disabled unless required; setting a non-empty `mcp-query_endpoint_auth` token before exposing `/mcp/query`; restricting MCP listener network exposure; configuring MCP backend target credentials as database-level read-only users; and adding temporary MCP query rules to block obvious multi-statement patterns.
Meta Information
Published: 2026-06-19
Last Modified: 2026-06-19
Generated: 2026-06-21
AI Q&A: 2026-06-19
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 4 associated CPEs
| Vendor | Product | Version / Range |
|--------|---------|-----------------|
| sysown | proxysql | From 3.0.0 (inc) to 3.0.8 (inc) |
| sysown | proxysql | 3.0.9 |
| sysown | proxysql | From 4.0.6 (inc) to 4.0.8 (inc) |
| sysown | proxysql | 4.0.9 |
CWE
| CWE ID | Description |
|--------|-------------|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Executive Summary

ProxySQL's GenAI/MCP `run_sql_readonly` tool is intended to allow only read-only SQL queries to MySQL targets. In versions 3.0.0 through 3.0.8 it fails to enforce this: it validates the input only as a single string, using a substring blacklist and a first-keyword allowlist, and then executes the entire SQL string on a backend connection that supports multiple statements.

This means an attacker can submit a query starting with a read-only statement like `SELECT 1;` followed by a side-effecting statement such as `RENAME TABLE ...`. The validator accepts the input because it checks only the first keyword and because its blacklist misses many side-effecting commands.

As a result, the tool violates its read-only contract by allowing backend writes or administrative SQL commands to be executed, limited only by the database privileges of the configured MCP target account.

Compliance Impact

This vulnerability allows an attacker to bypass the read-only restrictions of ProxySQL's GenAI/MCP `run_sql_readonly` tool and execute side-effecting SQL statements such as renaming tables or modifying database state. This can lead to unauthorized data modification or administrative actions within the database.

Such unauthorized modifications can compromise data integrity and potentially lead to breaches of data protection regulations like GDPR or HIPAA, which require strict controls over data access and modification to protect personal and sensitive information.

If exploited, this vulnerability could result in non-compliance with these standards due to unauthorized changes to data or schema, risking data integrity, confidentiality, and auditability.

Mitigations such as disabling MCP unless required, enforcing authentication tokens, restricting network exposure, and using read-only database credentials help reduce the risk and support compliance efforts.

Impact Analysis

This vulnerability can lead to serious impacts including unauthorized modification of database schema or data, operational disruption, and compromise of backend database integrity.

An attacker exploiting this flaw can perform backend writes or administrative SQL commands through the read-only interface, potentially renaming tables, changing settings, locking tables, or killing connections.

The extent of the impact depends on the privileges of the MCP target account configured in ProxySQL, but it can result in high integrity impact without requiring any prior privileges or user interaction.

Detection Guidance

This vulnerability can be detected by monitoring for multi-statement SQL queries sent to the `/mcp/query` endpoint, especially those that start with a read-only statement like `SELECT` followed by side-effecting statements such as `RENAME TABLE`, `SET`, `RESET`, `LOCK TABLES`, or `KILL`.

Detection can involve checking logs or network traffic for suspicious multi-statement payloads that bypass the read-only validation.

Since the vulnerability involves multi-statement queries executed via `CLIENT_MULTI_STATEMENTS`, scripts that parse logged SQL queries and identify semicolons outside of string literals or comments can help detect exploitation attempts.

Specific commands are not provided in the resources, but one could use network packet inspection tools (e.g., tcpdump, Wireshark) to capture traffic to the /mcp/query endpoint and search for SQL queries containing semicolons indicating multi-statements.
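
The semicolon check described above, as an added example (not from the advisory or from ProxySQL): a small MySQL-aware splitter that ignores semicolons inside quotes, backtick identifiers and comments, then flags any logged payload that contains more than one statement or a leading verb outside a read-only set. The `READ_ONLY` set, the function names and the sample payload are assumptions constructed for illustration.

```python
import re

# Assumed allowlist for illustration; the page does not list the tool's real one.
READ_ONLY = {"SELECT", "SHOW", "DESCRIBE", "DESC", "EXPLAIN"}

def split_statements(sql: str) -> list[str]:
    """Split on semicolons outside quotes, backtick identifiers and comments."""
    stmts, buf, i, n = [], [], 0, len(sql)
    while i < n:
        ch, two = sql[i], sql[i:i + 2]
        if ch in "'\"`":                       # string literal or identifier
            j = i + 1
            while j < n:
                if sql[j] == "\\" and ch != "`":
                    j += 2                     # backslash-escaped character
                elif sql[j] == ch and sql[j + 1:j + 2] == ch:
                    j += 2                     # doubled quote stays inside
                elif sql[j] == ch:
                    break
                else:
                    j += 1
            buf.append(sql[i:j + 1])
            i = j + 1
        elif ch == "#" or (two == "--" and not sql[i + 2:i + 3].strip()):
            while i < n and sql[i] != "\n":    # line comment: skip to newline
                i += 1
        elif two == "/*" and sql[i:i + 3] != "/*!":
            end = sql.find("*/", i + 2)        # plain block comment
            i = n if end < 0 else end + 2
            buf.append(" ")
        elif ch == ";":
            stmts.append("".join(buf).strip())
            buf, i = [], i + 1
        else:                                  # also scans /*! ... */ bodies,
            buf.append(ch)                     # which MySQL executes as SQL
            i += 1
    stmts.append("".join(buf).strip())
    return [s for s in stmts if s]

def assess(sql: str) -> dict:
    """Flag payloads with more than one statement or a non-allowlisted verb."""
    stmts = split_statements(sql)
    matches = [re.match(r"\W*(\w+)", s) for s in stmts]
    verbs = [m.group(1).upper() for m in matches if m]
    flagged = len(stmts) > 1 or any(v not in READ_ONLY for v in verbs)
    return {"statements": len(stmts), "verbs": verbs, "flagged": flagged}

# Constructed sample payload; table names a and b are hypothetical.
print(assess("SELECT 1; RENAME TABLE a TO b"))
```

Run over request logs, this separates benign queries that merely contain a semicolon in a literal or comment from payloads the backend would execute as several statements.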

Mitigation Strategies

Immediate mitigation steps include:

  • Disable the MCP (Management Control Protocol) unless it is strictly required.
  • Set a non-empty authentication token for the `mcp-query_endpoint_auth` configuration before exposing the `/mcp/query` endpoint.
  • Restrict network exposure of the MCP listener to trusted hosts only.
  • Configure MCP backend target credentials as database-level read-only users to limit the impact of any exploit.
  • Add temporary MCP query rules to block obvious multi-statement patterns, such as queries containing semicolons.