Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Network-reachable MCP endpoint, trivial multi-statement payload, unauthenticated when default auth token is empty; integrity high (writes/DDL), confidentiality low and availability low via KILL/SHUTDOWN within account grants.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 3.0.0 through 3.0.8, ProxySQL's GenAI/MCP run_sql_readonly tool violates its documented read-only contract for MySQL targets. The tool validates only the full input string with a substring blacklist and first-keyword allowlist, but then executes the entire SQL string on a backend connection created with CLIENT_MULTI_STATEMENTS. As a result, a caller can submit a read-only first statement followed by a side-effecting second statement, such as SELECT 1; RENAME TABLE .... The validator accepts the payload because it starts with SELECT and because side-effecting MySQL statements such as RENAME TABLE, SET, RESET, LOCK TABLES, and KILL are not rejected by the blacklist. In a live MCP runtime test, the /mcp/query endpoint accepted a run_sql_readonly request. The MCP response reported success for the first SELECT, and direct backend verification showed that the table had actually been renamed. This violates the endpoint's read-only security contract and lets an MCP caller perform backend writes or administrative SQL, limited by the configured MCP target account's database privileges. Version 3.0.9 contains a fix. Other operator mitigations include: keeping MCP disabled unless required; setting a non-empty mcp-query_endpoint_auth token before exposing /mcp/query; restricting MCP listener network exposure; configuring MCP backend target credentials as database-level read-only users; and adding temporary MCP query rules to block obvious multi-statement patterns.
Articles & Coverage 1
AnalysisAI
Improper input validation in ProxySQL versions 3.0.0 through 3.0.8 lets MCP callers bypass the GenAI run_sql_readonly tool's read-only contract by submitting multi-statement payloads such as SELECT 1; RENAME TABLE x TO y, which execute in full because the backend connection enables CLIENT_MULTI_STATEMENTS. An attacker reaching the /mcp/query endpoint can perform writes and administrative SQL up to the privileges of the configured MCP backend account. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires that the ProxySQL GenAI/MCP plugin is enabled and the `/mcp/query` HTTP endpoint is reachable by the attacker (not the default - MCP is opt-in). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The 7.5 CVSS score with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N is consistent with the description: the `/mcp/query` endpoint is reachable over the network, exploitation is a simple multi-statement string, no authentication is required against an unprotected listener, and the principal impact is integrity (backend writes, renames, DDL). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach the ProxySQL `/mcp/query` endpoint - either directly because the listener was exposed without the optional `mcp-query_endpoint_auth` token, or via a prompt-injected LLM agent that legitimately holds the token - sends a `run_sql_readonly` request carrying `SELECT 1; RENAME TABLE app.users TO app.users_pwn`. The validator approves the payload because the first keyword is `SELECT` and `RENAME` is not on the legacy blacklist, and the backend connection's `CLIENT_MULTI_STATEMENTS` flag causes MySQL to execute both statements; the MCP response reports success for the `SELECT` while the second statement silently mutates the schema. … |
| Remediation | Vendor-released patch: ProxySQL 3.0.9 - upgrade per advisory GHSA-7wh6-2vcc-gcm4 (https://github.com/sysown/proxysql/security/advisories/GHSA-7wh6-2vcc-gcm4) which corresponds to fix commit e32b7fd that disables `CLIENT_MULTI_STATEMENTS` on MCP backend connections, broadens the dangerous-keyword blacklist (RENAME, FLUSH, RESET, LOCK/UNLOCK, KILL, OPTIMIZE, REPAIR, HANDLER, INSTALL/UNINSTALL, PURGE, SHUTDOWN, transaction control, ANALYZE, etc.), adds a lexer-aware multi-statement detector, and applies the same validation to `explain_sql`. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all ProxySQL 3.0.0-3.0.8 instances and assess network accessibility of the /mcp/query endpoint. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in PostgreSQL
View allPostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.
A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra
## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin
Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al
A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for
SQL injection in WeKnora LLM document understanding framework allows authenticated users to extract arbitrary database c
Hasura GraphQL 1.3.3 has a remote code execution vulnerability allowing attackers to execute arbitrary shell commands th
SQL injection in Chartbrew before 4.8.3. PoC available.
A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.
A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38075