
ProxySQL EUVD-2026-38075

CVE-2026-48774 HIGH
Improper Input Validation (CWE-20)
2026-06-19 GitHub_M
7.5
CVSS 3.1 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
8.6 HIGH

Network-reachable MCP endpoint, trivial multi-statement payload, unauthenticated when default auth token is empty; integrity high (writes/DDL), confidentiality low and availability low via KILL/SHUTDOWN within account grants.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

Patch available
Jun 19, 2026 - 21:02 EUVD
Source Code Evidence Fetched
Jun 19, 2026 - 20:18 vuln.today
Analysis Generated
Jun 19, 2026 - 20:18 vuln.today

Description (CVE.org)

ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 3.0.0 through 3.0.8, ProxySQL's GenAI/MCP run_sql_readonly tool violates its documented read-only contract for MySQL targets. The tool validates only the full input string with a substring blacklist and first-keyword allowlist, but then executes the entire SQL string on a backend connection created with CLIENT_MULTI_STATEMENTS. As a result, a caller can submit a read-only first statement followed by a side-effecting second statement, such as SELECT 1; RENAME TABLE .... The validator accepts the payload because it starts with SELECT and because side-effecting MySQL statements such as RENAME TABLE, SET, RESET, LOCK TABLES, and KILL are not rejected by the blacklist. In a live MCP runtime test, the /mcp/query endpoint accepted a run_sql_readonly request. The MCP response reported success for the first SELECT, and direct backend verification showed that the table had actually been renamed. This violates the endpoint's read-only security contract and lets an MCP caller perform backend writes or administrative SQL, limited by the configured MCP target account's database privileges. Version 3.0.9 contains a fix. Other operator mitigations include: keeping MCP disabled unless required; setting a non-empty mcp-query_endpoint_auth token before exposing /mcp/query; restricting MCP listener network exposure; configuring MCP backend target credentials as database-level read-only users; and adding temporary MCP query rules to block obvious multi-statement patterns.

Analysis (AI)

Improper input validation in ProxySQL versions 3.0.0 through 3.0.8 lets MCP callers bypass the GenAI run_sql_readonly tool's read-only contract by submitting multi-statement payloads such as SELECT 1; RENAME TABLE x TO y, which execute in full because the backend connection enables CLIENT_MULTI_STATEMENTS. An attacker reaching the /mcp/query endpoint can perform writes and administrative SQL up to the privileges of the configured MCP backend account. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access
Discover exposed /mcp/query listener
Delivery
Bypass or obtain mcp-query_endpoint_auth token
Exploit
Submit run_sql_readonly with SELECT 1; RENAME TABLE payload
Execution
Validator approves on leading SELECT
Persist
MySQL executes both statements via CLIENT_MULTI_STATEMENTS
Impact
Backend schema/state altered within MCP account privileges

Vulnerability Assessment (AI)

Exploitation
Requires that the ProxySQL GenAI/MCP plugin is enabled and the `/mcp/query` HTTP endpoint is reachable by the attacker (not the default - MCP is opt-in). …

Risk Assessment
The 7.5 CVSS score with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N is consistent with the description: the `/mcp/query` endpoint is reachable over the network, exploitation is a simple multi-statement string, no authentication is required against an unprotected listener, and the principal impact is integrity (backend writes, renames, DDL). …

Exploit Scenario
An attacker who can reach the ProxySQL `/mcp/query` endpoint - either directly because the listener was exposed without the optional `mcp-query_endpoint_auth` token, or via a prompt-injected LLM agent that legitimately holds the token - sends a `run_sql_readonly` request carrying `SELECT 1; RENAME TABLE app.users TO app.users_pwn`. The validator approves the payload because the first keyword is `SELECT` and `RENAME` is not on the legacy blacklist, and the backend connection's `CLIENT_MULTI_STATEMENTS` flag causes MySQL to execute both statements; the MCP response reports success for the `SELECT` while the second statement silently mutates the schema. …

Remediation
Vendor-released patch: ProxySQL 3.0.9 - upgrade per advisory GHSA-7wh6-2vcc-gcm4 (https://github.com/sysown/proxysql/security/advisories/GHSA-7wh6-2vcc-gcm4), which corresponds to fix commit e32b7fd that disables `CLIENT_MULTI_STATEMENTS` on MCP backend connections, broadens the dangerous-keyword blacklist (RENAME, FLUSH, RESET, LOCK/UNLOCK, KILL, OPTIMIZE, REPAIR, HANDLER, INSTALL/UNINSTALL, PURGE, SHUTDOWN, transaction control, ANALYZE, etc.), adds a lexer-aware multi-statement detector, and applies the same validation to `explain_sql`. …
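The following Python is an added illustration, not ProxySQL's code and not part of the advisory. It contrasts a check of the pre-fix shape the description above attributes to `run_sql_readonly` (leading-keyword allowlist plus substring blacklist over the raw string) with a lexer-aware check of the shape the 3.0.9 remediation describes: string literals, quoted identifiers and comments are blanked before looking for a top-level `;` or a blacklisted keyword token. The keyword lists and the `code_text`, `legacy_validate` and `hardened_validate` helpers are assumptions modelled on the advisory text.

```python
import re
# Assumed lists, modelled on the advisory text rather than ProxySQL's real code.
ALLOWED_FIRST = {"SELECT", "SHOW", "DESCRIBE", "DESC", "EXPLAIN"}
LEGACY_BLACKLIST = {"INSERT", "UPDATE", "DELETE", "DROP", "ALTER", "CREATE", "TRUNCATE"}
FIX_BLACKLIST = LEGACY_BLACKLIST | {          # keywords the 3.0.9 fix is said to add
    "RENAME", "SET", "RESET", "LOCK", "UNLOCK", "KILL", "FLUSH", "OPTIMIZE", "REPAIR",
    "HANDLER", "INSTALL", "UNINSTALL", "PURGE", "SHUTDOWN", "ANALYZE", "START",
    "BEGIN", "COMMIT", "ROLLBACK"}

def code_text(sql: str) -> str:
    """Blank strings, quoted identifiers and comments so only real tokens remain."""
    out, i, n = [], 0, len(sql)
    while i < n:
        c = sql[i]
        if c in "'\"`":                                   # 'str', "str", `ident`
            j = i + 1
            while j < n and sql[j] != c:
                j += 2 if sql[j] == "\\" and c != "`" else 1   # skip backslash escape
            j = min(j + 1, n)
        elif c == "#" or (sql.startswith("--", i) and     # MySQL: '--' needs a space after
                          (i + 2 >= n or sql[i + 2] in " \t\n")):
            j = sql.find("\n", i)
            j = n if j < 0 else j
        elif sql.startswith("/*", i) and not sql.startswith("/*!", i):
            j = sql.find("*/", i + 2)                     # /*! ... */ is executed: keep it
            j = n if j < 0 else j + 2
        else:
            out.append(c)
            i += 1
            continue
        out.append(" " * (j - i))
        i = j
    return "".join(out)

def first_keyword(sql: str) -> str:
    m = re.match(r"\s*\(*\s*([A-Za-z_]+)", sql)
    return m.group(1).upper() if m else ""

def legacy_validate(sql: str) -> bool:            # pre-fix style: raw-string substring checks
    up = sql.upper()
    return first_keyword(sql) in ALLOWED_FIRST and not any(k in up for k in LEGACY_BLACKLIST)

def hardened_validate(sql: str) -> bool:          # post-fix style: lexer-aware checks
    code = code_text(sql)
    if first_keyword(code) not in ALLOWED_FIRST:
        return False
    if ";" in code.rstrip(" \t\r\n;"):                    # real SQL follows a top-level ';'
        return False
    words = {w.upper() for w in re.findall(r"[A-Za-z_]+", code)}
    return not (words & FIX_BLACKLIST)
```

The detector is defence in depth only: as the remediation notes, the primary control in the fix is disabling `CLIENT_MULTI_STATEMENTS` on the MCP backend connection, so a second statement cannot execute even if a validator is bypassed.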

Recommended Action (AI)

Within 24 hours: Identify all ProxySQL 3.0.0-3.0.8 instances and assess network accessibility of the /mcp/query endpoint. …



EUVD-2026-38075 vulnerability details – vuln.today
