Vulnerability in ProxySQL Affects MySQL Database Operations
CVE-2026-48774

7.5 HIGH

Key Information:

Vendor: Sysown
Status: Vendor
CVE Published: 19 June 2026

What is CVE-2026-48774?

ProxySQL, a high-performance proxy for MySQL and PostgreSQL, is vulnerable in versions 3.0.0 through 3.0.8 due to improper handling of SQL statements in the GenAI/MCP 'run_sql_readonly' tool. The tool validates a request with a substring blacklist and a first-keyword allowlist, and both can be evaded: a request that opens with a permitted read-only statement can carry additional SQL statements that modify database schemas or perform other harmful operations, so the read-only constraint is bypassed. The oversight is significant because accepted requests lead to unintended write operations, undermining the integrity of the database. Operators are advised to upgrade to version 3.0.9, restrict access to the MCP endpoint, and adopt further precautions against this vulnerability.
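As an added illustration (not ProxySQL's code and not the 3.0.9 fix), a gate for a read-only SQL tool that counts statements after handling quotes and comments, so a permitted read-only prefix followed by further statements is rejected; the keyword set and function names are assumptions:

```python
import re
# Assumed set of first keywords treated as read-only; not taken from ProxySQL.
READONLY_KEYWORDS = {"SELECT", "SHOW", "DESCRIBE", "DESC", "EXPLAIN", "WITH"}

def split_statements(sql: str) -> list[str]:
    """Split on ';' outside quotes/identifiers, dropping comments, so a ';'
    inside a string literal or a comment is neither a split nor a hideout."""
    stmts, buf, quote, i, n = [], [], None, 0, len(sql)
    while i < n:
        c = sql[i]
        if quote:                                  # inside '...', "..." or `...`
            buf.append(c)
            if c == "\\" and i + 1 < n:            # keep escaped char verbatim
                buf.append(sql[i + 1])
                i += 1
            elif c == quote:
                quote = None
        elif c in "'\"`":
            quote = c
            buf.append(c)
        elif sql.startswith("/*", i):              # block comment
            end = sql.find("*/", i + 2)
            i = n if end < 0 else end + 2
            buf.append(" ")
            continue
        elif c == "#" or (sql.startswith("--", i)
                          and sql[i + 2:i + 3] in ("", " ", "\t", "\n")):
            end = sql.find("\n", i)                # line comment
            i = n if end < 0 else end
            buf.append(" ")
            continue
        elif c == ";":                             # statement boundary
            stmts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    stmts.append("".join(buf))
    return [s.strip() for s in stmts if s.strip()]

def is_readonly_request(sql: str) -> bool:
    """Accept exactly one statement with a read-only first keyword. A prefix
    allowlist alone never looks past 'SELECT ...;', so counting statements is
    what closes the gap; the durable control is a SELECT-only DB account."""
    stmts = split_statements(sql)
    if len(stmts) != 1:
        return False
    m = re.match(r"[\s(]*([A-Za-z_]+)", stmts[0])
    return bool(m) and m.group(1).upper() in READONLY_KEYWORDS
```

A lexical gate like this is defence in depth only; a single SELECT can still write (for example via SELECT ... INTO OUTFILE), so the tool's database account should carry SELECT-only grants regardless.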

Affected Version(s)

proxysql >= 3.0.6, < 3.0.9

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved