CVE-2026-48774: CWE-20: Improper Input Validation in sysown proxysql
ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 3.0.0 through 3.0.8, ProxySQL's GenAI/MCP `run_sql_readonly` tool violates its documented read-only contract for MySQL targets. The tool validates only the full input string with a substring blacklist and first-keyword allowlist, but then executes the entire SQL string on a backend connection created with `CLIENT_MULTI_STATEMENTS`. As a result, a caller can submit a read-only first statement followed by a side-effecting second statement, such as `SELECT 1; RENAME TABLE ...`. The validator accepts the payload because it starts with `SELECT` and because side-effecting MySQL statements such as `RENAME TABLE`, `SET`, `RESET`, `LOCK TABLES`, and `KILL` are not rejected by the blacklist. In a live MCP runtime test, the `/mcp/query` endpoint accepted a `run_sql_readonly` request. The MCP response reported success for the first `SELECT`, and direct backend verification showed that the table had actually been renamed. This violates the endpoint's read-only security contract and lets an MCP caller perform backend writes or administrative SQL, limited by the configured MCP target account's database privileges. Version 3.0.9 contains a fix. Other operator mitigations include: keeping MCP disabled unless required; setting a non-empty `mcp-query_endpoint_auth` token before exposing `/mcp/query`; restricting MCP listener network exposure; configuring MCP backend target credentials as database-level read-only users; and adding temporary MCP query rules to block obvious multi-statement patterns.
AI Analysis
Technical Summary
ProxySQL's GenAI/MCP run_sql_readonly tool in versions 3.0.0 through 3.0.8 improperly validates input SQL queries by only checking the first keyword and applying a substring blacklist. However, it executes the entire SQL string on a backend connection with CLIENT_MULTI_STATEMENTS enabled. This allows an attacker to submit a read-only first statement (e.g., SELECT) followed by a side-effecting second statement (e.g., RENAME TABLE), which is not blocked by the blacklist. As a result, the tool violates its read-only contract and permits backend writes or administrative SQL commands limited by the MCP target account's privileges. The vulnerability is fixed in version 3.0.9. Additional operator mitigations include disabling MCP when not required, enforcing authentication tokens on the /mcp/query endpoint, restricting MCP network exposure, using read-only database credentials, and blocking multi-statement patterns via query rules.
Potential Impact
This vulnerability allows an unauthenticated network attacker to bypass the intended read-only restrictions of the run_sql_readonly tool and execute side-effecting SQL statements on the backend database. This can lead to unauthorized administrative actions such as renaming tables, potentially impacting data integrity and database configuration. The impact is limited by the privileges of the MCP target account configured in ProxySQL. There is no indication of confidentiality or availability impact. No known exploits in the wild have been reported.
Mitigation Recommendations
Version 3.0.9 of ProxySQL contains a fix for this vulnerability and should be applied to affected systems. Until patched, operators should disable the MCP feature if it is not required. If MCP must be enabled, set a non-empty mcp-query_endpoint_auth token to require authentication on the /mcp/query endpoint. Restrict network exposure of the MCP listener to trusted hosts only. Configure MCP backend target credentials as database-level read-only users to limit potential damage. Additionally, implement temporary MCP query rules to block multi-statement SQL patterns that could exploit this issue. Patch status is not explicitly confirmed in the advisory, but version 3.0.9 is stated to contain the fix.
CVE-2026-48774: CWE-20: Improper Input Validation in sysown proxysql
Description
ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 3.0.0 through 3.0.8, ProxySQL's GenAI/MCP `run_sql_readonly` tool violates its documented read-only contract for MySQL targets. The tool validates only the full input string with a substring blacklist and first-keyword allowlist, but then executes the entire SQL string on a backend connection created with `CLIENT_MULTI_STATEMENTS`. As a result, a caller can submit a read-only first statement followed by a side-effecting second statement, such as `SELECT 1; RENAME TABLE ...`. The validator accepts the payload because it starts with `SELECT` and because side-effecting MySQL statements such as `RENAME TABLE`, `SET`, `RESET`, `LOCK TABLES`, and `KILL` are not rejected by the blacklist. In a live MCP runtime test, the `/mcp/query` endpoint accepted a `run_sql_readonly` request. The MCP response reported success for the first `SELECT`, and direct backend verification showed that the table had actually been renamed. This violates the endpoint's read-only security contract and lets an MCP caller perform backend writes or administrative SQL, limited by the configured MCP target account's database privileges. Version 3.0.9 contains a fix. Other operator mitigations include: keeping MCP disabled unless required; setting a non-empty `mcp-query_endpoint_auth` token before exposing `/mcp/query`; restricting MCP listener network exposure; configuring MCP backend target credentials as database-level read-only users; and adding temporary MCP query rules to block obvious multi-statement patterns.
CVSS v3.1
Score 7.5high
Affected software
pkg:github/sysown/proxysqlRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
ProxySQL's GenAI/MCP run_sql_readonly tool in versions 3.0.0 through 3.0.8 improperly validates input SQL queries by only checking the first keyword and applying a substring blacklist. However, it executes the entire SQL string on a backend connection with CLIENT_MULTI_STATEMENTS enabled. This allows an attacker to submit a read-only first statement (e.g., SELECT) followed by a side-effecting second statement (e.g., RENAME TABLE), which is not blocked by the blacklist. As a result, the tool violates its read-only contract and permits backend writes or administrative SQL commands limited by the MCP target account's privileges. The vulnerability is fixed in version 3.0.9. Additional operator mitigations include disabling MCP when not required, enforcing authentication tokens on the /mcp/query endpoint, restricting MCP network exposure, using read-only database credentials, and blocking multi-statement patterns via query rules.
Potential Impact
This vulnerability allows an unauthenticated network attacker to bypass the intended read-only restrictions of the run_sql_readonly tool and execute side-effecting SQL statements on the backend database. This can lead to unauthorized administrative actions such as renaming tables, potentially impacting data integrity and database configuration. The impact is limited by the privileges of the MCP target account configured in ProxySQL. There is no indication of confidentiality or availability impact. No known exploits in the wild have been reported.
Mitigation Recommendations
Version 3.0.9 of ProxySQL contains a fix for this vulnerability and should be applied to affected systems. Until patched, operators should disable the MCP feature if it is not required. If MCP must be enabled, set a non-empty mcp-query_endpoint_auth token to require authentication on the /mcp/query endpoint. Restrict network exposure of the MCP listener to trusted hosts only. Configure MCP backend target credentials as database-level read-only users to limit potential damage. Additionally, implement temporary MCP query rules to block multi-statement SQL patterns that could exploit this issue. Patch status is not explicitly confirmed in the advisory, but version 3.0.9 is stated to contain the fix.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-22T19:39:05.357Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a359d6df198dc38c122039f
Added to database: 6/19/2026, 7:50:05 PM
Last enriched: 6/19/2026, 8:05:11 PM
Last updated: 6/20/2026, 12:06:35 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.