Security Advisory - Published 2026-06-20 - ProxySQL

ProxySQL 3.0.9 security batch: patch frontends and review MCP exposure

CVE-2026-48772, CVE-2026-48773, and CVE-2026-48774 affect ProxySQL deployments that expose MySQL/PostgreSQL proxy services or the newer GenAI/MCP surface. Treat internet-facing ProxySQL listeners as urgent. Patch first, then review crashes, restarts, connection spikes, and any database writes through tools expected to be read-only.

Defensive scope: this guide covers version checks, exposure review, logs, and repair. It does not include crafted protocol input or exploitation steps.

Affected ProxySQL items

CVE             Affected               Review                                                              CVSS
CVE-2026-48772  2.0.0 through 3.0.8    ProxySQL listeners, crashes, restarts, and frontend access          10.0
CVE-2026-48773  2.0.18 through 3.0.8   ProxySQL process crashes, listener exposure, and connection spikes   9.8
CVE-2026-48774  3.0.0 through 3.0.8    MCP/GenAI settings, tool logs, and database write activity           7.5

Owner self-check

# Installed version (compare against the affected ranges above)
proxysql --version
# Service state and recent restarts
systemctl status proxysql --no-pager
# Listening sockets: admin interface (6032 by default), proxy interface (6033), and the bind address of each
ss -lntp | grep -E '6032|6033|proxysql'
# Crash, restart, and GenAI/MCP messages from the last week
journalctl -u proxysql --since '7 days ago' --no-pager | grep -Ei 'crash|segfault|restart|mcp|genai|error'
# Listener and GenAI/MCP settings in config and data directories (extended regex, so plain '|' alternation)
grep -RniE 'mysql_ifaces|pgsql_ifaces|admin-mysql_ifaces|mcp|genai' /etc/proxysql* /var/lib/proxysql* 2>/dev/null

What to review

  • Any ProxySQL frontend listener reachable from the public internet or broad office networks.
  • Unexpected service restarts, segmentation faults, memory corruption messages, or connection spikes.
  • GenAI/MCP settings, tool logs, and database writes that should not come from read-only workflows.
  • Database accounts used by ProxySQL, including whether they have write privileges that are not needed.

Safe fix path

  1. Upgrade ProxySQL to 3.0.9 or newer.
  2. Bind administrative and proxy listeners to trusted interfaces only.
  3. Disable GenAI/MCP surfaces until tool permissions, logs, and network exposure are reviewed.
  4. Rotate database credentials if suspicious write activity, service instability, or unknown clients are found.
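As an added example (not part of this advisory or of ProxySQL itself), a POSIX shell helper that maps a ProxySQL version string to the CVE rows in the table above and flags proxysql sockets bound to a wildcard address in `ss -lntp` output, which is what fix steps 1 and 2 ask you to verify. It assumes you pass the bare X.Y.Z version extracted from `proxysql --version` (that output format is not covered here); the socket lines in `main` are constructed sample input.

```shell
#!/bin/sh
# Added example, not ProxySQL's own tooling. Affected ranges come from the advisory table.

# vernum "3.0.8" -> 3000008, so versions can be compared numerically
vernum() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d%03d%03d\n", $1, $2, $3 }'
}

# affected_cves VERSION: prints the CVE ids whose affected range covers VERSION.
# Returns 1 when none apply (3.0.9 or newer).
affected_cves() {
    v=$(vernum "$1")
    out=""
    [ "$v" -ge "$(vernum 2.0.0)"  ] && [ "$v" -le "$(vernum 3.0.8)" ] && out="$out CVE-2026-48772"
    [ "$v" -ge "$(vernum 2.0.18)" ] && [ "$v" -le "$(vernum 3.0.8)" ] && out="$out CVE-2026-48773"
    [ "$v" -ge "$(vernum 3.0.0)"  ] && [ "$v" -le "$(vernum 3.0.8)" ] && out="$out CVE-2026-48774"
    [ -n "$out" ] || return 1
    printf '%s\n' "${out# }"
}

# exposed_listeners: reads `ss -lntp` lines on stdin; prints the local address
# (column 4) of every proxysql socket bound to 0.0.0.0, * or [::]. Returns 1 if none.
exposed_listeners() {
    awk '/proxysql/ && ($4 ~ /^(0\.0\.0\.0|\*|\[::\]):/) { found = 1; print $4 }
         END { exit !found }'
}

main() {
    # Constructed sample: admin listener on localhost only, proxy listener on all IPv4 interfaces
    sample='LISTEN 0 128 127.0.0.1:6032 0.0.0.0:* users:(("proxysql",pid=1234,fd=21))
LISTEN 0 128 0.0.0.0:6033 0.0.0.0:* users:(("proxysql",pid=1234,fd=22))'
    for ver in 2.0.17 3.0.8 3.0.9; do
        printf '%s: ' "$ver"
        affected_cves "$ver" || echo "not affected"
    done
    printf '%s\n' "$sample" | exposed_listeners && echo "^ bind to trusted interfaces (fix step 2)"
}

main
```

Run it against real output with `ss -lntp | exposed_listeners` once the functions are sourced; a non-zero exit from `affected_cves` means the installed build is already at 3.0.9 or newer.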

Repair help

Use Ping7 CVE Repair when ProxySQL was exposed, databases show unexpected writes, or proxy logs are too noisy to separate normal client traffic from suspicious activity.

References