External risk intelligence

ProxySQL PROXY Protocol Parsing Routing and ACL Bypass Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2026-48772

ProxySQL functions as a database proxy designed to sit between application clients and backend database servers. It is commonly deployed as an edge or intermediary service to handle incoming traffic, and the vulnerability is reachable via the frontend listener which often processes external or inter-service network traffic.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability in ProxySQL, a database proxy, allows unauthenticated attackers to bypass routing and access controls by manipulating the PROXY protocol header. This could enable unauthorized access to sensitive data or critical database operations by misdirecting traffic. The main concern is confirming relevance and exposure.

Malicious actors can spoof client addresses.
Bypasses critical database routing and access controls.
Confirm if ProxySQL is used and exposed to this threat.

Attack Path

How an attacker could exploit the issue

An attacker can send a specially crafted PROXY protocol header to ProxySQL's frontend port. Because ProxySQL incorrectly parses the `UNKNOWN` token in the header, it accepts spoofed client IP addresses. This allows an attacker to bypass routing and access control rules, potentially gaining access to sensitive internal routing or filtering mechanisms.

Attacker must reach ProxySQL frontend.
Triggered by malformed PROXY protocol header.
Bypasses routing and access controls.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to bypass routing and access control rules in ProxySQL when the PROXY protocol is enabled. By sending a specially crafted PROXY frame, an attacker could trick ProxySQL into treating their traffic as if it originated from a trusted source IP address, potentially gaining unauthorized access to internal application routes or sensitive data.

Forged client IP addresses in routing.
Bypassing query rules and ACLs.
Unauthorized access to internal routes.

Operational Fix

Recommended remediation, mitigation, and detection steps

ProxySQL deployments are likely managed by infrastructure, platform, or database administration teams responsible for database connectivity and routing. The first actionable step is to inventory all ProxySQL instances, determine their reachability and business criticality, identify the owning team, and then prioritize remediation based on exposure.

Infrastructure or Platform Teams own this.
Verify ProxySQL reachability and criticality.
Plan maintenance for vendor-supported updates.

Supplementary metadata

CVSS vector

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is ProxySQL and why is it used?

ProxySQL is a high-performance database proxy designed to sit between your application clients and backend database servers like MySQL or PostgreSQL. It acts as an intermediary, managing connections, balancing loads, and enforcing security policies. Administrators use it to optimize database performance, enable read-write splitting, and control which applications can access specific database schemas or query patterns.

What does CVE-2026-48772 mean in simple terms?

This vulnerability involves an Improper Authentication and Incorrect Authorization weakness. ProxySQL fails to correctly follow the PROXY protocol specification when it receives an 'UNKNOWN' client designation. Instead of ignoring the address fields as required, it reads them and allows the sender to provide a fake source IP address. This effectively tricks the proxy into trusting the attacker's connection as if it originated from a different, perhaps more privileged, location.

How can an attacker trigger this vulnerability?

An attacker must be able to reach the ProxySQL frontend listener port over the network. By sending a specially crafted PROXY protocol v1 frame that includes an 'UNKNOWN' token followed by a chosen spoofed IP address, the attacker forces ProxySQL to associate their session with that address. Importantly, this does not require valid database credentials; the bypass happens at the connection and routing layer before any database-level authentication occurs.

Do I need to worry if my ProxySQL instance is internal?

Halo Surface Signal indicates that while this is a critical issue, its relevance depends on your specific network architecture. If your ProxySQL frontend is exposed to untrusted or public internet traffic, the risk is immediate. If the service is restricted to strictly internal, trusted segments, the barrier to exploitation is higher, but the bypass remains a significant risk if an attacker gains any foothold within that internal network.

How should I respond to this vulnerability?

Begin by inventorying all ProxySQL instances in your environment to confirm their current version and network reachability. Coordinate with your infrastructure or database teams to prioritize systems that are accessible from less-trusted networks. The primary path to resolution is to update your software to version 3.0.9 or later, which contains the necessary fix for how these PROXY protocol headers are parsed.

References

Written by Nicholas Merritt

Nicholas Merritt is VP of Security Solutions at Halo Security. With more than 25 years across application security, vulnerability prioritization, and offensive security, he helps teams translate threat data into practical exposure validation and remediation focus. He authors Halo Threat Intelligence CVE advisories using Halo Surface Signal and H/A/L/O context to prioritize internet-facing risk.