Description
ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. Versions 2.0.18 through 3.0.8 have a pre-authentication heap memory corruption vulnerability in the MySQL and PostgreSQL protocol first-read paths. A remote unauthenticated client can declare an oversized first packet length, and ProxySQL passes that attacker-controlled length directly to `recv()` while writing into a fixed 32 KB input queue. Version 3.0.9 patches the issue.
Published: 2026-06-19
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A remote, unauthenticated attacker can send an oversized first packet length when communicating with ProxySQL over the MySQL or PostgreSQL protocol. The declared length is taken from the client's first packet, before any authentication, and ProxySQL passes that attacker‑controlled value directly to the recv() call while writing into a fixed 32‑kilobyte input queue, resulting in a pre‑authentication heap out‑of‑bounds write (CWE‑787). The overflow can corrupt adjacent heap objects, including allocator metadata or control data, which in the worst case lets an attacker alter execution flow or execute arbitrary code on the proxy host; at minimum it crashes the proxy process.
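The pattern described above, as an added illustrative example (this is not ProxySQL's code and does not reproduce its actual first‑read logic): a MySQL‑framed first packet carries a 3‑byte little‑endian payload length, the vulnerable read hands that length straight to recv() aimed at a fixed 32 KiB queue, and the bounded read rejects the packet before any payload byte is written. A byte array stands in for the socket and a flat region stands in for the heap, so the overflow lands in memory the program owns and can inspect; the constants QUEUE_SIZE, SLACK and OVERSIZED_LEN, the fake_recv/fake_peer_t stand‑ins and the 'A'‑filled packet are all constructed for the demo.

```c
/* Illustrative reconstruction of "attacker-controlled length straight to recv()"
 * beside a bounded version. Not ProxySQL's code. The socket is simulated by a byte
 * array and the heap by a flat region, so the overflow stays inside memory we own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QUEUE_SIZE    (32u * 1024u)        /* fixed input queue size from the advisory */
#define SLACK         4096u                /* stands in for the next heap object */
#define REGION        (QUEUE_SIZE + SLACK)
#define OVERSIZED_LEN (QUEUE_SIZE + 1020u) /* 4-byte header + this = 1024 bytes past the queue */

typedef enum { READ_OK, READ_TOO_LARGE, READ_SHORT } read_status_t;
typedef struct { read_status_t status; size_t spill; } scenario_result_t;

/* Simulated peer: the bytes the client sent, consumed in order. */
typedef struct { const uint8_t *data; size_t len; size_t pos; } fake_peer_t;

/* Stand-in for recv(2): copies up to `want` bytes into dst. Like the real call it
 * has no idea how large dst is; the caller is the only bounds check there is. */
static size_t fake_recv(fake_peer_t *p, uint8_t *dst, size_t want) {
    size_t avail = p->len - p->pos;
    size_t n = want < avail ? want : avail;
    memcpy(dst, p->data + p->pos, n);
    p->pos += n;
    return n;
}

/* MySQL packet header: 3-byte little-endian payload length, then a 1-byte sequence id. */
static uint32_t mysql_payload_len(const uint8_t hdr[4]) {
    return (uint32_t)hdr[0] | ((uint32_t)hdr[1] << 8) | ((uint32_t)hdr[2] << 16);
}

/* Vulnerable shape: the declared length is never compared with the queue size,
 * so a 32 KiB queue can be told to receive up to 16 MiB. */
static read_status_t first_read_vulnerable(fake_peer_t *peer, uint8_t *queue) {
    if (fake_recv(peer, queue, 4) != 4) return READ_SHORT;
    uint32_t len = mysql_payload_len(queue);
    if (fake_recv(peer, queue + 4, len) != len) return READ_SHORT;  /* BUG: unbounded */
    return READ_OK;
}

/* Bounded shape: reject the packet before any payload byte is written. */
static read_status_t first_read_bounded(fake_peer_t *peer, uint8_t *queue, size_t queue_size) {
    if (queue_size < 4 || fake_recv(peer, queue, 4) != 4) return READ_SHORT;
    uint32_t len = mysql_payload_len(queue);
    if (len > queue_size - 4) return READ_TOO_LARGE;
    if (fake_recv(peer, queue + 4, len) != len) return READ_SHORT;
    return READ_OK;
}

/* Constructed client packet: header claiming `payload_len` bytes, body of 'A's. */
static size_t build_packet(uint8_t *out, uint32_t payload_len) {
    out[0] = (uint8_t)(payload_len & 0xFF);
    out[1] = (uint8_t)((payload_len >> 8) & 0xFF);
    out[2] = (uint8_t)((payload_len >> 16) & 0xFF);
    out[3] = 0;                                   /* sequence id of the first packet */
    memset(out + 4, 'A', payload_len);
    return 4 + payload_len;
}

/* Run one first-read against a fresh queue whose neighbour is filled with 0xAA,
 * and report how many neighbour bytes were overwritten. */
static scenario_result_t run_scenario(int bounded, uint32_t declared_len) {
    static uint8_t region[REGION];
    static uint8_t wire[REGION];
    scenario_result_t r = { READ_SHORT, 0 };
    if ((size_t)declared_len + 4 > sizeof region) return r;  /* keep the demo itself in bounds */

    memset(region, 0, QUEUE_SIZE);
    memset(region + QUEUE_SIZE, 0xAA, SLACK);               /* canary pattern in the neighbour */
    fake_peer_t peer = { wire, build_packet(wire, declared_len), 0 };

    r.status = bounded ? first_read_bounded(&peer, region, QUEUE_SIZE)
                       : first_read_vulnerable(&peer, region);
    for (size_t i = 0; i < SLACK; i++)
        if (region[QUEUE_SIZE + i] != 0xAA) r.spill++;
    return r;
}

int main(void) {
    scenario_result_t v = run_scenario(0, OVERSIZED_LEN);
    scenario_result_t b = run_scenario(1, OVERSIZED_LEN);
    printf("vulnerable: status=%d, neighbour bytes clobbered=%zu\n", v.status, v.spill);
    printf("bounded:    status=%d, neighbour bytes clobbered=%zu\n", b.status, b.spill);
    return 0;
}
```

The check in first_read_bounded is the whole fix in miniature: compare the wire‑supplied length against the capacity actually available behind the pointer before it reaches recv(). A production reader would additionally loop on short reads and cap the request at the protocol's own maximum packet size, but neither changes the bounds check itself.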

Affected Systems

The affected product is ProxySQL by Sysown. Versions from 2.0.18 through 3.0.8 are vulnerable, while version 3.0.9 applies the fix. The vulnerability exists in the first‑read paths for both MySQL and PostgreSQL protocols.

Risk and Exploitability

The CVSS v3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity. The vulnerability is exploitable by any unauthenticated client that can reach the ProxySQL listening port, so it is a pure remote attack vector with no user interaction. EPSS data is not available and the issue is not listed in CISA’s KEV catalog. Given its pre‑authentication nature and the absence of any vendor workaround other than upgrading, with network access control as the only interim mitigation, it poses a significant risk to the confidentiality, integrity, and availability of affected deployments.

Generated by OpenCVE AI on June 19, 2026 at 21:29 UTC.

Remediation

Fixed in ProxySQL 3.0.9 (see Description). No vendor workaround is published for earlier versions.

OpenCVE Recommended Actions

  • Upgrade ProxySQL to version 3.0.9 or newer to apply the fixed code.
  • If an upgrade cannot be performed immediately, limit exposure by restricting inbound connections to the ProxySQL listening port to trusted networks or by implementing firewall rules that block unknown external hosts.
  • Continuously monitor proxy logs for unusually large first packet lengths, memory corruption errors, or sudden process crashes, and investigate any such events promptly.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 20:00:00 +0000

Type         Values Removed   Values Added
Description  (empty)          ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. Versions 2.0.18 through 3.0.8 have a pre-authentication heap memory corruption vulnerability in the MySQL and PostgreSQL protocol first-read paths. A remote unauthenticated client can declare an oversized first packet length, and ProxySQL passes that attacker-controlled length directly to `recv()` while writing into a fixed 32 KB input queue. Version 3.0.9 patches the issue.
Title        (empty)          ProxySQL pre-auth heap overflow in MySQL and PostgreSQL first-packet handling
Weaknesses   (empty)          CWE-787
References   (empty)          (empty)
Metrics      (empty)          cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-19T19:27:12.183Z

Reserved: 2026-05-22T19:39:05.357Z

Link: CVE-2026-48773

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T21:30:17Z

Weaknesses