Description
ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 3.0.0 through 3.0.8, ProxySQL's GenAI/MCP `run_sql_readonly` tool violates its documented read-only contract for MySQL targets. The tool validates only the full input string with a substring blacklist and first-keyword allowlist, but then executes the entire SQL string on a backend connection created with `CLIENT_MULTI_STATEMENTS`. As a result, a caller can submit a read-only first statement followed by a side-effecting second statement, such as `SELECT 1; RENAME TABLE ...`. The validator accepts the payload because it starts with `SELECT` and because side-effecting MySQL statements such as `RENAME TABLE`, `SET`, `RESET`, `LOCK TABLES`, and `KILL` are not rejected by the blacklist. In a live MCP runtime test, the `/mcp/query` endpoint accepted a `run_sql_readonly` request. The MCP response reported success for the first `SELECT`, and direct backend verification showed that the table had actually been renamed. This violates the endpoint's read-only security contract and lets an MCP caller perform backend writes or administrative SQL, limited by the configured MCP target account's database privileges. Version 3.0.9 contains a fix. Other operator mitigations include: keeping MCP disabled unless required; setting a non-empty `mcp-query_endpoint_auth` token before exposing `/mcp/query`; restricting MCP listener network exposure; configuring MCP backend target credentials as database-level read-only users; and adding temporary MCP query rules to block obvious multi-statement patterns.
Published: 2026-06-19
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ProxySQL’s GenAI/MCP `run_sql_readonly` endpoint was designed to enforce a read‑only contract on MySQL targets, but in versions 3.0.0 through 3.0.8 the validator applies only a simple substring blacklist and a first‑keyword allowlist to the full input string. The backend connection is created with `CLIENT_MULTI_STATEMENTS`, so an attacker can submit a first statement that begins with an allowed keyword such as SELECT, followed by a second, side‑effecting statement such as RENAME TABLE, SET, or LOCK TABLES. The validation logic accepts the payload because the second statement is not covered by the blacklist, and the backend executes the entire string. Consequently, a caller who is able to reach the MCP query endpoint can modify data or perform administrative actions on the database, breaching the promised read‑only interface.

Affected Systems

The vulnerability affects systems running ProxySQL versions 3.0.0 through 3.0.8. This includes deployments in front of MySQL, MariaDB and other MySQL‑compatible forks, and any service that exposes the `/mcp/query` endpoint to the network.

Risk and Exploitability

The CVSS score of 7.5 indicates a moderately high severity, and the absence of an EPSS score means the current public data does not quantify exploitation likelihood. The vulnerability is not listed in CISA KEV, suggesting no widely known exploitation as of now. The likely attack vector is a compromised or exposed MCP endpoint: the attacker must have network access to `/mcp/query` and, where the operator has set `mcp-query_endpoint_auth`, must supply a valid query token. Because the backend connection uses the configured MCP target credentials, the extent of damage is bounded by those privileges, but an attacker can still perform any write or administrative operation within that account’s scope.

Generated by OpenCVE AI on June 19, 2026 at 21:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ProxySQL to version 3.0.9 or later, which contains the patch that enforces read‑only semantics.
  • Disable the MCP service when it is not required, or restrict the listening address to internal, trusted interfaces only.
  • Require a non‑empty authentication token for the `/mcp/query` endpoint by setting `mcp-query_endpoint_auth`.
  • Configure the backend target credentials used by MCP as database‑level read‑only users to limit possible write operations.
  • Add temporary MCP query rules that block multi‑statement patterns, such as detecting semicolons or keyword combinations that indicate a write operation.
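To make the difference concrete between the whole‑string check described in the Impact section and the statement‑aware check the last recommended action points toward, here is an added example in C++. It is not ProxySQL's code: the allowlist, the deliberately incomplete blacklist and all function names are constructed for illustration. `naive_is_readonly` reproduces the vulnerable shape (first keyword must be allowed, whole string must not contain a blacklisted word), and `strict_is_readonly` splits the text into statements while respecting quotes and comments, then accepts only a single statement whose leading keyword is on the allowlist. It also treats MySQL's `/*! ... */` comment form as executable text rather than stripping it, since the server executes the body of such comments.

```cpp
// Added example (not ProxySQL's code): a whole-string read-only check beside a
// statement-aware one. Names, allowlist and blacklist are constructed.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Upper-case copy of s for case-insensitive comparison.
static std::string upper(const std::string& s) {
    std::string out(s);
    for (char& c : out) c = static_cast<char>(std::toupper(static_cast<unsigned char>(c)));
    return out;
}

// Leading SQL keyword of a statement (letters and '_' only), upper-cased.
static std::string first_keyword(const std::string& stmt) {
    size_t i = 0;
    while (i < stmt.size() && std::isspace(static_cast<unsigned char>(stmt[i]))) ++i;
    size_t j = i;
    while (j < stmt.size() && (std::isalpha(static_cast<unsigned char>(stmt[j])) || stmt[j] == '_')) ++j;
    return upper(stmt.substr(i, j - i));
}

static const std::vector<std::string> kAllow = {"SELECT", "SHOW", "EXPLAIN", "DESCRIBE", "DESC"};
// Constructed blacklist in the style the advisory describes: it has no entry for
// RENAME, SET, RESET, LOCK or KILL, so those statements slip through.
static const std::vector<std::string> kDeny = {"INSERT", "UPDATE", "DELETE", "DROP",
                                               "ALTER", "CREATE", "TRUNCATE", "GRANT"};

// Vulnerable shape: one check over the whole string, after which the whole
// string would be sent to a connection opened with CLIENT_MULTI_STATEMENTS.
bool naive_is_readonly(const std::string& sql) {
    if (std::find(kAllow.begin(), kAllow.end(), first_keyword(sql)) == kAllow.end()) return false;
    const std::string u = upper(sql);
    for (const auto& bad : kDeny)
        if (u.find(bad) != std::string::npos) return false;
    return true;
}

// Split SQL text into statements at top-level ';' only. Semicolons inside
// '...', "...", `...`, '--' or '#' line comments and /* */ block comments do
// not split. /*! ... */ is NOT treated as a comment because MySQL executes it.
std::vector<std::string> split_statements(const std::string& sql) {
    std::vector<std::string> out;
    std::string cur;
    size_t i = 0, n = sql.size();
    while (i < n) {
        char c = sql[i];
        if (c == '\'' || c == '"' || c == '`') {
            char q = c; cur += c; ++i;               // copy through the closing quote
            while (i < n) {
                cur += sql[i];
                if (sql[i] == '\\' && q != '`' && i + 1 < n) { cur += sql[i + 1]; i += 2; continue; }
                if (sql[i] == q) { ++i; break; }
                ++i;
            }
        } else if (c == '#' || (c == '-' && i + 1 < n && sql[i + 1] == '-')) {
            while (i < n && sql[i] != '\n') ++i;     // drop line comment
        } else if (c == '/' && i + 1 < n && sql[i + 1] == '*' && !(i + 2 < n && sql[i + 2] == '!')) {
            size_t end = sql.find("*/", i + 2);      // drop block comment
            i = (end == std::string::npos) ? n : end + 2;
        } else if (c == ';') {
            out.push_back(cur); cur.clear(); ++i;    // top-level statement boundary
        } else {
            cur += c; ++i;
        }
    }
    out.push_back(cur);
    std::vector<std::string> nonblank;               // ignore fragments after a trailing ';'
    for (const auto& s : out)
        if (s.find_first_not_of(" \t\r\n") != std::string::npos) nonblank.push_back(s);
    return nonblank;
}

// Hardened check: exactly one statement, and its leading keyword is allowed.
// No blacklist is needed for this decision; the allowlist is the contract.
bool strict_is_readonly(const std::string& sql) {
    const auto stmts = split_statements(sql);
    if (stmts.size() != 1) return false;
    return std::find(kAllow.begin(), kAllow.end(), first_keyword(stmts[0])) != kAllow.end();
}

int main() {
    const char* samples[] = {
        "SELECT 1; RENAME TABLE t1 TO t2",          // the advisory's pattern
        "SELECT ';' AS s FROM t1",                  // semicolon inside a literal
        "SELECT 1 /* ; RENAME TABLE t1 TO t2 */",   // semicolon inside a comment
        "SELECT 1;",
        "RENAME TABLE t1 TO t2",
    };
    for (const char* s : samples)
        std::cout << (naive_is_readonly(s) ? "naive=PASS " : "naive=FAIL ")
                  << (strict_is_readonly(s) ? "strict=PASS  " : "strict=FAIL  ") << s << '\n';
    return 0;
}
```

Two points follow from the sample runs. A plain "reject any semicolon" query rule, as the last bullet suggests, does block the advisory's payload but also rejects legitimate queries such as `SELECT ';' AS s FROM t1`; splitting on top-level semicolons avoids that false positive. And the validator is defense in depth only: the backend connection for a read-only tool should not be opened with `CLIENT_MULTI_STATEMENTS` at all, and the target account should be a database-level read-only user, so that a validator gap does not translate into a write.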



Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Sysown
                                        Sysown proxysql
Vendors & Products                      Sysown
                                        Sysown proxysql

Fri, 19 Jun 2026 20:00:00 +0000

Type          Values Removed    Values Added
Description                     (identical to the Description section above)
Title                           ProxySQL MCP run_sql_readonly executes side-effecting MySQL multi-statements despite read-only contract
Weaknesses                      CWE-20
References
Metrics                         cvssV3_1: score 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-19T19:34:39.971Z

Reserved: 2026-05-22T19:39:05.357Z

Link: CVE-2026-48774

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-20T22:34:30Z

Weaknesses
  • CWE-20

    Improper Input Validation