ProxySQL PROXY Protocol v1 UNKNOWN Source IP Spoofing ACL Bypass
CVE-2026-48772 is a critical vulnerability in ProxySQL affecting versions 2.0.0 through 3.0.8. The ProxySQL MySQL frontend accepts a HAProxy PROXY protocol v1 header of the form PROXY UNKNOWN <addr> <addr> <port> <port>\r\n as valid and parses the address fields that follow the UNKNOWN token. The PROXY protocol v1 specification defines UNKNOWN as carrying no usable address: a receiver must ignore whatever precedes the CRLF, so the only address it may trust is the connection's own transport address. ProxySQL instead uses sscanf to extract the attacker-supplied address values and stores the spoofed source IP in the session's addr.addr field. That forged client address is then consumed by the query-rule matcher, specifically mysql_query_rules.client_addr, which is used for routing and access-control decisions. As a result, a remote client can claim an arbitrary source IP address and cause ProxySQL to treat the connection as if it originated from a trusted network or application source. The issue is especially exposed when mysql-proxy_protocol_networks = '*', which is the default configuration and allows any TCP peer to supply a PROXY protocol header.
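The following C++ is an added example, not ProxySQL's own code, that models the two behaviours side by side: a parser that hands the fields after UNKNOWN to sscanf, as the description above says ProxySQL does, and a spec-conformant parser that ignores everything after UNKNOWN and keeps the transport address. It also models the effect of mysql-proxy_protocol_networks with a small IPv4-only CIDR gate. The function names, the SourceAddr struct, the IPv4-only gate and the sample peer and header values are assumptions made for illustration.

```cpp
// Added example modelling the flaw and the spec-conformant fix. Not ProxySQL's
// code: names, the SourceAddr struct and the IPv4-only gate are assumptions.
#include <arpa/inet.h>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

struct SourceAddr {
    std::string ip;
    unsigned port;
};

// Vulnerable shape: five fields are pulled out with sscanf regardless of the
// protocol token, so an UNKNOWN line carrying addresses installs a spoofed IP.
bool parse_proxy_v1_vulnerable(const std::string &line, const SourceAddr &transport,
                               SourceAddr &out) {
    char proto[8] = {0}, src[64] = {0}, dst[64] = {0};
    unsigned sport = 0, dport = 0;
    int n = std::sscanf(line.c_str(), "PROXY %7s %63s %63s %u %u",
                        proto, src, dst, &sport, &dport);
    if (n == 5) {                 // address fields present: believed blindly
        out = SourceAddr{src, sport};
        return true;
    }
    if (n == 1 && std::strcmp(proto, "UNKNOWN") == 0) {   // bare "PROXY UNKNOWN"
        out = transport;
        return true;
    }
    return false;
}

static bool valid_ip(const char *s, int family) {
    unsigned char buf[16];
    return inet_pton(family, s, buf) == 1;
}

// Spec-conformant parse: CRLF-terminated, at most 107 bytes; after UNKNOWN the
// rest of the line is ignored and the transport address kept; TCP4/TCP6
// addresses are validated with inet_pton and ports are bounded.
bool parse_proxy_v1_hardened(const std::string &line, const SourceAddr &transport,
                             SourceAddr &out) {
    if (line.size() < 8 || line.size() > 107) return false;
    if (line.compare(line.size() - 2, 2, "\r\n") != 0) return false;
    if (line.compare(0, 6, "PROXY ") != 0) return false;
    std::string body = line.substr(6, line.size() - 8);   // between "PROXY " and CRLF
    if (body == "UNKNOWN" || body.compare(0, 8, "UNKNOWN ") == 0) {
        out = transport;          // never parse what follows UNKNOWN
        return true;
    }
    char proto[8] = {0}, src[64] = {0}, dst[64] = {0};
    unsigned sport = 0, dport = 0;
    char extra = 0;
    int n = std::sscanf(body.c_str(), "%7s %63s %63s %u %u%c",
                        proto, src, dst, &sport, &dport, &extra);
    if (n != 5) return false;     // exactly five fields, nothing trailing
    int family;
    if (std::strcmp(proto, "TCP4") == 0) family = AF_INET;
    else if (std::strcmp(proto, "TCP6") == 0) family = AF_INET6;
    else return false;
    if (!valid_ip(src, family) || !valid_ip(dst, family)) return false;
    if (sport > 65535 || dport > 65535) return false;
    out = SourceAddr{src, sport};
    return true;
}

// Gate in the spirit of mysql-proxy_protocol_networks (simplified to IPv4
// CIDRs): a PROXY header is honoured only if the TCP peer lies inside one of
// the listed networks. "*" trusts every peer, which is the setting to avoid.
bool peer_may_send_proxy_header(const std::string &peer_ip,
                                const std::vector<std::string> &networks) {
    in_addr peer{};
    if (inet_pton(AF_INET, peer_ip.c_str(), &peer) != 1) return false;
    uint32_t p = ntohl(peer.s_addr);
    for (const std::string &net : networks) {
        if (net == "*") return true;
        size_t slash = net.find('/');
        unsigned bits = (slash == std::string::npos) ? 32 : std::stoul(net.substr(slash + 1));
        in_addr n{};
        if (bits > 32 || inet_pton(AF_INET, net.substr(0, slash).c_str(), &n) != 1) continue;
        uint32_t mask = (bits == 0) ? 0 : 0xFFFFFFFFu << (32 - bits);
        if ((ntohl(n.s_addr) & mask) == (p & mask)) return true;
    }
    return false;
}

// Source address the session would record. A peer outside the allowed networks
// can never override its transport address; a malformed header falls back to
// the transport address here (a real frontend would close the socket instead).
SourceAddr resolve_client_addr(const SourceAddr &transport,
                               const std::vector<std::string> &networks,
                               const std::string &first_line, bool hardened) {
    if (!peer_may_send_proxy_header(transport.ip, networks)) return transport;
    SourceAddr out = transport;
    bool ok = hardened ? parse_proxy_v1_hardened(first_line, transport, out)
                       : parse_proxy_v1_vulnerable(first_line, transport, out);
    return ok ? out : transport;
}

int main() {
    const SourceAddr peer{"203.0.113.7", 51234};   // constructed untrusted TCP peer
    const std::string spoof = "PROXY UNKNOWN 10.0.0.5 10.0.0.1 3306 3306\r\n";  // constructed
    std::printf("vulnerable, networks='*':          %s\n",
                resolve_client_addr(peer, {"*"}, spoof, false).ip.c_str());
    std::printf("hardened, networks='*':            %s\n",
                resolve_client_addr(peer, {"*"}, spoof, true).ip.c_str());
    std::printf("vulnerable, networks='10.0.0.0/8': %s\n",
                resolve_client_addr(peer, {"10.0.0.0/8"}, spoof, false).ip.c_str());
    return 0;
}
```

With the wildcard and the vulnerable parser the untrusted peer 203.0.113.7 is recorded as 10.0.0.5; the hardened parser keeps 203.0.113.7 for the same line, and restricting the networks list keeps the transport address even with the vulnerable parser, which is why the network restriction works as a compensating control.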
Impact, mitigation & remediation
Impact
The forged source address is consumed by the query-rule matcher through mysql_query_rules.client_addr. This can let untrusted clients impersonate trusted internal or administrative source IP ranges, influence read/write routing decisions, bypass schema pinning restrictions, and evade query-filter rules intended to restrict dangerous operations such as DDL from non-admin networks. In practice, this is a source-IP spoofing vulnerability that leads to access-control bypass and traffic misrouting, with downstream confidentiality, integrity, and availability consequences depending on how client_addr is used in the deployment.
Mitigation
Restrict mysql-proxy_protocol_networks to the addresses of trusted load balancers or proxies, avoiding the default wildcard configuration where possible. Limit network exposure of the ProxySQL frontend port to trusted load balancers or proxies only. Review mysql_query_rules entries that rely on client_addr for routing or authorization, and treat source-IP-based trust decisions as unreliable until patched. Additional compensating controls include network ACLs that prevent direct client access to the frontend listener and an audit of deployments that use client_addr for administrative or privileged query paths.
Remediation
The fix addresses the handling of PROXY protocol v1 UNKNOWN frames and includes regression tests. Organizations running ProxySQL 3.0.8 or earlier should upgrade as a priority.
Exploits
No public exploit code observed for this vulnerability.