CRITICAL · CVE-2026-48773 · CNA: GitHub_M

CVE-2026-48773: ProxySQL pre-auth heap overflow in MySQL and PostgreSQL first-packet handling

ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. Versions 2.0.18 through 3.0.8 have a pre-authentication heap memory corruption vulnerability in the MySQL and PostgreSQL protocol first-read paths. A remote unauthenticated client can declare an oversized first packet length, and ProxySQL passes that attacker-controlled length directly to `recv()` while writing into a fixed 32 KB input queue. Version 3.0.9 patches the issue.
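The flaw class described above, as an added C example (not ProxySQL's code and not the upstream patch): a first-packet reader that compares the wire-declared length with the free space in a fixed 32 KB queue before calling `recv()`. The names `in_queue`, `declared_len` and `read_first_packet` are hypothetical; the header layouts are the standard MySQL packet header and PostgreSQL startup-packet length field.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>

#define QUEUE_SIZE (32 * 1024)            /* fixed 32 KB input queue, as in the advisory */
enum proto { PROTO_MYSQL, PROTO_PGSQL };
struct in_queue { uint8_t buf[QUEUE_SIZE]; size_t used; };  /* hypothetical stand-in */

/* Bytes the peer says will follow the 4 header bytes already read. */
static uint32_t declared_len(enum proto p, const uint8_t h[4]) {
    if (p == PROTO_MYSQL)                 /* 3-byte little-endian length, then sequence id */
        return (uint32_t)h[0] | ((uint32_t)h[1] << 8) | ((uint32_t)h[2] << 16);
    /* PostgreSQL startup packet: 4-byte big-endian length that counts itself */
    uint32_t n = ((uint32_t)h[0] << 24) | ((uint32_t)h[1] << 16) | ((uint32_t)h[2] << 8) | h[3];
    return n >= 4 ? n - 4 : UINT32_MAX;   /* a length below 4 is malformed: force rejection */
}

/* Returns payload bytes queued, or -1 when the connection should be dropped. */
ssize_t read_first_packet(int fd, enum proto p, struct in_queue *q) {
    uint8_t h[4];
    if (recv(fd, h, sizeof h, MSG_WAITALL) != (ssize_t)sizeof h)
        return -1;
    uint32_t want = declared_len(p, h);
    /* The flaw class described above is recv(fd, q->buf + q->used, want, 0) with
       `want` taken from the wire and never compared against the queue size. */
    if (want > QUEUE_SIZE - q->used)
        return -1;                        /* declared length exceeds free space: reject */
    ssize_t got = recv(fd, q->buf + q->used, want, MSG_WAITALL);
    if (got != (ssize_t)want)
        return -1;
    q->used += (size_t)got;
    return got;
}

int main(void) {
    static struct in_queue q;             /* zero-initialised */
    int sv[2];
    /* Constructed sample input: a MySQL header declaring 0xFFFFFF payload bytes. */
    const uint8_t oversized[4] = { 0xff, 0xff, 0xff, 0x00 };
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 1;
    if (send(sv[0], oversized, sizeof oversized, 0) != 4) return 1;
    printf("oversized first packet -> %zd\n", read_first_packet(sv[1], PROTO_MYSQL, &q));
    return 0;
}
```

The rejection happens before the second `recv()`, so the queue's `used` counter and contents are untouched when the declared length does not fit.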

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in:
Affected Products: 1


HarborGuard Analysis

Synopsis

A heap memory corruption vulnerability affects ProxySQL versions 2.0.18 through 3.0.8 in the MySQL and PostgreSQL protocol first-packet handling path. A remote, unauthenticated attacker can send a crafted first packet with an oversized declared length, causing ProxySQL to write beyond a fixed 32 KB input queue buffer before any authentication check runs. Successful exploitation gives an attacker the ability to read sensitive data, modify in-flight or persisted data, or crash the proxy service entirely. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection of CVE-2026-48773 is available across every HarborGuard environment. Ingestion from upstream vulnerability feeds runs within minutes of publication, and matching against customer registry images and CI/CD pipeline images is automatic, covering both base images and custom-built images that bundle ProxySQL.

Status: Available

Triage

Triage capability is available using the CVSS v3.1 score of 9.8 (Critical), weighed against each customer organization's compliance policy to determine priority and routing. Findings are routed to the appropriate team inbox within each customer org based on configured ownership rules.

Status: Available

Patch

No fix version has been published for CVE-2026-48773 as of the CVE record date. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainers ship a corrected release.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the ProxySQL listener over the network; no local or physical access is needed.

  • Authentication: Not required

    The vulnerability is triggered in the pre-authentication first-packet path, so no credentials of any kind are required.

  • Victim interaction: Not required

    No user or administrator action is needed; the attacker sends a single malformed packet to trigger the overflow.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free; no race condition, specific memory layout, or environmental dependency is required.

Blast Radius

  • An attacker can read heap memory contents from the ProxySQL process, which may include in-flight credentials, query text, and session tokens.
  • An attacker can corrupt heap structures to manipulate ProxySQL's query routing or inject modified SQL payloads toward backend databases.
  • An attacker can crash the ProxySQL process, dropping all proxied database connections and making backend databases unreachable to applications relying on the proxy.
  • Because exploitation requires no authentication, any network-exposed ProxySQL instance in the affected version range is reachable by an unauthenticated external attacker.

How HarborGuard Handles This

Available on HarborGuard: continuous advisory monitoring for CVE-2026-48773 is active across all customer environments, with re-evaluation on every ingest cycle. Because no upstream fix exists yet, patched-image rebuilds are not available at this time.

In the interim, customers can apply compensating controls:

  • Restrict network-policy ingress to the ProxySQL port (default 6033 for MySQL, 6432 for PostgreSQL) to trusted source CIDRs only.
  • Apply egress filtering on hosts where ProxySQL runs to limit lateral movement if the process is compromised.
  • Consider feature-flag gating or temporary removal of ProxySQL from externally reachable network segments until a patch is available.

The moment version 3.0.9 or a later fix release is published upstream, HarborGuard will ingest it, flag the patched base image, and for customers with auto-remediation enabled, trigger a rebuilt image, a regression-test run, and a PR opened against affected workloads.

Affected packages
  • sysown / proxysql
    >= 2.0.18, < 3.0.9
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H