January 20, 2026 Release
#release #proxysql #postgresql #mysql

ProxySQL 3.0.5: Security hardening, protocol fixes, and smoother operations

We’re excited to announce ProxySQL 3.0.5, our first release of 2026. As always, thank you to everyone who tested, reported issues, sent patches, and shared real-world feedback. ProxySQL is shaped in production, and this release is a direct result of that collaboration.

ProxySQL 3.0.5 focuses on tightening security guarantees (especially for PostgreSQL TLS enforcement), improving protocol correctness for PostgreSQL clients, and restoring compatibility knobs for MySQL application stacks that are sensitive to version semantics.

Full release notes are available on GitHub: https://github.com/sysown/proxysql/releases/tag/v3.0.5

What’s new in 3.0.5 (and why it matters)

PostgreSQL frontend SSL enforcement: closing a real security gap

One of the most important fixes in 3.0.5 is about trust boundaries.

In certain configurations, a PostgreSQL client could connect without TLS even when the user was configured with use_ssl=1. That’s the kind of issue that can sit quietly in the background until you have to prove enforcement for compliance, audit, or incident response.

ProxySQL 3.0.5 ensures that pgsql_users.use_ssl is properly applied at session level and that frontend connections respect the SSL requirement.

If you run ProxySQL in front of PostgreSQL and rely on ProxySQL as the policy enforcement point, this is the first thing you should validate after upgrading.

Illustrative workflow:

UPDATE pgsql_users
SET use_ssl = 1
WHERE username = 'app_user';

LOAD PGSQL USERS TO RUNTIME;
SAVE PGSQL USERS TO DISK;

MySQL compatibility: control SELECT VERSION() behavior

ProxySQL can answer some “metadata” queries directly, and that’s often a win. But in practice, some application stacks are very particular—especially ORMs that interpret SELECT VERSION() as “tell me exactly what the backend is.”

In 3.0.5 we introduced a new global variable, mysql-select_version_forwarding, that gives you a clean compatibility switch: you can forward SELECT VERSION() to the backend when your environment requires it.

Illustrative configuration:

SET mysql-select_version_forwarding = 1;

LOAD MYSQL VARIABLES TO RUNTIME;
SAVE MYSQL VARIABLES TO DISK;

Better parsing for SET time_zone with modern timezone identifiers

Timezone strings have a way of becoming “simple” right up to the moment your application uses a real IANA name.

3.0.5 improves parsing for MySQL SET time_zone statements to handle:

  • three-component IANA names (e.g., America/Argentina/Buenos_Aires)
  • hyphenated timezone identifiers

If you’ve ever seen a “why is this failing only in production?” issue around session timezone configuration, this is exactly the kind of fix that prevents headaches.

PostgreSQL extended protocol: Bind packet correctness

For PostgreSQL users, 3.0.5 includes an important protocol correctness fix: it addresses malformed Bind packets when clients provide a single parameter format.

That may sound niche, but in practice it can surface as intermittent client failures depending on driver behavior. The goal here is straightforward: make ProxySQL behave correctly and predictably across the variety of PostgreSQL client implementations that exist in the real world.

Safer fork/exec behavior: file descriptor handling improvements

This release also fixes issues in close_all_non_term_fd() that could cause undefined behavior (including potential deadlocks) in multi-threaded programs when used between fork() and execve().

That’s a subtle area of systems programming where “mostly works” is not good enough. These fixes reduce operational risk in environments where process spawning patterns show up.

Admin API hardening: parameterized prepared statements

On the security front, 3.0.5 replaces SQL string concatenation paths in REST-admin execution with parameterized prepared statements. That change reduces injection risk and strengthens the overall security posture of administrative interfaces.

Upgrade notes: what we recommend checking

After upgrading to 3.0.5, we suggest validating these items:

  • PostgreSQL TLS enforcement: confirm that users with use_ssl=1 cannot connect without TLS.
  • MySQL application compatibility: if your stack relies on backend VERSION() semantics, consider enabling mysql-select_version_forwarding.
  • Timezone configuration: if your apps use IANA timezone identifiers in SET time_zone, re-test session initialization paths.
  • PostgreSQL drivers using extended protocol: if you previously saw edge-case Bind/Execute issues, re-test with your primary clients.

Thank you—and what’s next

Again, thank you to our users and contributors. Every bug report, reproduction case, and patch helps us keep ProxySQL robust in the places it matters most: production systems under load.

This is our first release of 2026, and we plan to keep the momentum going—continuing to deliver features and fixes that match what the community and enterprise users need. If you have feedback on 3.0.5 (or ideas for what you want to see next), we’d genuinely like to hear it.

Full release notes: https://github.com/sysown/proxysql/releases/tag/v3.0.5