
Squidbleed: 29-Year-Old Squid Proxy Flaw Leaks User Credentials

With the help of Claude Mythos Preview AI, researchers at Calif have uncovered a 29-year-old flaw in the Squid proxy. Present since 1997 and dubbed Squidbleed (CVE-2026-47729), this issue allows any proxy user to retrieve other users’ HTTP requests in cleartext. Here’s what we know.

CVE-2026-47729: a memory leak

Squid is a widely used web proxy (including in embedded solutions), often deployed to cache, filter, or inspect traffic in shared environments such as schools, businesses, and public Wi-Fi networks. It is precisely in a multi-user environment that the Squidbleed flaw becomes interesting to an attacker.

This vulnerability, tracked as CVE-2026-47729, is an out-of-bounds memory read (heap over-read). As a result, when the proxy returns bytes located beyond the intended memory area, they may belong to another user’s request. This memory-related data leak can expose information from other users, including credentials and sessions.

The bug is not in the HTTP code but in the FTP directory listing parser. According to the report published by Calif.io, the root cause dates back to a January 1997 commit intended to handle old NetWare FTP servers, which inserted four spaces between the timestamp and the filename.

To account for these spaces, the code skips whitespace with a loop based on strchr. The problem is that if a listing line ends right after the timestamp, with no filename, the pointer lands on the string terminator (\0). strchr, however, treats that terminating NUL as part of the string it searches (the C standard defines it that way), so searching for '\0' returns a pointer instead of NULL. The loop therefore never stops and runs past the buffer.

According to Calif.io researchers, this is the detail that Claude Mythos AI spotted during its analysis of Squid’s source code.

"The dangers of direct memory access in C are well known, but the subtleties of standard library functions such as strchr are easier to overlook. Few developers would have guessed that searching for '\0' would succeed, which may explain how a one-line bug escaped nearly 30 years of code review," the report states.

The question is: why are credentials ending up in that memory in the first place? Because Squid recycles its 4 KB buffers without zeroing them. A buffer that just held a victim’s HTTP request still contains most of that content: the short FTP line only overwrites the first bytes, and the out-of-bounds read returns the rest.
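To make the strchr behaviour and the buffer-recycling effect concrete, here is a constructed C example added to this article (it is not Squid's code or Calif.io's): a whitespace-skipping loop in the style described above, beside the one-line check, run over a buffer that still holds a previous request's Authorization header. The buffer layout, request and FTP line are all made up for the demo.

```c
#include <stdio.h>
#include <string.h>
#define BUF_SIZE 64
static const char WHITESPACE[] = " \t";

/* Bug pattern: the C standard counts the terminating NUL as part of the string
 * strchr searches, so strchr(WHITESPACE, '\0') is non-NULL and the loop does
 * not stop at the end of the line. `end` only keeps this demo memory-safe. */
static const char *filename_buggy(const char *p, const char *end)
{
    while (p < end && strchr(WHITESPACE, *p) != NULL)
        p++;
    return p;
}

/* Fix: test for the terminator before asking strchr about the byte. */
static const char *filename_fixed(const char *p, const char *end)
{
    while (p < end && *p != '\0' && strchr(WHITESPACE, *p) != NULL)
        p++;
    return p;
}

/* Constructed "recycled" buffer: another user's HTTP request, then reused
 * without zeroing for an FTP line that ends right after its timestamp. */
static void fill_recycled_buffer(char *buf)
{
    const char *old_request = "GET /a HTTP/1.1\r\n"
                              "Authorization: Basic dXNlcjpwYXNz\r\n";
    const char *ftp_line = "Jan 01 12:00    ";  /* timestamp + 4 spaces */
    memset(buf, 0, BUF_SIZE);
    memcpy(buf, old_request, strlen(old_request));
    memcpy(buf, ftp_line, strlen(ftp_line) + 1);  /* 17 bytes incl. NUL */
}

/* What each parser takes as the filename: stale header with the bug, "" fixed. */
static const char *parse_recycled(int use_fix)
{
    static char buf[BUF_SIZE];
    fill_recycled_buffer(buf);
    const char *after_ts = buf + 12;  /* just past "Jan 01 12:00" */
    return use_fix ? filename_fixed(after_ts, buf + BUF_SIZE)
                   : filename_buggy(after_ts, buf + BUF_SIZE);
}
int main(void)
{
    printf("buggy parser sees: \"%s\"\n", parse_recycled(0));
    printf("fixed parser sees: \"%s\"\n", parse_recycled(1));
}
```

The buggy parser hands back the stale Authorization header as the "filename"; the fixed one stops at the terminator and returns an empty string.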

In fact, a demonstration by Calif.io shows that it is possible to recover an Authorization header from a user using the same vulnerable proxy. This makes it possible to impersonate that user on the target service when the connection passes through the proxy.

A real risk, but with conditions

Several conditions significantly limit the scope of the attack, and all of them must be met for it to work:

  • The attacker must already have access to the proxy. Squid describes Squidbleed as an attack carried out by a trusted client, meaning a user with access to the proxy (this can be as simple as a machine connected to a local network).
  • Only cleartext traffic is exposed. Standard HTTPS travels through a CONNECT tunnel that Squid does not decrypt. The affected traffic includes plain HTTP and configurations where Squid terminates TLS to inspect traffic (SSL inspection).
  • The proxy must be able to reach an attacker-controlled FTP server on port 21. However, the bad news is that FTP support and this port are part of the default configuration.

At this stage, no in-the-wild exploitation has been reported, but exploit code is available on GitHub.

How to protect yourself: patch or disable FTP

According to Calif.io's disclosure timeline, the fix was merged into the development branch on April 19, then into the v7 branch on May 17, and Squid 7.6 was released on June 8, 2026. The patch reportedly fits in one line: check for the NUL terminator before calling strchr.

Be careful, though: according to The Hacker News, there appears to be an inconsistency regarding the exact version that includes the security fix for the SquidBleed flaw. So beyond checking only the version number, verify that the patch is present in the FtpGateway.cc file. This is even more important because distributions ship their own builds. Debian, for example, still ships Squid 5.7.

Calif.io researchers, for their part, recommend disabling FTP. "As a preventive measure, you should really disable the FTP protocol at this stage unless you have a specific and unusual need for it. Chrome, and by extension all Chromium-based browsers, stopped supporting FTP several years ago; as a result, most organizations using Squid now see virtually no legitimate FTP traffic."

This disclosure is part of a broader trend we have been tracking for several months: large-scale AI-assisted vulnerability discovery. Here, it was indeed the Claude Mythos Preview model that helped the researchers. As a reminder, it had found more than 10,000 security flaws in a single month. The same phenomenon had already caused a veritable tsunami of CVEs across major projects in 2026.

For readers new to Squid, IT-Connect offers a refresher on the basics with proxy and reverse proxy servers for beginners as well as a guide to setting up a transparent Squid proxy on PfSense.

Florian Burnel Co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.
