A newly discovered security flaw that remained hidden in the Squid web proxy for nearly 30 years could allow one user to secretly view parts of another user’s internet requests, potentially exposing passwords, login sessions, API keys, and other sensitive information.
The vulnerability, called Squidbleed (CVE-2026-47729), was discovered with assistance from Anthropic’s Claude Mythos Preview, which the security researcher credited with helping identify the long-standing bug.
How Squidbleed Works
Squid is a popular web proxy used by businesses, schools, and other organizations to manage internet traffic.
The flaw affects Squid’s built-in FTP feature. By setting up a specially crafted FTP server, an attacker who already has permission to use the same proxy can trick Squid into revealing leftover pieces of data from another user’s earlier web requests.
This happens because Squid fails to completely clear some memory before reusing it, allowing small fragments of another user’s information to accidentally leak.
Who is at Risk?
The vulnerability cannot be exploited by an arbitrary attacker on the internet.
Instead, the attacker must already have access to the same Squid proxy and operate an FTP server that the proxy can connect to. Since FTP support is enabled by default, the issue is most relevant in shared environments such as offices, schools, universities, and public Wi-Fi networks where multiple people use the same proxy service.
What Information Could Be Exposed?
The flaw only affects internet traffic that Squid is able to read.
Regular HTTPS websites are usually protected because their traffic remains encrypted as it passes through the proxy. However, the vulnerability can expose unencrypted HTTP traffic or HTTPS traffic in environments where the proxy is configured to decrypt and inspect secure connections.
Depending on the traffic, the leaked information could include usernames, passwords, session cookies, authentication tokens, API keys, and other sensitive data.
Risk is Limited
The vulnerability has received a moderate severity rating with a CVSS score of 6.5.
Although an attacker needs valid access to the affected proxy, victims do not need to click anything or take any action for their information to be exposed.
The flaw only allows information to be viewed. It cannot be used to modify data or crash the proxy server.
Patch Status
There has been some confusion over which version of Squid fully fixes the vulnerability.
A Squid developer initially said the patch was included in version 7.6 before later stating it would arrive in version 7.7. However, a Debian security developer noted that the fix appears to already be present in Squid 7.6.
Because of this uncertainty, administrators should verify that their installed package includes the security patch rather than relying only on the version number. Some Linux distributions may also provide the fix through backported security updates, even if they use an older Squid release.
Squid 7.6 also fixes an unrelated memory corruption vulnerability tracked as CVE-2026-50012.
Disable FTP If You Don’t Need It
Researchers recommend disabling FTP support if it is not required.
Most modern web browsers stopped supporting FTP years ago, and many organizations no longer rely on the protocol. Disabling FTP removes the attack path used by Squidbleed, regardless of whether the latest software update has been installed.
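As an added example (not from the researchers or the Squid project), the sketch below checks squid.conf text for an unconditional FTP deny placed ahead of any allow rule. It assumes FTP is refused with Squid's standard `acl ... proto FTP` and `http_access deny` directives, since the article does not say which method the researchers recommend. The helper name `ftp_denied` is hypothetical and the sample configurations are constructed.

```python
# Added example: conservative audit of squid.conf text for an FTP deny rule.
# ftp_denied() is a hypothetical helper; it ignores "include" files.

def ftp_denied(conf_text):
    """Return (ok, reason) from a first-match walk of http_access rules."""
    proto_acls = {}  # acl name -> set of protocols it matches
    rules = []       # (line number, action, acl references) in file order
    for num, raw in enumerate(conf_text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "proto":
            # Repeated acl lines with the same name accumulate values.
            proto_acls.setdefault(tok[1], set()).update(v.upper() for v in tok[3:])
        elif len(tok) >= 3 and tok[0] == "http_access" and tok[1] in ("allow", "deny"):
            rules.append((num, tok[1], tok[2:]))
    ftp_only = {n for n, p in proto_acls.items() if p == {"FTP"}}
    for num, action, refs in rules:
        if action == "deny" and len(refs) == 1 and refs[0] in ftp_only:
            return True, f"line {num}: unconditional deny for proto FTP"
        if action == "allow":
            # An allow is safe only if one of its ACLs cannot match ftp:// URLs.
            excludes_ftp = any(
                (r.startswith("!") and r[1:] in ftp_only)
                or (r in proto_acls and "FTP" not in proto_acls[r])
                for r in refs)
            if not excludes_ftp:
                return False, f"line {num}: allow may match ftp:// before any FTP deny"
    return False, "no unconditional deny for proto FTP found"

# Constructed sample configurations (not taken from any real deployment).
WEAK = """
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all
"""
HARDENED = """
acl localnet src 10.0.0.0/8
acl FTP proto FTP
http_access deny FTP
http_access allow localnet
"""
MISORDERED = """
acl FTP proto FTP
http_access allow all
http_access deny FTP
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED), ("misordered", MISORDERED)):
        print(name, ftp_denied(conf))
```

The check is deliberately strict: a deny rule that appears after a matching allow never takes effect, because Squid stops at the first `http_access` rule that matches.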

