Security researchers from Calif.io have uncovered a significant memory leak vulnerability in the Squid Proxy, dubbed 'Squidbleed' (CVE-2026-47729), which has existed since 1997. The flaw allows Squid's FTP parser to read beyond memory boundaries, potentially exposing sensitive HTTP request data from previous users. Exploitation requires control over an FTP server that the proxy can reach, making the flaw especially risky in shared network environments.
While the exposure is limited to unencrypted HTTP traffic and systems where Squid terminates TLS, sensitive credentials can still be at risk in legacy systems. A patch was released in April 2026, and disabling FTP support can help mitigate the risk. The discovery was aided by the AI model Claude Mythos.
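One way to apply the "disable FTP support" mitigation in squid.conf, as an added example that is not from the article or from the Squid project's own documentation. It uses Squid's standard `proto` ACL type and the first-match `http_access` rule list; the ACL name `ftp_proto` and the commented-out port number are my own choices:

```conf
# Constructed squid.conf fragment (added example, not from the article).
# Deny every ftp:// request before Squid opens a connection to any FTP
# server, so the FTP reply parser is never reached for proxied traffic.
# http_access rules are evaluated first-match, so keep this deny line
# above any broader "http_access allow" rules.
acl ftp_proto proto FTP
http_access deny ftp_proto

# If the native FTP relay (Squid 3.5 and later) was enabled with an
# ftp_port directive, remove or comment it out so no FTP listener is
# exposed at all (port number below is a placeholder):
# ftp_port 2121
```

After editing, `squid -k parse` checks the configuration for syntax errors and `squid -k reconfigure` reloads it without restarting the daemon. The ACL approach blocks the ftp:// gateway path at request time; it does not replace applying the April 2026 patch, which fixes the parser itself.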