Squid proxy vulnerabilities (CVE-2026-47729, CVE-2026-50012) patched

vulnerability · open · Jun 13, 2026 — Jun 22, 2026
Squid proxy flaw (CVE-2026-47729) exposes HTTP data via FTP

A newly disclosed flaw in the Squid proxy, nicknamed Squidbleed, can leak HTTP request data through its FTP parser, affecting versions that have been in use since the late 1990s. Researchers at Calif.io detailed the issue and said a patch was made available in April 2026.

The vulnerability tracked as CVE-2026-47729 is an out-of-bounds read in Squid’s FTP parser, which lets the process read memory beyond the intended buffer. This can return fragments of earlier HTTP requests, including headers and possibly plaintext credentials, when the proxy handles unencrypted traffic. No CVSS score has been published for the flaw.

A second issue, CVE-2026-50012, is a heap-based buffer overflow in the same component. It could allow an attacker to overwrite memory and potentially execute arbitrary code if they control a malicious FTP server. Both flaws are addressed in Squid version 7.6, which was released alongside the security advisory reported by SecurityOnline.

There have been no public reports of active exploitation or identified threat actors leveraging these bugs. Nevertheless, the exposure is significant in environments where Squid terminates TLS and forwards unencrypted HTTP to backend servers, as stale memory may contain sensitive data from prior sessions. Shared networks or guest Wi‑Fi setups that allow users to run their own FTP servers raise the chance that an attacker could trigger the leak.

Defenders should immediately upgrade to Squid 7.6 or apply the backported patches provided by their distribution. If FTP functionality is not required, disabling the ftp:// scheme in squid.conf removes the attack surface entirely. Limiting outbound FTP connections to trusted servers and monitoring proxy logs for unexpected FTP requests can also help detect attempted exploitation.
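One way to do the log monitoring suggested above, as an added example that is not from the original briefing or from the Squid project: it scans access.log lines in Squid's default native format and reports FTP requests to hosts outside an allowlist. The allowlist, host names and log lines are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the only FTP server clients should reach (hypothetical name).
TRUSTED_FTP_HOSTS = {"ftp.mirror.example"}

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1781300000.101     52 10.0.8.14 TCP_MISS/200 4312 GET http://intranet.example/index.html - HIER_DIRECT/192.0.2.20 text/html
1781300004.550    310 10.0.8.14 TCP_MISS/200 9021 GET ftp://ftp.mirror.example/pub/tool.tar.gz - HIER_DIRECT/192.0.2.30 application/gzip
1781300009.007    120 10.0.9.77 TCP_MISS/200 688 GET ftp://198.51.100.23/ - HIER_DIRECT/198.51.100.23 text/html
1781300011.300      0 10.0.9.77 TCP_DENIED/403 3900 GET ftp://198.51.100.23:2121/a - HIER_NONE/- text/html
truncated line
"""


def parse_line(line):
    """Return the fields of one native-format line, or None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    result, _, status = f[3].partition("/")
    return {"client": f[2], "result": result, "status": status, "url": f[6]}


def unexpected_ftp(log_text, trusted=TRUSTED_FTP_HOSTS):
    """Return (client, host, port, result) for FTP requests to untrusted hosts."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["url"].lower().startswith("ftp://"):
            continue
        try:
            url = urlsplit(rec["url"])
            host, port = (url.hostname or "").lower(), url.port or 21
        except ValueError:
            host, port = rec["url"], None  # unparsable authority: report raw URL
        if host not in trusted:
            findings.append((rec["client"], host, port, rec["result"]))
    return findings


if __name__ == "__main__":
    for client, host, port, result in unexpected_ftp(SAMPLE_LOG):
        print(f"unexpected FTP: client={client} server={host}:{port} squid={result}")
```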

Organisations that rely on Squid for TLS termination should consider moving to end‑to‑end encryption or using a separate front‑end that does not decrypt traffic, thereby limiting the amount of plaintext that could linger in memory. Regularly reviewing patch levels and subscribing to vendor security mailing lists ensures that future updates are applied promptly.

Intelligence briefing updated Jun 22, 2026

Root source: blog.calif.io