What happened
Security researchers from Calif.io disclosed a memory leak vulnerability in Squid Proxy that has existed in the software since 1997.
Squid is a widely used open-source web proxy that reduces bandwidth consumption and improves response times through caching. It supports HTTP, HTTPS, FTP, and other protocols.
The vulnerability, dubbed Squidbleed, has been compared to the OpenSSL Heartbleed flaw because it can leak memory from affected systems. Officially tracked as CVE-2026-47729, the bug causes Squid’s FTP parser to read beyond the boundary of a memory buffer and into a region that may contain uncleared HTTP request data from a previous user.
Exploitation requires the attacker to control an FTP server that is reachable from the proxy. The biggest risk is in shared proxy environments, such as corporate networks, schools, and public Wi-Fi hotspots, where multiple users route traffic through the same Squid instance.
An attacker with access to such an environment could silently capture HTTP request data belonging to other users. Potentially exposed information may include authentication credentials, session tokens, API keys, and other sensitive data sent through cleartext HTTP traffic.
The exposure is limited to cleartext HTTP traffic and deployments where Squid terminates TLS. Standard HTTPS connections relayed as opaque CONNECT tunnels are not affected.
A patch was merged into Squid version 8 in April 2026 and shipped in version 7.6 in June 2026. Organizations can also reduce risk by disabling FTP support if it is not needed.
Who is affected
Organizations using Squid Proxy may be affected, especially shared proxy environments where multiple users send traffic through the same Squid instance.
Corporate networks, schools, public Wi-Fi providers, and other environments that use Squid for caching or proxying may face higher risk if FTP support is enabled and cleartext HTTP traffic passes through the proxy.
Users whose HTTP traffic is routed through a vulnerable Squid instance could have request data exposed to an attacker who controls a reachable FTP server. Standard HTTPS tunnels are not affected, but sensitive data can still appear in cleartext HTTP traffic in some enterprise or legacy environments.
Why CISOs should care
Squidbleed matters because it affects a long-standing open-source proxy component that may be embedded in network environments and forgotten over time. A flaw that has existed since 1997 can remain present in modern deployments if the software is not updated or if legacy proxy configurations are left in place.
For CISOs, the shared proxy risk is especially important. In environments where many users route traffic through the same proxy, a memory leak can expose one user's request data inside a flow that an attacker controls.
The vulnerability also reinforces why cleartext HTTP should be eliminated wherever possible. Even when the bug does not affect standard HTTPS tunnels, credentials, session tokens, API keys, or internal application traffic sent over HTTP may still be exposed.
The FTP requirement also creates a practical mitigation opportunity. If FTP support is unnecessary, disabling it can reduce the attack surface while patches are applied and validated.
3 practical actions
- Upgrade Squid to a patched version: The vulnerability was fixed in Squid version 7.6 and the patch was also merged into Squid version 8. CISOs should identify Squid deployments, verify versions, and prioritize updates for shared proxy environments.
- Disable FTP support where it is not needed: Exploitation requires an attacker-controlled FTP server reachable from the proxy. Organizations that do not require FTP support should disable it to reduce exposure.
- Reduce or eliminate cleartext HTTP through proxies: Squidbleed can expose HTTP request data such as credentials, session tokens, and API keys. Security teams should identify internal services, legacy applications, and user workflows still using HTTP and migrate them to HTTPS where possible.
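The POSIX shell helper below is an added illustration of the three actions, not code from the article or the Squid project. It parses the `squid -v` banner and compares the version against the fixed releases (7.6, or any 8.x), checks whether a squid.conf refuses FTP with a `proto FTP` acl and an `http_access deny` rule placed ahead of the allow rules, and tallies request URL schemes in native-format access.log lines so cleartext `http://` and `ftp://` traffic stands out while CONNECT tunnels (logged without a scheme) are ignored. The banner format `Squid Cache: Version X.Y`, the native log field layout, and the acl/deny approach are assumptions about Squid; every log line and config fragment is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the article or the Squid project. A small audit
# helper for the three actions above. Assumptions: `squid -v` prints a first
# line of the form "Squid Cache: Version X.Y", access.log uses Squid's native
# format (timestamp elapsed client code/status bytes method URL ...), and FTP
# is refused with a `proto FTP` acl plus an `http_access deny` rule. All sample
# log lines and config fragments below are constructed.

# Extract "X.Y[.Z]" from the first matching line of `squid -v` output
# (prints nothing if the banner is absent).
squid_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Squid Cache: Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when a version is at or above the fixed releases (7.6, or any 8.x).
# Only major and minor are compared; a suffix such as "-rc1" is ignored.
squid_version_fixed() {
    ver=$1
    major=$(printf '%s' "${ver%%.*}" | sed 's/[^0-9].*$//')
    case $ver in
        *.*) minor=$(printf '%s' "${ver#*.}" | sed 's/[^0-9].*$//') ;;
        *)   minor= ;;
    esac
    [ -n "$major" ] || major=0
    [ -n "$minor" ] || minor=0
    [ "$major" -gt 7 ] && return 0
    [ "$major" -eq 7 ] && [ "$minor" -ge 6 ] && return 0
    return 1
}

# Count access.log lines (read on stdin) whose request URL uses the given
# scheme. CONNECT tunnels log "host:port" without a scheme and are never
# counted, matching the note above that opaque HTTPS tunnels are unaffected.
count_scheme() {
    awk -v s="$1" '{ n = split($7, u, "://"); if (n >= 2 && u[1] == s) c++ } END { print c + 0 }'
}

# Return 0 when the squid.conf text in $1 defines an acl matching FTP and
# denies it in an http_access rule that precedes the first http_access allow.
# http_access is first-match, so a deny placed after an allow that already
# matched the client would never fire; this check is deliberately conservative.
squid_conf_denies_ftp() {
    printf '%s\n' "$1" | awk '
        $1 == "acl" && $3 == "proto" { for (i = 4; i <= NF; i++) if (toupper($i) == "FTP") ftp_acl[$2] = 1 }
        $1 == "http_access" && $2 == "allow" && !first_allow { first_allow = NR }
        $1 == "http_access" && $2 == "deny" && ($3 in ftp_acl) && !deny_at { deny_at = NR }
        END { if (deny_at && (!first_allow || deny_at < first_allow)) exit 0; exit 1 }'
}

# Constructed native-format access.log lines: two cleartext HTTP requests, one
# CONNECT tunnel (unaffected), one FTP fetch (exercises the vulnerable parser).
SAMPLE_LOG=$(cat <<'EOF'
1718000000.101    120 10.0.0.5 TCP_MISS/200 5120 GET http://intranet.example.internal/login - HIER_DIRECT/10.0.1.20 text/html
1718000000.205     80 10.0.0.7 TCP_TUNNEL/200 9876 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
1718000000.310    300 10.0.0.9 TCP_MISS/200 2048 GET ftp://files.example.test/pub/readme.txt - HIER_DIRECT/198.51.100.8 text/plain
1718000000.412     95 10.0.0.5 TCP_MISS/200 760 GET http://intranet.example.internal/api - HIER_DIRECT/10.0.1.20 application/json
EOF
)

# Constructed config fragments: the weak one lets FTP URLs through; the
# hardened one refuses them before any allow rule is evaluated.
WEAK_CONF=$(cat <<'EOF'
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all
EOF
)
HARDENED_CONF=$(cat <<'EOF'
acl localnet src 10.0.0.0/8
acl FTP proto FTP
http_access deny FTP
http_access allow localnet
http_access deny all
EOF
)

# Stand-alone demonstration: live version check if squid is on PATH, then the
# constructed samples.
ver=$(squid_version_from_banner "$(squid -v 2>/dev/null | head -n 1)")
if [ -n "$ver" ]; then
    if squid_version_fixed "$ver"; then echo "squid $ver: at or above the fixed release"
    else echo "squid $ver: upgrade to 7.6 or later"; fi
else
    echo "squid not found on PATH; skipping live version check"
fi
for scheme in http ftp https; do
    printf '%-5s requests in sample log: %s\n' "$scheme" "$(printf '%s\n' "$SAMPLE_LOG" | count_scheme "$scheme")"
done
squid_conf_denies_ftp "$WEAK_CONF"     && echo "weak config: FTP denied"     || echo "weak config: FTP still reachable"
squid_conf_denies_ftp "$HARDENED_CONF" && echo "hardened config: FTP denied" || echo "hardened config: FTP still reachable"
```

Run it on a real host by replacing `$SAMPLE_LOG` with `cat /var/log/squid/access.log` and `$HARDENED_CONF` with `cat /etc/squid/squid.conf`; a non-zero `ftp` count or a non-zero `http` count is the inventory of flows the second and third actions are meant to remove.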
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.

