Introduction
On June 23, 2026, security researchers at Calif Security Research published their analysis of CVE-2026-47729 — a heap buffer overread vulnerability in Squid Proxy that had been present in the codebase since a commit in January 1997.
They named it Squidbleed.
The vulnerability is real, the affected deployment surface is large, and the discovery method is worth understanding: Calif researchers found this bug using Claude Mythos Preview — an AI model that identified a memory pattern in Squid’s FTP parser that decades of human code review had missed.
This article explains what the vulnerability is, how it works technically, who is affected, and exactly what to do.
What Happened
Calif Security Research disclosed Squidbleed on June 23, 2026, following a coordinated disclosure process with the Squid development team. The vulnerability is a heap buffer overread in Squid’s FTP directory listing parser.
The discovery came from an AI-assisted code audit. Researchers at Calif used Claude Mythos Preview to systematically review Squid’s codebase for memory management patterns. The model identified an unusual strchr edge case in the FTP parser — a function that processes responses from FTP servers — where pointer arithmetic could cause the parser to read beyond the boundary of a memory buffer into adjacent memory containing data from previous HTTP requests.
The bug traces to a commit from January 1997. Squid’s FTP support predates most modern network security practices, SSL/TLS ubiquity, and the security review processes used today. It survived because FTP parsing is low-priority code that rarely changes and rarely gets close attention.
The vulnerability was filed as CVE-2026-47729. The name Squidbleed was chosen by the researchers as a reference to Heartbleed — the 2014 OpenSSL vulnerability with a similar mechanism: a bug that causes a system to return more memory than it should, leaking data belonging to other users.
An important correction was posted by Squid maintainer Amos Jeffries after the initial disclosure: Squid 7.6 did not ship the Squidbleed fix. The real patch is scheduled for Squid 7.7. Organizations that upgraded to 7.6 expecting to be protected are not.

Why It Matters
Squid Proxy is not a niche product. It is one of the most widely deployed open-source proxy servers in the world — used in corporate networks, university campuses, ISPs, CDN infrastructure, and cloud environments. It handles HTTP caching, content filtering, and outbound traffic management at scale.
The vulnerability leaks data from other users’ HTTP requests on the same proxy. In a shared proxy environment — a corporate network, a university, a managed hosting environment — that means an attacker who can reach the proxy can silently collect HTTP request data from other users, including:
- Authorization headers
- API keys passed in HTTP headers
- Session tokens
- Cleartext credentials sent over HTTP
- Any data in a cleartext HTTP request
The attack requires the attacker to control an FTP server reachable from the proxy. Most corporate networks allow outbound FTP connections by default. The attacker sends a malformed FTP directory listing response that triggers the overread, causing Squid to return adjacent memory from a previous user’s request.
HTTPS traffic is not directly exposed. When Squid proxies HTTPS traffic in CONNECT tunnel mode — which is the default for most HTTPS requests — it does not decrypt the content. The tunnel is opaque. However, organizations that run Squid as a TLS-terminating proxy (intercepting and re-encrypting HTTPS) are fully exposed, because in that configuration Squid holds the decrypted request content in memory.
Industry Impact
Shared proxy environments are the highest risk. Corporate networks, universities, and public Wi-Fi hotspots that route traffic through Squid Proxy expose one user’s traffic to any other user who can exploit this vulnerability. In enterprise environments, this could mean an attacker with internal network access can capture API keys and session tokens from colleagues’ HTTP traffic.
Legacy Squid deployments are common. Many organizations run Squid versions that are years old. Automated patch management for proxy infrastructure is less common than for operating systems or application frameworks. The real number of vulnerable Squid instances globally is likely large.
ISP and telco deployments. Some ISPs and telecommunications providers use Squid for transparent HTTP caching. These deployments, if vulnerable, expose customer traffic. The scale of potential exposure in these environments is orders of magnitude larger than enterprise deployments.
The AI-discovery angle sets a precedent. Squidbleed was found by AI auditing a legacy codebase. This is not the last time this will happen. Every widely deployed piece of open-source network software written before 2010 is now a candidate for AI-assisted audit — by defenders and by attackers. Organizations that rely on the assumption that “no one has found a bug in this old code” need to update that assumption.
Developer Impact
Check your Squid version immediately. The patch ships in Squid 7.7. Version 7.6 does NOT contain the fix, despite initial reports suggesting otherwise. If you are running any version below 7.7, the FTP mitigation is your immediate protection.
Apply the FTP mitigation now. Disable FTP proxying in Squid. The configuration change is straightforward. Chromium dropped FTP support years ago, and most enterprise traffic carries essentially no legitimate FTP requests through a corporate proxy. Disabling FTP eliminates this attack surface entirely with no meaningful operational impact for most deployments.
To disable FTP in Squid, add the following to squid.conf:
acl FTP proto FTP
http_access deny FTP
Audit TLS-terminating configurations. If your Squid deployment is configured to intercept and decrypt HTTPS traffic (SSL bump / TLS inspection), your exposure is higher than standard tunnel-mode deployments. Review these configurations carefully and prioritize upgrading to Squid 7.7.
Review your proxy architecture. This vulnerability is a good prompt to review whether your proxy deployment follows the principle of least privilege — whether the proxy runs with minimal permissions, whether its network access is segmented, and whether it logs enough to detect anomalous behavior.
Business Impact
Enterprise security teams should treat this as a critical priority. A vulnerability that leaks API keys and session tokens from a shared proxy means a single exploit can yield credentials that provide access to business systems. The blast radius depends on what traffic flows through the proxy, but in enterprise environments it can be significant.
Managed service providers and hosting companies. Organizations that provide managed proxy services to customers need to audit their Squid deployments and communicate clearly with customers about patching timelines. If customer traffic flows through a vulnerable Squid instance, this is a data protection issue with regulatory implications in jurisdictions covered by GDPR, CCPA, and similar frameworks.
Compliance and incident response. Organizations in regulated industries — finance, healthcare, government — that run Squid should evaluate whether this vulnerability, if exploited, would trigger breach notification obligations. Given that the vulnerability can expose API keys and session tokens from other users, the answer is likely yes in many jurisdictions.
Future Outlook
Squid 7.7 is the authoritative fix. Track the Squid release schedule and upgrade as soon as 7.7 is available. In the meantime, the FTP disable mitigation is sufficient for the overwhelming majority of deployments.
More AI-discovered vulnerabilities in legacy software are coming. Squidbleed will not be the last vulnerability found in production network software through AI-assisted code auditing. The pattern — systematically auditing legacy codebases using LLMs that can reason about memory management — will be applied to every widely deployed piece of infrastructure software. Curl, Apache, Nginx, Postfix, BIND — all of them have code that was written before current security review practices and reviewed by humans with limited time and attention. AI changes that equation.
The coordinated disclosure process worked. Calif researchers followed responsible disclosure: they reported to the Squid team, coordinated the patch timeline, and published after a fix was available (even if the 7.6 patch turned out to be incomplete). This is the correct model. The fact that the fix announcement had an error — claiming 7.6 contained the patch when it did not — is a reminder that patch communications should always be verified against the actual code change, not just the release notes.
FAQ
Q: What is Squidbleed? Squidbleed is the name given to CVE-2026-47729, a heap buffer overread vulnerability in Squid Proxy’s FTP directory listing parser. It allows an attacker who controls an FTP server reachable from the proxy to trigger a memory read beyond the buffer boundary, potentially leaking HTTP request data from other users on the same proxy.
Q: Does this affect HTTPS traffic? Standard HTTPS proxying in tunnel (CONNECT) mode is not directly exposed — the proxy relays an opaque encrypted connection without seeing the content. TLS-terminating configurations (SSL bump / HTTPS inspection) are fully exposed because the proxy holds decrypted content in memory.
Q: Which Squid versions are vulnerable? All versions of Squid in default configuration are vulnerable. The fix is in Squid 7.7. Note: Squid 7.6 was initially reported to contain the fix, but Squid maintainer Amos Jeffries confirmed the fix was not included in 7.6. The real patch is in 7.7.
Q: What is the immediate mitigation if I cannot upgrade yet? Disable FTP proxying in Squid by adding acl FTP proto FTP and http_access deny FTP to squid.conf and restarting Squid. This removes the vulnerable code path entirely. Most deployments carry no legitimate FTP traffic and will see no operational impact.
Q: How was Squidbleed discovered? Calif Security Research used Claude Mythos Preview — an AI language model — to audit the Squid codebase for memory management patterns. The model identified an unusual strchr edge case in the FTP parser that causes a heap buffer overread. The bug dates to a January 1997 commit.
Q: What data can an attacker access if they exploit this? The attacker can potentially read HTTP request data from other users on the same proxy, including authorization headers, API keys, session tokens, and cleartext credentials. The specific data depends on what other users’ requests contain and whether they are sending cleartext HTTP.
Q: Is my organization likely to be running Squid Proxy? Squid is commonly deployed in corporate networks for outbound web filtering and caching, in ISPs for traffic management, in universities, and in cloud environments. If your organization runs Linux-based network infrastructure, check whether Squid is installed and running. On both Ubuntu/Debian and RHEL/CentOS: systemctl status squid.
Q: Does this affect cloud proxy services or only on-premise Squid? This affects on-premise and self-hosted Squid deployments. Managed cloud proxy services provided by vendors use their own infrastructure and may or may not run Squid — check with your provider. Cloud-native forward proxy services (AWS Network Firewall, Zscaler, etc.) are not affected as they do not use Squid.
Q: Should I report this to my security team even if I don’t know if we run Squid? Yes. Forward this information to your security team and ask them to check whether Squid is in your environment. Proxy infrastructure is often managed separately from application infrastructure and may not appear in standard software inventories.
Q: What does “heap buffer overread” mean? A heap buffer overread occurs when a program reads memory beyond the end of an allocated buffer on the heap. In Squid’s case, the FTP parser allocates a buffer for directory listing data and then reads past its end due to a pointer arithmetic error, returning data from adjacent memory — which may contain a previous user’s HTTP request. It is similar in mechanism to Heartbleed, where OpenSSL returned more data than the requester was entitled to.
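As an added illustration of the bug class described in the What Happened section and in this answer (constructed for this article, not Squid's code and not from the Calif write-up): the NUL-dependent strchr line-splitting pattern, shown in the comment, beside a length-bounded memchr version run over constructed FTP LIST output whose last line arrives truncated. Function and type names are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example, not Squid's code. The article says Squid's FTP
 * listing parser hit a strchr edge case whose pointer arithmetic ran past
 * the buffer. The unsafe shape of that bug class is
 *     const char *nl  = strchr(line, '\n');   // stops at '\n' OR a NUL byte
 *     size_t      len = (size_t)(nl - line);  // huge (UB) if nl is NULL
 * Received bytes carry no NUL, so strchr can scan into the neighbouring heap
 * allocation (other clients' requests). Below, nothing reads past buf+avail. */

typedef struct {
    size_t len;       /* payload bytes, excluding "\r\n" or "\n"           */
    size_t consumed;  /* bytes to advance past this line, incl. terminator */
    int    complete;  /* 0 when no terminator lies within the bounds       */
} ftp_line;

/* Locate the first line in [buf, buf + avail) without trusting a NUL. */
ftp_line next_ftp_line(const char *buf, size_t avail)
{
    ftp_line l = { 0, 0, 0 };
    const char *nl = memchr(buf, '\n', avail);   /* length-bounded search */
    if (nl == NULL) return l;   /* partial line: wait for more, do not guess */
    l.consumed = (size_t)(nl - buf) + 1;
    l.len = l.consumed - 1;
    if (l.len > 0 && buf[l.len - 1] == '\r')
        l.len--;                                  /* strip the CR of CRLF */
    l.complete = 1;
    return l;
}

/* Count complete lines in a chunk; *leftover = unterminated tail to keep. */
size_t count_ftp_lines(const char *buf, size_t avail, size_t *leftover)
{
    size_t lines = 0, off = 0;
    while (off < avail) {
        ftp_line l = next_ftp_line(buf + off, avail - off);
        if (!l.complete) break;
        lines++;
        off += l.consumed;
    }
    *leftover = avail - off;
    return lines;
}

/* Constructed LIST output; the last line was cut before its "\r\n" arrived. */
static const char sample_chunk[] =
    "drwxr-xr-x   2 ftp ftp  4096 Jan 01  1997 pub\r\n"
    "-rw-r--r--   1 ftp ftp    12 Jan 01  1997 README.txt\r\n"
    "-rw-r--r--   1 ftp ftp";
```

The truncated third line is reported as incomplete and held back rather than parsed, which is the behaviour that keeps a parser inside its own allocation.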
Analyst Perspective
The most interesting thing about Squidbleed is not the vulnerability itself — memory management bugs in C are expected, and a 29-year-old codebase will contain them. The interesting thing is how it was found.
Calif researchers used an AI model to do something security teams have never had the capacity to do systematically: read every function in a large, complex C codebase and reason about whether the memory management logic is correct. Human reviewers reviewing Squid’s FTP parser would typically focus on the logic of what the parser does, not whether every pointer arithmetic operation is bounded correctly. The AI approached it without assumptions about what the code was supposed to do, identified an edge case, and flagged it.
This means two things for the industry. First, every widely deployed piece of network software written in C or C++ before 2015 is now a candidate for this kind of audit. Not because the bugs are new, but because the tooling to find them systematically is new. Second, the organizations that run this software — corporate IT, universities, ISPs — are now playing defense against an attacker capability that did not exist two years ago.
Squidbleed will likely not be the last CVE attributed to AI-assisted discovery. The question for security teams is whether they are running those audits on their own infrastructure before someone else does.
Key Takeaways
- Squidbleed (CVE-2026-47729) is a 29-year-old heap buffer overread in Squid Proxy’s FTP parser, publicly disclosed June 23, 2026.
- It was discovered using Claude Mythos Preview — an AI model that identified a memory management flaw in the FTP parser that human reviewers missed for decades.
- The vulnerability leaks HTTP request data from other users on the same proxy — including API keys, session tokens, and authorization headers.
- Squid 7.6 does NOT contain the fix. The correct patch is in Squid 7.7.
- Immediate mitigation: disable FTP proxying in Squid. For most deployments this eliminates the attack surface with zero operational impact.
- TLS-terminating (SSL bump) Squid configurations have higher exposure than standard tunnel-mode deployments.
- This disclosure signals that AI-assisted auditing will surface more legacy vulnerabilities in widely deployed network software — in both defensive and offensive contexts.
About GAVIHOS
GAVIHOS helps developers, founders and technology enthusiasts understand AI, software engineering and emerging technologies through practical guides, tutorials and industry analysis.