As reported by Security Week, a memory leak vulnerability named Squidbleed has been disclosed in the widely used open-source web proxy software Squid. This vulnerability, officially tracked as CVE-2026-47729, has reportedly existed in the software since 1997.

Squidbleed allows an attacker to read beyond the boundary of a memory buffer within Squid's FTP parser. This could expose sensitive data from previous user requests, including authentication credentials, session tokens, and API keys. The vulnerability poses the greatest risk in shared proxy environments like corporate networks, schools, and public Wi-Fi hotspots, where multiple users share a single Squid instance. Exploitation requires the attacker to control an FTP server accessible from the proxy. The exposure is limited to cleartext HTTP traffic and deployments where Squid terminates TLS; standard HTTPS connections are not affected.

Security researchers at Calif.io discovered the vulnerability with the aid of Anthropic's Claude Mythos AI model. A patch was merged into Squid version 8 in April 2026 and released in version 7.6 in June 2026. Disabling FTP support entirely can mitigate the risk if it is not needed.

Source: Security Week




