Squidbleed: A 28-Year-Old Squid Proxy Flaw Can Leak Your Credentials

Squidbleed, a memory disclosure flaw in Squid proxy, can leak credentials and tokens from other users on shared networks. Patch now.

Dateline: June 23, 2026

A Squid Proxy Bug From 1997 Just Came Back to Bite Everyone

A bug that sat quietly in Squid proxy software for 28 years can hand an attacker other people’s login data. Researchers call it Squidbleed, and they say it works a lot like Heartbleed, the OpenSSL flaw that rattled the internet back in 2014. It was found with the help of an AI model, which makes the story worth a closer look.

What Happened

Researchers at Calif.io disclosed Squidbleed on June 22, 2026. It carries the tracking number CVE-2026-47729 and has lived in Squid since 1997. Squid is a free, open source web proxy used by companies, schools, and public networks to cache traffic and speed up requests. The flaw sits in how Squid reads FTP responses. 

Its FTP parser reads past the edge of a memory buffer and pulls in leftover data from a region that may still hold another user’s HTTP request. That leftover data can include passwords, session tokens, and API keys.

An attacker needs to control an FTP server the proxy can reach, then trick the parser into spilling what it should not. One detail stands out: the bug was discovered with the aid of Anthropic’s Claude Mythos AI model. The same team recently used AI to find a flaw in OpenSSL and a denial-of-service trick called HTTP/2 Bomb.

The Impact

The real danger shows up on shared proxies. Picture a corporate network, a university, or a coffee shop where dozens of people route traffic through one Squid box. On those setups, an attacker on the same network could quietly skim request data belonging to everyone else passing through. 

There is a limit worth knowing. The leak only touches cleartext HTTP traffic and setups where Squid terminates the TLS connection itself. Plain HTTPS that passes through as a sealed tunnel stays safe. That shrinks the blast radius, but plenty of older enterprise systems still send credentials over cleartext HTTP, so the risk is far from theoretical.

How to Avoid This

The fix is already out, so the main job is getting it deployed. Update Squid to version 7.6, which shipped the patch in June 2026. The fix was also merged into the version 8 line back in April. If your setup does not need FTP, turn off FTP support entirely, which closes the door on its own. 

For shared networks, push sensitive traffic to HTTPS so credentials never travel in the clear. And check whether your proxy terminates TLS, since that is the setup most exposed here.
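
One way to check a proxy against the points above (version, FTP access, TLS termination), as an added example that is not from the original article or the Squid project. It assumes FTP is turned off with a `proto FTP` ACL plus an `http_access deny` rule, which the article does not specify; the function names and the sample config are constructed for illustration.

```python
import re
FIXED_7X = (7, 6)  # release the article names as carrying the fix

def directives(conf_text):
    """Yield (name, args) for each active squid.conf line."""
    for raw in conf_text.splitlines():
        parts = raw.split()
        if parts and not parts[0].startswith("#"):
            yield parts[0], parts[1:]

def audit(conf_text, version_banner):
    rules = list(directives(conf_text))
    # ACLs of type "proto" that match FTP, e.g. "acl ftp_req proto FTP"
    ftp_acls = {a[0] for d, a in rules
                if d == "acl" and len(a) > 2 and a[1] == "proto"
                and "FTP" in (v.upper() for v in a[2:])}
    # http_access is first-match, so FTP only counts as off when a deny on
    # an FTP proto ACL alone appears before any allow rule.
    ftp_denied = False
    for d, a in rules:
        if d != "http_access" or not a:
            continue
        if a[0] == "allow":
            break
        if a[0] == "deny" and len(a) == 2 and a[1] in ftp_acls:
            ftp_denied = True
            break
    # Heuristic: an https_port, or ssl-bump on an http_port, means Squid
    # itself terminates TLS and sees decrypted requests.
    tls_terminated = any(d == "https_port" or (d == "http_port" and "ssl-bump" in a)
                         for d, a in rules)
    m = re.search(r"Version (\d+)\.(\d+)", version_banner)
    ver = (int(m.group(1)), int(m.group(2))) if m else None
    # Only compares against 7.6; the article does not say which 8.x build has the fix.
    return {"ftp_denied": ftp_denied, "tls_terminated": tls_terminated,
            "below_7_6": ver is not None and ver < FIXED_7X}

# Constructed sample input, not taken from the article.
SAMPLE_CONF = """\
http_port 3128 ssl-bump tls-cert=/etc/squid/ca.pem
acl ftp_req proto FTP
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny ftp_req
"""
SAMPLE_BANNER = "Squid Cache: Version 7.5"

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, SAMPLE_BANNER))
```

In the sample, the FTP deny rule sits after an allow rule, so the audit reports FTP as still reachable even though a deny line exists. Feed it the real `squid.conf` and the output of `squid -v` to check a live proxy.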

Don’t Let Old Code Become Today’s Breach

Squidbleed hid for 28 years because nobody was looking in the right place. That is the trouble with flaws baked deep into trusted software. They do not trip alarms, and a routine scan often walks right past them. Secure.com helps teams catch the gaps that sit quietly inside their stack, before someone else finds them first.

  • Spot risky proxy and FTP setups before an attacker reaches them. 
  • Watch shared environments where one weak box can expose many users. 
  • Test your own systems the way an attacker would, not just against a signature list. 
  • Get a clear, proven path to the patch that matters most right now. 
  • Keep a human in the loop on the fixes that carry the highest stakes.