Squidbleed: 29-year-old Squid proxy bug leaks cleartext HTTP requests (CVE-2026-47729)

A 29-year-old heap over-read bug in the Squid web proxy (CVE-2026-47729) lets any authenticated proxy user read the cleartext HTTP requests of other users sharing the same proxy, including credentials and session tokens. The vulnerability traces back to a 1997 FTP-parsing change, and researchers at Calif.io disclosed it in June 2026. Because the bug is active in the default Squid configuration, it potentially affects millions of deployments worldwide.
Technical significance
Squidbleed demonstrates that foundational internet infrastructure can harbor critical vulnerabilities for decades without discovery. Organizations running Squid proxies in the default configuration must patch immediately, as the bug allows credential theft without any special privileges beyond proxy access.