CVE-2026-47729 Squidbleed: Is Your Proxy Leaking Passwords? How to Check and Fix It

by Rebecca Sutton

If your organisation uses Squid Proxy, the chances are it is vulnerable right now. The flaw is tracked as CVE-2026-47729 and is known as the Squidbleed vulnerability. It leaks memory from other users’ HTTP sessions, exposing passwords, API keys, and session tokens. The fix is coming in Squid 7.7, but no patched release is out yet. There is a simple workaround you can apply today.

Does the Squidbleed Vulnerability Affect Your Proxy?

Almost certainly, yes. Squidbleed affects every version of Squid. It is active in a default installation because FTP support is on by default. TCP port 21 is also in Squid’s default Safe_ports list. Unless your team has explicitly removed FTP access, your proxy is exposed.

Not sure? Ask your infrastructure team to check the current squid.conf. If port 21 appears in Safe_ports with no extra rule blocking it, you are affected. Most organisations that installed Squid and never reviewed the defaults are in this position.

How the Flaw Works

The bug sits in Squid’s FTP gateway. That is the part of the software that fetches FTP content on behalf of users behind the proxy. When Squid parses a directory listing from a malicious FTP server, a C string handling error causes the code to overshoot the end of a 4 KB heap buffer. Those buffers are reused between sessions. So they can hold leftover data from earlier HTTP requests.

Researchers traced the problem to a misuse of the strchr() function. Under C11 rules, strchr() treats the terminating null as part of the string, so when it is asked to find that character it returns a pointer to the terminator rather than NULL. The whitespace-skipping loop that relies on strchr() therefore never sees a stop condition at the end of the buffer. The pointer walks into adjacent heap memory, reading up to 4,065 bytes beyond the buffer end.

This is not a theoretical scenario. The code path runs whenever a Squid proxy sends a request to an FTP server that an attacker controls.

What Data Could an Attacker See?

Squid reuses the same 4 KB buffers for both HTTP and FTP processing. Stale data from recent HTTP sessions can still sit in heap memory when the overread is triggered. The leaked content may include:

  • HTTP Authorization headers with Basic Auth credentials
  • Session cookies and API keys passed in request headers
  • Custom application headers carrying tokens or passwords

HTTPS traffic is not at risk. Squid relays HTTPS connections as opaque tunnels via the CONNECT method. The encrypted payload never enters the FTP gateway. The exposure applies to cleartext HTTP requests and any setup where Squid terminates TLS on behalf of users.

Disable FTP Proxying Right Now

The Squidbleed vulnerability fix will ship in Squid 7.7. The patch was merged into the codebase in April and May 2026, per the oss-sec disclosure thread, but 7.7 has not yet been released.

The interim mitigation is to remove FTP from Squid’s configuration. In squid.conf, remove or comment out the line that permits port 21 in Safe_ports:

# Remove or comment out this line:
# acl Safe_ports port 21

Restart Squid after making the change. Users will no longer be able to reach FTP servers through the proxy. In most corporate environments, nobody is doing that anyway. Confirm with your team first, but this is a low-risk step with a clear security payoff.

If FTP proxying is genuinely in use, restrict which FTP servers Squid can reach. Limiting outbound FTP to a known trusted list stops an attacker directing Squid to a server they control.
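The following script is an added example for this article, not code from the Squid project. It puts the check described earlier and the interim fix in one place: it reports whether an active Safe_ports line still permits TCP 21 (as a bare port or inside a range), whether an ACL of type proto FTP already denies or restricts FTP, and can write a hardened copy of squid.conf with the offending line commented out. The config and output paths, the status labels, and the script name are assumptions; squid -k parse and squid -k reconfigure are Squid's standard commands for validating and reloading configuration.

```shell
#!/bin/sh
# Added example, not code from the Squid project: audit a squid.conf for the
# Squidbleed workaround and optionally write a hardened copy.
# Assumptions: POSIX sh, awk and sed are available; paths are passed as arguments.

# active_lines CONF: print CONF with '#' comments stripped and blank lines removed.
active_lines() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# ftp_port_allowed CONF: exit 0 if any active 'acl Safe_ports port ...' line
# permits TCP 21, either as a bare port or inside a range such as 20-21.
ftp_port_allowed() {
    active_lines "$1" | awk '
        tolower($1) == "acl" && $2 == "Safe_ports" && tolower($3) == "port" {
            for (i = 4; i <= NF; i++) {
                if ($i ~ /^[0-9]+$/ && $i + 0 == 21) found = 1
                else if ($i ~ /^[0-9]+-[0-9]+$/) {
                    split($i, r, "-")
                    if (r[1] + 0 <= 21 && 21 <= r[2] + 0) found = 1
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# ftp_denied CONF: exit 0 if an ACL of type "proto FTP" is used (un-negated)
# in an http_access deny rule, i.e. FTP is blocked or restricted to an
# allowlist even though Safe_ports still lists port 21.
ftp_denied() {
    active_lines "$1" | awk '
        tolower($1) == "acl" && tolower($3) == "proto" && toupper($4) == "FTP" { ftpacl[$2] = 1 }
        tolower($1) == "http_access" && tolower($2) == "deny" {
            for (i = 3; i <= NF; i++) if ($i in ftpacl) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# squidbleed_status CONF: print EXPOSED, MITIGATED or NO_FTP (labels are ours).
squidbleed_status() {
    if ! ftp_port_allowed "$1"; then
        echo NO_FTP
    elif ftp_denied "$1"; then
        echo MITIGATED
    else
        echo EXPOSED
    fi
}

# apply_workaround CONF OUT: copy CONF to OUT with every Safe_ports line that
# permits port 21 commented out. CONF itself is left untouched.
apply_workaround() {
    awk '
        tolower($1) == "acl" && $2 == "Safe_ports" && tolower($3) == "port" {
            for (i = 4; i <= NF; i++) {
                if ($i ~ /^#/) break            # trailing comment: stop scanning ports
                hit = 0
                if ($i ~ /^[0-9]+$/ && $i + 0 == 21) hit = 1
                else if ($i ~ /^[0-9]+-[0-9]+$/) {
                    split($i, r, "-")
                    if (r[1] + 0 <= 21 && 21 <= r[2] + 0) hit = 1
                }
                if (hit) { print "# Squidbleed workaround: " $0; next }
            }
        }
        { print }' "$1" > "$2"
}

# Usage: sh squidbleed_check.sh /etc/squid/squid.conf [/tmp/squid.conf.hardened]
if [ "$#" -ge 1 ]; then
    printf '%s: %s\n' "$1" "$(squidbleed_status "$1")"
    if [ "$#" -ge 2 ]; then
        apply_workaround "$1" "$2"
        echo "hardened copy written to $2; validate it with 'squid -k parse -f $2', install it, then run 'squid -k reconfigure'"
    fi
fi
```

The MITIGATED result corresponds to the allowlist approach: Squid's proto and dstdomain ACL types let you define an FTP ACL (acl FTP proto FTP), an allowlist of trusted servers (acl ftp_allowed dstdomain with the hosts you need), and a rule http_access deny FTP !ftp_allowed placed above the existing http_access allow rules, since Squid evaluates http_access lines top to bottom. The script only recognises a deny rule that names a proto FTP ACL un-negated, so confirm any other blocking construction by hand.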

What About Squid 7.6?

Squid 7.6 was released on 8 June 2026. It fixes a separate issue: CVE-2026-50012, a heap buffer overflow in the cache_digest component. That flaw can crash Squid and may allow code execution. It only affects builds compiled with --enable-cache-digests, a non-default flag, so its reach is narrower.

Upgrading to 7.6 resolves CVE-2026-50012 but does not fix the Squidbleed vulnerability. Some early reports said 7.6 included the Squidbleed patch. A Squid project maintainer corrected this on oss-sec: the fix ships in 7.7. Apply 7.6 for the cache_digest fix, then watch for 7.7.

Review Your Other Proxy Defaults

Squidbleed is a reminder that proxy software rarely gets the security attention it deserves. Squid’s default configuration opens a range of ports and protocols that most organisations never actively chose. While you have squid.conf open, check the full Safe_ports list. Make sure every permitted port has a current business reason. The same discipline applies to TLS inspection settings, log retention, and update cycles.

Proxy software sits at the edge of your outbound network traffic. It deserves the same review cycle as your perimeter firewall. If you have not looked at your Squid configuration since it was first deployed, now is a practical time to do so.

Aardwolf Security offers network security reviews that cover exactly this kind of default-configuration exposure. Include infrastructure components in your regular vulnerability assessments, not just web applications. To discuss scoping a review, get in touch.
