logo

Squidbleed: 29-Year-Old Squid Bug Leaks User Credentials

ID: 7ed04a5f-c025-5838-aff4-0b0d0310ed72

STIX ID: report--7ed04a5f-c025-5838-aff4-0b0d0310ed72

Feed Name: Security Affairs

Threat Score
70/100

Date Published: 2026-06-23

Date Updated: 2026-06-23

Author: Pierluigi Paganini

...
...

Squidbleed (CVE-2026-47729) is a 29-year-old memory-overread bug in Squid Proxy's FTP listing parser that can return stale 4KB buffer contents — including other users' HTTP Authorization headers, tokens, and cleartext request data — to an attacker controlling an FTP server reachable by the proxy; a patch was released (Squid 7.6/merged into 8) and disabling FTP removes the attack surface.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.