29-Year-Old Squid Proxy Bug 'Squidbleed' Can Leak Cleartext HTTP Requests

A heap over-read in the Squid web proxy can leak another user's cleartext HTTP request, including any credentials or session tokens it carries, to anyone already allowed to send traffic through the same proxy. The bug traces to a 1997 FTP-parsing change and is still live in Squid's default configuration. Researchers at Calif.io disclosed it in June and named it Squidbleed (

Reported facts: Squidbleed (CVE-2026-47729) is a decades‑old heap over‑read bug in the Squid FTP directory‑listing parser that can leak another user’s cleartext HTTP request data, including credentials and session tokens, to any attacker already permitted to use the same proxy.[1][4][7] The issue affects Squid’s default configuration across many versions and primarily threatens shared proxy environments (corporate networks, schools, ISPs, public Wi‑Fi), though the impact is limited to cleartext HTTP and TLS‑terminating setups, not opaque HTTPS CONNECT tunnels.[1][4][7] CyberSE.AI analysis: For AI systems that rely on upstream proxies like Squid to fetch training data, API responses, or model inputs, Squidbleed represents an AI supply chain data‑leakage risk: sensitive prompts, API keys, session cookies, or proprietary datasets transiting the proxy could be exposed to other authorized users on the same network. Organizations should inventory where AI workloads depend on Squid or embedded Squid-based appliances, update or mitigate (e.g., disable FTP), and incorporate proxy components into their AI SBOM and supply‑chain risk assessments to prevent indirect leakage of model inputs