Squidbleed is a Heartbleed-style memory leak vulnerability in the Squid Proxy FTP parser that allows reading beyond buffer boundaries into memory regions containing uncleared HTTP request data from previous users. Exploitation requires an attacker-controlled FTP server reachable by the proxy. The vulnerability primarily threatens shared proxy environments such as corporate networks, schools, and public Wi-Fi hotspots, where multiple users share the same Squid instance. Only cleartext HTTP traffic is exposed; HTTPS connections tunneled via CONNECT are not affected. The vulnerability was discovered with AI assistance and patched in Squid version 7.6 (June 2026) with the fix merged in version 8 (April 2026). Mitigation includes applying the patch or disabling FTP support if not needed.

An attacker controlling an FTP server reachable from a vulnerable Squid proxy can exploit this flaw to read sensitive HTTP request data from other users routed through the same proxy. This may include authentication credentials, session tokens, and API keys transmitted in cleartext HTTP. The exposure is limited to unencrypted HTTP traffic and does not affect HTTPS traffic tunneled through the proxy. The vulnerability poses a medium risk primarily in shared proxy environments where multiple users' traffic is proxied together.

A patch fixing this vulnerability is available and was shipped in Squid version 7.6 (June 2026), with the fix merged in version 8 (April 2026). Users should upgrade to at least version 7.6 to remediate the issue. If FTP support is not required, disabling FTP support in Squid provides an effective mitigation. No other specific mitigations are indicated by the vendor advisory.