TL;DR: In June 2026, Calif.io disclosed Squidbleed (CVE-2026-47729), a heap buffer over-read in Squid Proxy's FTP gateway that leaks raw heap memory, including other users' HTTP Authorization headers, cookies, and session tokens, in the same Heartbleed-style pattern. The triggering bug traces back to a Squid commit from January 1997, making it 29 years old, and proof-of-concept code is already public, per The Hacker News. For NC small businesses running Squid as a forward proxy, the action this week is simple: disable the FTP protocol in squid.conf, block outbound TCP 21 at the firewall, and stop trusting any vendor claim that Squid 7.6 closed the hole.
Key takeaway: Squidbleed is a "trusted client" attack. Any user already permitted to send traffic through your Squid Proxy, including guest Wi-Fi users at an NC manufacturer, a Greensboro coworking space, or a public library, can point the proxy at a hostile FTP server and harvest other clients' cleartext HTTP credentials from heap memory. The defense is operational, not a single patch.
Need a same-week Squid Proxy audit and FTP-disable change window? Preferred Data Corporation has run managed IT and cybersecurity for NC small businesses since 1987 from High Point. Call (336) 886-3282 or book a proxy hardening review.
What is Squidbleed (CVE-2026-47729) and why does it matter?
Squidbleed is a heap buffer over-read in Squid Proxy's FTP gateway code, disclosed by Calif.io in June 2026 and tracked as CVE-2026-47729. The root cause is a classic C bug: null-terminated strings, pointer arithmetic, and a strchr edge case that walks past the end of an allocated buffer and reads adjacent heap memory back to the requesting client. The pattern mirrors Heartbleed, hence the name.
Three facts an NC SMB owner should write down:
- The bug is 29 years old. Per SecurityWeek and The Hacker News, the vulnerable code path traces back to a Squid commit from January 1997. It has been sitting in the FTP gateway through every Squid major version since.
- It leaks the contents of other users' HTTP requests. Per Calif.io and runZero, the leaked heap memory commonly contains Authorization headers, session cookies, and bearer tokens that other clients of the same proxy sent in their HTTP requests. Anything traversing the proxy in cleartext, or that the proxy terminates TLS for, is in scope.
- Proof-of-concept code is already public; no in-the-wild exploitation has been reported. Per SC World, as of June 22, 2026, there are no confirmed exploited-in-the-wild reports, but a working PoC is published. That window closes fast.
The exposure shape matters. Most of today's web traffic is HTTPS, which Squid relays as an opaque CONNECT tunnel that the proxy cannot see into. That traffic is not exposed by Squidbleed. What is exposed is anything still served over cleartext HTTP through the proxy, plus any deployment where Squid is doing TLS termination (a "TLS-terminating proxy" or "SSL bumping" setup), because in that mode the decrypted request is in Squid's memory and therefore in the leakable heap.
Which NC SMBs are actually running Squid Proxy?
More than most NC SMB owners think. Squid has been the default open-source forward web proxy for two decades and quietly shows up in many shared-network builds across the Piedmont Triad and the Research Triangle.
Realistic NC deployments to inventory:
- K-12 and community college networks across NC. Squid is a common content-filtering proxy on school networks from Winston-Salem to Raleigh, often paired with a categorization plugin. Student devices are explicitly the "trusted client" pool.
- MSP and small ISP shared infrastructure. Per-tenant or per-customer forward proxies for guest Wi-Fi, hotel networks, and event venues. If one customer can use the proxy, that customer can run the PoC against it.
- Manufacturer guest Wi-Fi and contractor networks. Many NC manufacturers in High Point, Greensboro, and the broader Piedmont Triad have a separate guest Wi-Fi that egresses through a Squid forward proxy. Contractors, sales visitors, and delivery drivers all count as trusted clients.
- Public Wi-Fi at NC coffee shops, libraries, coworking spaces, and conference venues. Anywhere a captive portal exists, there is often a proxy behind it doing logging or filtering.
- Shared NC office buildings, multi-tenant suites, and incubator spaces in High Point, Charlotte, and the Research Triangle. A single building-provided internet pipe with a forward proxy is a classic Squid use case.
- Lab networks, R&D segments, and OT/IT bridges. NC manufacturers using a Squid proxy as an air-gap-adjacent egress control for shop-floor or lab segments. The "trusted client" is a PLC engineer or a vendor laptop.
If you are not sure whether your network runs Squid, search your firewall logs for outbound TCP 3128, 8080, or 8081 from internal subnets to a single internal host, and check any Linux server running on port 3128. Shadow IT deployments (someone spun up Squid on a spare VM years ago) are the most common surprise.
What does the Squidbleed exploit chain look like?
The chain has four steps. None of them require zero-day infrastructure. The defenses live at the firewall, the proxy config, and the credential layer.
| Step | Attacker Action | SMB Failure Mode | Defense Layer |
|---|---|---|---|
| 1 | Attacker is, or becomes, a permitted client of the Squid proxy (guest Wi-Fi, school network, shared building) | Open ACLs, weak guest segmentation, no per-tenant proxy isolation | Network segmentation, separate guest proxy, allowlist clients |
| 2 | Attacker sends an HTTP request through the proxy targeting ftp://attacker.example/ (or a similar FTP URL) | Squid still has FTP gateway enabled (default in most installs) | squid.conf FTP-protocol disable, mime-type allowlist |
| 3 | The proxy fetches the directory listing from the attacker's FTP server; the over-read triggers and adjacent heap memory is appended to the response | Proxy reachable outbound on TCP 21; no egress filtering | Firewall egress rules blocking outbound TCP 21 from the proxy |
| 4 | Attacker parses the response for other clients' Authorization, Cookie, and bearer-token fragments and replays them against the original services | Cleartext HTTP still allowed; TLS-terminating proxy still in use; no token rotation playbook | Force HTTPS, drop TLS interception, credential rotation runbook |
Two implications NC SMB owners should not skip:
- An outbound firewall rule blocking TCP 21 from your proxy server kills step 3 cold. Most NC SMBs have near-zero legitimate outbound FTP traffic in 2026. Chromium dropped FTP support years ago, and modern file transfers run over HTTPS or SFTP (TCP 22). Block outbound TCP 21 from the proxy and the attacker cannot reach the hostile FTP server, regardless of what `squid.conf` says.
- TLS-terminating proxies are the worst-case exposure. If your Squid setup uses SSL bumping or any form of TLS interception (often deployed for "DLP" or "compliance" reasons), then decrypted HTTPS request contents, including modern API tokens and SaaS session cookies, are in Squid's heap and therefore potentially in the leak. This is the configuration that needs the most urgent attention.
What should NC SMBs running Squid do THIS WEEK?
Run a five-step plan inside seven days. None of it requires a capital project; all of it requires an honest inventory and a change window.
- Inventory every Squid instance, including shadow deployments. Search your firewall logs for internal traffic on TCP 3128, 8080, 8081, and any other proxy ports you have used. Check every Linux server in your estate for the `squid` package or the `/etc/squid/` directory. Ask your MSP, your security vendor, and your network team in parallel. The most dangerous Squid instance is the one nobody remembers running. Per runZero, unmanaged forward proxies are routinely the first thing missed in an inventory.
- Disable the FTP protocol in `squid.conf` (the highest-leverage fix). Add an ACL that denies the FTP protocol, for example `acl FTP proto FTP` followed by `http_access deny FTP`, and reload Squid. This kills the vulnerable code path entirely. Per Calif.io, turning FTP off is the recommended mitigation, and the user impact is minimal because mainstream browsers no longer use FTP.
- Restrict outbound TCP 21 at the firewall. Add a deny rule on the perimeter firewall blocking outbound TCP 21 from the proxy server's IP. This is belt-and-suspenders for step 2 and catches the case where someone re-enables FTP in `squid.conf` later without telling you. While you are in the firewall, audit any other proxy egress ports you do not actively need.
- Plan the Squid 7.7 upgrade path, and DO NOT trust 7.6 patch claims. Per the Squid maintainer Amos Jeffries, the Squidbleed fix was merged to the development branch in April and to v7 in May, but a public correction confirmed that Squid 7.6 did NOT actually ship the Squidbleed fix. The real fix is scheduled for Squid 7.7. If your vendor or distribution claims you are patched because you upgraded to 7.6, that claim is wrong. Verify the version, verify the patch ship list, and plan to roll 7.7 the week it is released. In the meantime, steps 2 and 3 carry the load.
- Rotate any credentials that may have transited cleartext HTTP through the proxy. For any HTTP-only internal application that traverses Squid, any TLS-terminating-proxy deployment, and any API token or session cookie that may have been in flight, rotate now. Prioritize anything still using long-lived bearer tokens (SaaS API integrations, legacy SOAP services, internal admin panels). Per SecurityWeek, the leak window is the entire period the vulnerable proxy was running with FTP enabled, which is potentially years.
Key takeaway: Disable the FTP protocol in `squid.conf`, block outbound TCP 21 at the firewall, and rotate any credentials that may have transited cleartext HTTP through the proxy. Do those three things this week and Squidbleed is effectively closed for your NC SMB, even before Squid 7.7 ships.
Want a same-week proxy audit, FTP-disable change window, and credential rotation runbook? Call (336) 886-3282 or book a Squid Proxy hardening engagement.
What's the broader lesson for NC SMB defense beyond Squid?
Squidbleed is not really about Squid. It is about three quiet assumptions that NC SMBs need to retire in 2026.
- Legacy infrastructure is not "stable," it is "unaudited." A 29-year-old code path in Squid was load-bearing in tens of thousands of networks until somebody finally fuzzed the FTP gateway. The same logic applies to your on-prem mail relay, your VPN concentrator, your DNS resolver, and any open-source middleware that has been running quietly since the early 2010s. Schedule an annual review of every infrastructure component that touches inbound or outbound traffic and ask when anyone last read the release notes for it.
- The "trusted client" attack model is real and the perimeter does not save you. Squidbleed only works because a permitted user of the proxy can send a hostile request. For NC SMBs, "permitted users" includes employees, contractors, guest Wi-Fi users, vendors with VPN access, M&A targets being integrated, and anyone with credentials that have leaked elsewhere. Build your defenses to assume the trusted client is hostile, particularly for any infrastructure shared across tenants or guest populations.
- Egress filtering matters as much as ingress filtering. Most NC SMBs spend their firewall budget on inbound rules and let outbound traffic flow on the assumption that "our users are trusted." Squidbleed step 3 is killed by a single outbound deny rule on TCP 21. Apply the same logic broadly: restrict outbound to the protocols and destinations you actually need. Outbound egress filtering is the cheapest control with the highest payoff for SMB networks.
For NC manufacturers in High Point and Winston-Salem, NC professional services firms in Greensboro and Charlotte, NC construction firms across the Piedmont Triad, and NC distributors and importers in the Research Triangle, the takeaway is the same: the proxy is part of the security perimeter, and the security perimeter has both an inside and an outside.
How does Preferred Data Corporation help NC SMBs harden web proxies and gateway infrastructure?
PDC has run managed IT and cybersecurity for NC small businesses since 1987 from High Point. Three concrete service lines align with the Squidbleed action list:
- Managed IT services: Forward proxy inventory across servers and VMs, `squid.conf` review and change management, patch-tracking against the actual upstream Squid release notes (not vendor marketing claims), and 24/7 monitoring of proxy health and version drift.
- Cybersecurity services: Credential rotation runbooks, audit of TLS-terminating proxy deployments, replacement of SSL bumping with modern cloud secure web gateway alternatives where appropriate, and ongoing vulnerability monitoring against the open-source infrastructure stack.
- Network infrastructure services: Firewall egress filtering review (including outbound TCP 21 blocks), guest Wi-Fi segmentation for NC manufacturer sites, separate proxy pools per tenant or per network segment, and architecture review for NC SMBs whose shared-building or multi-tenant deployments mix populations that should not share a proxy.
Squidbleed is the example, not the exception. Long-lived open-source infrastructure that everyone forgot to audit is everywhere in NC SMB networks, and the next 29-year-old bug is already in someone's code. The work this week is to find the Squid instances, close the FTP path, and put a process in place so the next disclosure does not require an emergency.
Need a managed Squid Proxy and gateway hardening engagement scoped to your NC SMB? Call (336) 886-3282 or book a proxy hardening review.
Frequently Asked Questions
Is my Squid Proxy vulnerable to Squidbleed?
If your Squid Proxy has the FTP gateway enabled (the default in most installs) and is reachable outbound on TCP 21 to attacker-controlled FTP servers, yes. Per Calif.io, the bug is in the FTP gateway code and traces back to a January 1997 commit, so every Squid major version since then is in scope unless you have explicitly disabled FTP or applied the not-yet-shipped 7.7 fix. The fastest test is to check whether squid.conf denies the ftp protocol and whether your firewall blocks outbound TCP 21 from the proxy.
Does upgrading to Squid 7.6 fix Squidbleed?
No. The Squid maintainer Amos Jeffries posted a public correction confirming that Squid 7.6 did NOT ship the Squidbleed fix despite earlier impressions, and the real fix is scheduled for Squid 7.7. If a vendor, distribution, or internal ticket says you are patched because you are on 7.6, that claim is wrong. Until 7.7 is available and rolled out, the operational mitigations (disable FTP in squid.conf, block outbound TCP 21) are what is protecting you.
How do I disable FTP in Squid?
Add an ACL and an access rule to squid.conf. The minimum change is acl FTP proto FTP followed by http_access deny FTP placed before any allow rules, then reload Squid. This blocks the proxy from processing FTP requests at all, which kills the Squidbleed trigger path entirely. Per Calif.io, disabling FTP is the recommended mitigation, and user impact is minimal because Chromium and other mainstream browsers dropped FTP support years ago and most modern networks carry near-zero legitimate FTP traffic.
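The FTP-disable step in the plan above and this FAQ answer both hinge on rule order: Squid applies http_access lines top-down and stops at the first match, so a deny that sits below an allow matching the client never fires. The following shell script is an added example, not from the original post or the Squid project; it audits a squid.conf for a `proto FTP` ACL denied before the first allow, and the two embedded configs are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post or the Squid project): audit a
# squid.conf for the Squidbleed mitigation, i.e. an ACL of type "proto FTP"
# that is denied by http_access BEFORE the first http_access allow rule.

# Reads squid.conf from the file given as $1, or from stdin when no argument.
# Exit 0: FTP denied early enough. Exit 1: FTP still reachable through the proxy.
ftp_denied_before_allow() {
    awk '
        { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next }   # drop comments and blank lines
        # acl <name> proto FTP  (type and protocol are case-insensitive, the name is not)
        tolower($1) == "acl" && tolower($3) == "proto" && tolower($4) == "ftp" {
            ftpacl[$2] = 1
        }
        # a deny of an FTP ACL only counts while no allow rule has been seen yet
        tolower($1) == "http_access" && tolower($2) == "deny" && ($3 in ftpacl) && !seen_allow {
            ok = 1
        }
        tolower($1) == "http_access" && tolower($2) == "allow" { seen_allow = 1 }
        END { exit ok ? 0 : 1 }
    ' "$@"
}

# Constructed sample: the mitigation from the post, placed before the allow.
good_conf() {
    cat <<'EOF'
acl localnet src 10.0.0.0/8
acl FTP proto FTP
http_access deny FTP
http_access allow localnet
http_access deny all
EOF
}

# Constructed sample: same directives, but the deny comes after the allow,
# so any localnet client (the "trusted client") can still request ftp:// URLs.
bad_conf() {
    cat <<'EOF'
acl localnet src 10.0.0.0/8
acl FTP proto FTP
http_access allow localnet
http_access deny FTP
http_access deny all
EOF
}

report() {  # $1 = label; config on stdin
    if ftp_denied_before_allow; then echo "$1: FTP denied before first allow (mitigated)"
    else echo "$1: FTP NOT denied before first allow (still exposed)"; fi
}

good_conf | report "sample-good"
bad_conf  | report "sample-bad"
```

Run it against a live file with `ftp_denied_before_allow /etc/squid/squid.conf` after each change window; it checks order only, not whether the reload actually happened.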
What is a TLS-terminating proxy and is it more exposed?
A TLS-terminating proxy (sometimes called SSL bumping or HTTPS interception) is a Squid configuration where the proxy decrypts HTTPS traffic, inspects it, and re-encrypts it on the way out. NC SMBs sometimes deploy this for DLP, malware scanning, or compliance reasons. It is the worst-case Squidbleed exposure because the decrypted request contents, including modern API tokens and SaaS session cookies, sit in the proxy's heap memory and are therefore in the pool that the over-read can leak. If you operate a TLS-terminating proxy, prioritize the FTP disable and credential rotation steps and reconsider whether the interception is worth the risk.
Should we replace Squid with a cloud secure web gateway?
Often yes, for NC SMBs that do not have a strong reason to operate their own forward proxy. Cloud secure web gateway services (Zscaler, Cloudflare Gateway, Cisco Umbrella SIG, Netskope) handle the proxy, the patching, the inspection, and the egress filtering as a managed service, which removes the "29-year-old open-source bug nobody audited" failure mode. The migration is usually a 60 to 90 day project and is a natural fit alongside the SD-WAN refresh that many NC manufacturers and multi-site firms are already planning. PDC scopes both managed Squid and cloud SWG migrations.
Has Squidbleed been exploited in the wild?
As of June 22, 2026, no confirmed in-the-wild exploitation has been reported, per SC World. However, proof-of-concept code is public, the bug is trivial to trigger from a permitted proxy client, and the data it leaks is high-value (Authorization headers, session cookies, bearer tokens). NC SMBs should treat the absence of confirmed exploitation as a short head start, not a reason to delay. Disable FTP and block outbound TCP 21 this week.
Related Resources
- Managed IT Services - Forward proxy inventory, `squid.conf` change management, patch tracking
- Cybersecurity Services - Credential rotation runbooks, TLS-terminating proxy audit, vulnerability monitoring
- Network Infrastructure Services - Firewall egress filtering, guest Wi-Fi segmentation, cloud SWG migration
- Fortibleed CVE-2026-86644: NC SMB Firewall Defense Plan - Companion gateway-credential exposure post
- Forrester 2026 Two-Cloud Outage Prediction: NC SMB Multi-Cloud Resilience - Companion infrastructure resilience post
- Contact Preferred Data Corporation - Squid Proxy and gateway hardening for NC SMBs