A 1997 FTP parser bug in Squid Proxy has been leaking HTTP credentials and session tokens from other users’ sessions for twenty-nine years. Researchers at Calif.io found it in April 2026, assisted by Claude Mythos Preview, as part of the Project Glasswing coordinated vulnerability research effort. Squid v7.6, released June 8, 2026, contains the fix.
If you operate Squid proxy in a multi-tenant environment — corporate network, school, public Wi-Fi, or any CI/CD setup where multiple users share a proxy — update now. If you cannot update immediately, disable FTP support in your Squid configuration. That is the complete short-term remediation.
The rest of this article explains the bug mechanism, the attack conditions, how Claude Mythos found it, and what the Squidbleed disclosure means for builders beyond the immediate patch.
What Squidbleed Does
Squid’s FTP directory listing parser, introduced in a 1997 commit to support legacy NetWare servers, processes FTP LIST responses by scanning each line for a filename following the modification timestamp. The parser uses strchr() to skip whitespace between fields.
The problem is a subtle C standard library behavior: strchr(w_space, '\0') — searching for a null terminator character in a whitespace set — returns a non-NULL pointer per C11 §7.24.5.2. The null terminator is considered part of any string by definition. This means that when an attacker-controlled FTP server returns a directory listing entry with no filename after the timestamp, the strchr call succeeds instead of returning NULL, and the loop continues reading past the end of the buffer.
This is a heap overread. The data being read past the buffer boundary can include whatever Squid happens to have allocated in adjacent heap memory at the time — and in an active proxy handling multiple users’ traffic simultaneously, that adjacent memory frequently contains HTTP headers, authentication tokens, cookies, and session identifiers from other users’ requests.
The leaked data is then incorporated into Squid’s internal representation and can be returned to the attacker in an FTP error response.
What can leak:
- HTTP
Authorizationheaders (Bearer tokens, Basic auth credentials) Cookieheader contents (session identifiers, CSRF tokens)- Any cleartext HTTP request headers from other users’ current sessions
- Credentials from TLS-terminating setups, where Squid decrypts HTTPS and inspects as HTTP
Who Is at Risk
Squidbleed requires three conditions to be exploitable:
| Condition | Details |
|---|---|
| Squid is handling multi-user traffic | Shared proxy environments where different users’ requests coexist in memory |
| Squid can reach attacker-controlled FTP | The proxy must make an outbound connection to TCP port 21 on an attacker-controlled server |
| Traffic is cleartext or TLS-terminating | Standard HTTPS (CONNECT tunnel) is opaque to Squid and its memory — TLS-terminating setups are not |
This profile matches shared network deployments: corporate proxies, school networks, public Wi-Fi gateways, and any enterprise environment where Squid sits in the path of multiple users’ traffic.
Less obvious but worth checking: CI/CD environments that route build traffic through a shared Squid instance for caching or auditing. If your build pipeline authenticates to package registries, artifact stores, or cloud APIs through a shared proxy, those credentials are in scope.
How Claude Mythos Found It
Security researcher Lam Jun Rong at Calif.io was using Claude Mythos Preview to investigate Squid’s FTP state machine — a targeted audit rather than a broad scan. Claude Mythos flagged the strchr(w_space, '\0') call almost immediately, identifying it as a case where the C standard’s treatment of the null terminator creates a subtle behavioral difference from what the parser author likely expected.
The find was independently reportable: Pavel Kohout at Aisle Security had already reported the same bug on March 4, 2026 without AI assistance, confirming that the vulnerability is real and discoverable — Claude Mythos simply surfaced it faster during a focused audit of the same code.
This is the pattern the Project Glasswing disclosures are establishing: not that AI invents new vulnerabilities, but that AI can triage dense, legacy C code fast enough to flag bugs that a human reviewer scanning the same file might skim past. A 29-year-old strchr call in a NetWare compatibility path is exactly the kind of code that gets audited once in 2003 and then never revisited.
Timeline
| Date | Event |
|---|---|
| January 1997 | Vulnerable code committed to Squid codebase |
| March 4, 2026 | Kohout (Aisle Security) reports the bug to Squid maintainers |
| April 2026 | Rong (Calif.io) independently reports with Claude Mythos assistance |
| June 8, 2026 | Squid v7.6 released with the fix |
| June 23, 2026 | Public disclosure; CVE-2026-47729 assigned; Squidbleed name published |
The gap between the first report (March 4) and public disclosure (June 23) reflects the standard coordinated disclosure timeline: Squid maintainers had three and a half months to ship a fix before the vulnerability details became public.
Fix: Two Steps, In Order
Step 1 — Update Squid to v7.6 or later. The fix is a null check before the strchr call. Every Squid version before 7.6 is affected in its default configuration.
# Debian/Ubuntu
apt update && apt install squid
# RHEL/CentOS
dnf update squid
# Verify version
squid -v | head -1
# Should show: Squid Cache: Version 7.6...
Step 2 — Disable FTP unless you specifically need it. The attack requires Squid to make an outbound FTP connection. If your environment does not route FTP traffic through the proxy, disabling FTP support removes the attack surface entirely and is the safer long-term posture regardless of version.
In squid.conf:
# Block FTP through the proxy
acl FTP proto FTP
http_access deny FTP
Chromium dropped FTP support in 2021. Most modern browsers do not initiate FTP connections. Lam Jun Rong’s assessment — “most organizations running Squid are getting close to zero legitimate FTP traffic” — is accurate for the majority of environments. Disabling FTP is low-risk and closes this entire attack class.
What This Means Beyond the Patch
Squidbleed is one disclosure from a coordinated research effort that has already produced thousands of CVEs from the Glasswing consortium. Anthropic’s Project Glasswing — the controlled research group with Mythos access — is working through major infrastructure software systematically. Squid’s FTP parser was one node in that audit.
The implication for builders: the pace of AI-discovered CVEs in infrastructure software is accelerating. Legacy codebases — Squid, OpenSSL-adjacent tools, proxy and caching software, network daemons — are going to generate a wave of disclosures as AI-assisted audits work through code that was last reviewed by humans in the early 2000s.
This means:
Your patching cadence needs to increase. If your infrastructure update cycle is quarterly, a three-month window from disclosure to exploitation will become increasingly untenable as discovery outpaces traditional review. Squid v7.6 shipped on June 8; by June 23, the bug was public. That is a fifteen-day exposure window at maximum, assuming you patch the day of disclosure.
Legacy “stable” software is not safe by default. Squid has been in production use for thirty years, has had multiple security audits, and is among the most deployed proxy implementations on the planet. None of that prevented this bug from existing for twenty-nine years. The audits humans ran were not finding it. Claude Mythos looked at the FTP state machine and flagged it in a session.
Monitor your proxy logs for FTP requests. If Squid is routing your users’ traffic and you see outbound FTP connections to unfamiliar hosts, treat that as an indicator of active exploitation attempt until you have confirmed the connection is legitimate. An attacker needs Squid to reach an FTP server they control — FTP traffic in an environment where legitimate FTP use is minimal is anomalous.
The patch is simple. The broader takeaway — that AI-assisted vulnerability research is going to surface decades-old bugs in your infrastructure at an accelerating rate — is worth building into your operational posture now rather than after the next disclosure catches you with a stale Squid install.