Netcrook

Old Protocol, New Leak: Squid’s FTP Path Turns into a Secret Spill Risk

Published: 23 June 2026 08:24 | Category: Vulnerabilities & Patch Management | Author: NEONPALADIN

A long-lived flaw in Squid’s FTP gateway path, tracked as CVE-2026-47729, highlights how legacy protocol support can still put credentials and other header-based secrets at risk.

Proxy software is supposed to reduce exposure, not widen it. Yet Squid, one of the internet’s best-known caching proxies, has landed in the spotlight after a newly tracked flaw was tied to an FTP gateway path that can disclose sensitive memory contents under the reported conditions. The troubling part is not just the bug itself, but the fact that the risky surface sits inside a trusted intermediary many teams leave running for years.

Fast Facts

  • CVE-2026-47729 affects Squid’s FTP gateway path.
  • The issue is described as an out-of-bounds read caused by improper input validation.
  • HTTP authorization headers and API keys were identified as sensitive data that may be exposed.
  • FTP appears in stock-style Safe_ports examples, so exposure can persist in default-style deployments.
  • Squid 7.6 includes the fix and adds FTP-specific hardening.

Why this bug matters

The technical danger here is not a noisy crash. It is confidentiality loss. In long-running C and C++ services, an out-of-bounds read can pull in stale bytes from memory that belong to earlier requests or unrelated transactions. In a proxy, that is especially sensitive because the process may have handled credentials, cookies, tokens, or upstream headers moments before the faulty read.

The reported trigger is narrower than a generic internet-facing flaw: it sits in Squid’s FTP gateway behavior, not in ordinary HTTP forwarding. That distinction matters. It means defenders should not assume every Squid deployment is equally exposed. The real question is whether FTP support is reachable in a given environment and whether the proxy still permits that legacy path at all.

That is where configuration becomes part of the threat model. Squid’s default-style ACL templates include FTP on port 21 in Safe_ports, which means legacy protocol access can remain present unless administrators consciously remove it or block it. In other words, a forgotten compatibility feature can become the narrow corridor through which memory disclosure occurs.

There is also a clear credential-handling lesson. Squid can process HTTP Authorization-related data, and header-bearing secrets are high-value targets when memory safety fails. The exact leaked contents in this case are not independently confirmed here, so it is better to treat the impact as possible disclosure of secret material rather than guaranteed theft of a specific token type.

Squid 7.6 contains the fix for CVE-2026-47729 and adds FTP-specific hardening, which strongly signals that the vulnerable path sits in parser and validation code around the legacy protocol surface. For defenders, the practical response is straightforward: patch, then verify whether FTP is actually needed, and then minimize what headers the proxy preserves on outbound hops.
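The three defender steps above (is port 21 still in Safe_ports, is the FTP scheme explicitly denied, is Authorization still forwarded on outbound hops) can be checked against a squid.conf text. This is an added example, not code from the article or the Squid project; both configuration fragments are constructed, and the hardened one's `request_header_access Authorization deny all` is a policy choice that stops the proxy forwarding client Authorization headers to origin servers.

```shell
#!/bin/sh
# Audit a squid.conf text for the legacy FTP surface discussed above (added example).
# Findings: (1) port 21 still in Safe_ports, (2) no explicit deny of the FTP
# scheme, (3) Authorization header still forwarded to origin servers.

# Constructed sample modelled on Squid's stock-style ACL examples (FTP still reachable).
STOCK_CONF='acl localnet src 10.0.0.0/8
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
http_access deny !Safe_ports
http_access allow localnet
http_access deny all'

# Constructed hardened variant: 21 removed, ftp:// denied by scheme before any allow
# (a port check alone would still pass ftp://host:80/), and Authorization not forwarded.
HARDENED_CONF='acl localnet src 10.0.0.0/8
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl ftp_scheme proto FTP
http_access deny !Safe_ports
http_access deny ftp_scheme
http_access allow localnet
http_access deny all
request_header_access Authorization deny all'

# audit_squid_conf CONF_TEXT: one WARN per finding on stderr, finding count on stdout.
audit_squid_conf() {
    conf=$(printf '%s\n' "$1" | sed 's/#.*//')    # drop trailing comments
    n=0
    # (1) any "acl Safe_ports port ..." line whose port tokens include 21
    if printf '%s\n' "$conf" | awk '$1=="acl" && $2=="Safe_ports" && $3=="port" {for(i=4;i<=NF;i++) if($i=="21") f=1} END{exit !f}'; then
        echo "WARN: Safe_ports still lists port 21" >&2; n=$((n+1))
    fi
    # (2) collect every "proto FTP" ACL name and check that one of them is denied in http_access
    denied=0
    for a in $(printf '%s\n' "$conf" | awk '$1=="acl" && $3=="proto" {for(i=4;i<=NF;i++) if(toupper($i)=="FTP") print $2}'); do
        printf '%s\n' "$conf" | awk -v a="$a" '$1=="http_access" && $2=="deny" {for(i=3;i<=NF;i++) if($i==a) f=1} END{exit !f}' && denied=1
    done
    [ "$denied" -eq 1 ] || { echo "WARN: no http_access deny for an FTP-scheme ACL" >&2; n=$((n+1)); }
    # (3) Authorization header still forwarded on outbound hops
    printf '%s\n' "$conf" | grep -Eqi '^[[:space:]]*request_header_access[[:space:]]+Authorization[[:space:]]+deny' \
        || { echo "WARN: Authorization header forwarded to origin servers" >&2; n=$((n+1)); }
    echo "$n"
}
```

Run it against a live file with `audit_squid_conf "$(cat /etc/squid/squid.conf)"`; the stock-style sample yields three findings, the hardened one none.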

At the time of writing, public technical detail does not fully establish the complete affected-version matrix, the exact data that may be recovered, or whether every default-style deployment is exposed in practice. The available information supports a risk analysis, not a claim of universal compromise.

Conclusion

The larger lesson is uncomfortable but familiar: the oldest code paths in infrastructure are often the hardest to retire, and the easiest to overlook. When a proxy still speaks to a legacy protocol like FTP, defenders should treat that feature as a separate attack surface, not a harmless relic. In modern security engineering, reducing protocol reach can be just as important as applying the patch.

TECHCROOK

Hardware firewall appliance: A hardware firewall appliance can help separate proxy servers from the rest of the network, restrict legacy ports like FTP, and enforce simpler access rules. It is a practical fit for environments that still run shared infrastructure.

Techcrook fact sheet: Hardware firewall appliance

WIKICROOK

  • Out-of-bounds read: A memory-safety flaw where a program reads beyond a buffer and may reveal stale data.
  • FTP gateway: A proxy path that brokers access to FTP servers through the proxy service.
  • Authorization header: An HTTP header commonly used to carry credentials or bearer tokens.
  • Safe_ports: A Squid ACL template that lists destination ports considered acceptable for proxying.
  • request_header_access: A Squid directive used to allow, deny, or strip specific HTTP headers.