A 29-year-old bug in the Squid web proxy, tracked as CVE-2026-47729 and dubbed Squidbleed, lets an authorized proxy user retrieve fragments of another user's cleartext HTTP requests, including credentials and session tokens. The security researcher credited Anthropic's Claude Mythos Preview for the discovery. Squid describes the attack as requiring a trusted client already permitted to use the proxy.
Summary by ByteBrief