CVE-2026-40910
Received Received - Intake
Authentication Bypass in frp HTTP vhost Routing (routeByHTTPUser

Publication date: 2026-04-21

Last updated on: 2026-04-29

Assigner: GitHub, Inc.

Description
frp is a fast reverse proxy. From 0.43.0 to 0.68.0, frp contains an authentication bypass in the HTTP vhost routing path when routeByHTTPUser is used as part of access control. In proxy-style requests, the routing logic uses the username from Proxy-Authorization to select the routeByHTTPUser backend, while the access control check uses credentials from the regular Authorization header. As a result, an attacker who can reach the HTTP vhost entrypoint and knows or can guess the protected routeByHTTPUser value may access a backend protected by httpUser / httpPassword even with an incorrect Proxy-Authorization password. This issue affects deployments that explicitly use routeByHTTPUser. It does not affect ordinary HTTP proxies that do not use this feature. This vulnerability is fixed in 0.68.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40910
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fatedier frp From 0.43.0 (inc) to 0.68.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in frp, a fast reverse proxy, specifically in versions 0.43.0 to 0.68.0. It involves an authentication bypass in the HTTP virtual host routing path when the feature routeByHTTPUser is used for access control.

The issue arises because the routing logic uses the username from the Proxy-Authorization header to select the backend, but the access control check uses credentials from the regular Authorization header. This mismatch allows an attacker who can reach the HTTP vhost entrypoint and knows or can guess the protected routeByHTTPUser value to access a backend protected by httpUser/httpPassword even if the Proxy-Authorization password is incorrect.

This vulnerability only affects deployments explicitly using routeByHTTPUser and does not affect ordinary HTTP proxies that do not use this feature. It was fixed in version 0.68.1.

Impact Analysis

This vulnerability can allow an attacker to bypass authentication controls and gain unauthorized access to backend services protected by httpUser/httpPassword when routeByHTTPUser is used.

Such unauthorized access could lead to exposure of sensitive data or unauthorized actions within the backend systems.

However, this impact only applies if the deployment explicitly uses the routeByHTTPUser feature and the attacker can reach the HTTP vhost entrypoint and guess or know the protected routeByHTTPUser value.

Mitigation Strategies

To mitigate this vulnerability, upgrade frp to version 0.68.1 or later, where the authentication bypass issue has been fixed.

Additionally, avoid using the routeByHTTPUser feature in access control if possible, as the vulnerability specifically affects deployments that use this feature.

Compliance Impact

The vulnerability in frp allows an attacker to bypass authentication in certain configurations, potentially granting unauthorized access to protected backend services.

Such unauthorized access could lead to exposure or compromise of sensitive data, which may impact compliance with data protection regulations like GDPR or HIPAA that require strict access controls and protection of personal or health information.

However, the vulnerability only affects deployments explicitly using the routeByHTTPUser feature and does not impact ordinary HTTP proxies.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40910. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart