CVE-2026-40910
Authentication Bypass in frp HTTP vhost Routing (routeByHTTPUser)
Publication date: 2026-04-21
Last updated on: 2026-04-29
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fatedier | frp | From 0.43.0 (inc) to 0.68.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in frp, a fast reverse proxy, in versions 0.43.0 through 0.68.0. It is an authentication bypass in the HTTP virtual host (vhost) routing path when the routeByHTTPUser feature is used for access control.
The issue arises because the routing logic selects the backend using the username from the Proxy-Authorization header, while the access control check verifies credentials taken from the regular Authorization header. Because the two checks read different headers, an attacker who can reach the HTTP vhost entrypoint and knows or can guess the protected routeByHTTPUser value can reach a backend protected by httpUser/httpPassword even when the password in Proxy-Authorization is wrong.
This vulnerability only affects deployments that explicitly use routeByHTTPUser; ordinary HTTP proxies that do not use this feature are not affected. It was fixed in version 0.68.1.
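The defensive invariant behind the fix is that the identity used to pick a backend must be the same identity whose password is verified. The following Go program is an added example written for this page; it is not frp's code and the Backend and Router types, the field names and the sample credentials are all assumptions of the example. It parses Proxy-Authorization once, routes on the username it decoded, and then checks that same username and password against the selected backend's httpUser/httpPassword, so a wrong password can never reach the backend.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// Backend models one HTTP proxy entry. The field names mirror the configuration
// keys named in the advisory; the struct itself is an assumption of this example.
type Backend struct {
	Name            string
	RouteByHTTPUser string // username that selects this backend
	HTTPUser        string // credentials protecting the backend (empty = no auth)
	HTTPPassword    string
}

// Router indexes backends by their routeByHTTPUser value.
type Router struct {
	byUser map[string]Backend
}

func NewRouter(backends []Backend) *Router {
	r := &Router{byUser: map[string]Backend{}}
	for _, b := range backends {
		r.byUser[b.RouteByHTTPUser] = b
	}
	return r
}

// parseBasic decodes a "Basic <base64(user:pass)>" header value.
func parseBasic(header string) (user, pass string, ok bool) {
	const prefix = "Basic "
	if !strings.HasPrefix(header, prefix) {
		return "", "", false
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(header[len(prefix):]))
	if err != nil {
		return "", "", false
	}
	return strings.Cut(string(raw), ":")
}

// Resolve selects the backend and authenticates the client from ONE credential:
// the username that picks the backend is the username whose password is verified.
// Reading routing identity from one header and credentials from another is the
// mismatch the advisory describes, so no second header is consulted here.
func (r *Router) Resolve(proxyAuth string) (Backend, error) {
	user, pass, ok := parseBasic(proxyAuth)
	if !ok {
		return Backend{}, fmt.Errorf("missing or malformed Proxy-Authorization")
	}
	b, found := r.byUser[user]
	if !found {
		return Backend{}, fmt.Errorf("no backend routed for user %q", user)
	}
	if b.HTTPUser == "" && b.HTTPPassword == "" {
		return b, nil // backend without httpUser/httpPassword: routing alone is the policy
	}
	userOK := subtle.ConstantTimeCompare([]byte(user), []byte(b.HTTPUser)) == 1
	passOK := subtle.ConstantTimeCompare([]byte(pass), []byte(b.HTTPPassword)) == 1
	if !(userOK && passOK) {
		return Backend{}, fmt.Errorf("credentials rejected for backend %q", b.Name)
	}
	return b, nil
}

// ServeHTTP exposes Resolve as the vhost entrypoint handler.
func (r *Router) ServeHTTP(w http.ResponseWriter, req *http.Request) {
	b, err := r.Resolve(req.Header.Get("Proxy-Authorization"))
	if err != nil {
		w.Header().Set("Proxy-Authenticate", `Basic realm="vhost"`)
		http.Error(w, "Proxy Authentication Required", http.StatusProxyAuthRequired)
		return
	}
	fmt.Fprintf(w, "routed to %s\n", b.Name)
}

func main() {
	// Constructed sample backend and a request carrying the wrong password.
	r := NewRouter([]Backend{{Name: "intranet", RouteByHTTPUser: "alice", HTTPUser: "alice", HTTPPassword: "s3cret"}})
	hdr := "Basic " + base64.StdEncoding.EncodeToString([]byte("alice:wrong-password"))
	_, err := r.Resolve(hdr)
	fmt.Println("wrong password routed?", err == nil) // false
}
```

Resolve is separated from ServeHTTP so the routing-plus-authentication decision can be unit tested without a listener; the handler only translates the error into a 407.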
How can this vulnerability impact me?
This vulnerability can allow an attacker to bypass authentication controls and gain unauthorized access to backend services protected by httpUser/httpPassword when routeByHTTPUser is used.
Such unauthorized access could lead to exposure of sensitive data or unauthorized actions within the backend systems.
This impact applies only if the deployment explicitly uses the routeByHTTPUser feature and the attacker can reach the HTTP vhost entrypoint and knows or can guess the protected routeByHTTPUser value.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade frp to version 0.68.1 or later, where the authentication bypass has been fixed.
Until the upgrade is done, avoid relying on routeByHTTPUser for access control where possible, since only deployments that use this feature are affected.
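A practical way to act on both steps is to check each frp instance's version against the affected range and its client configuration for routeByHTTPUser use. The Go program below is an added example for this page, not an frp tool: it takes the affected range [0.43.0, 0.68.1) from the advisory, scans a configuration text for the routeByHTTPUser key (the underscore spelling is assumed here to cover older INI-style configs), and returns a triage verdict. The sample configuration is constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

type semver [3]int

// parseVersion accepts "0.52.3" or "v0.52.3".
func parseVersion(s string) (semver, error) {
	var v semver
	parts := strings.Split(strings.TrimPrefix(strings.TrimSpace(s), "v"), ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("expected MAJOR.MINOR.PATCH, got %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad version component %q in %q", p, s)
		}
		v[i] = n
	}
	return v, nil
}

func (a semver) less(b semver) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// Affected range from the advisory: 0.43.0 inclusive to 0.68.1 exclusive.
var (
	firstAffected = semver{0, 43, 0}
	fixedVersion  = semver{0, 68, 1}
)

// VersionAffected reports whether an frp version falls inside [0.43.0, 0.68.1).
func VersionAffected(version string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	return !v.less(firstAffected) && v.less(fixedVersion), nil
}

// routeKey matches the routeByHTTPUser key (quoted or bare value) at line start.
// The underscore form is an assumed legacy spelling, included so older configs
// are not silently skipped.
var routeKey = regexp.MustCompile(`(?m)^\s*(?:routeByHTTPUser|route_by_http_user)\s*=\s*"?([^"\s]+)"?`)

// RoutedUsers returns every routeByHTTPUser value found in a config text.
func RoutedUsers(config string) []string {
	var users []string
	for _, m := range routeKey.FindAllStringSubmatch(config, -1) {
		users = append(users, m[1])
	}
	return users
}

// Triage combines the version and configuration checks into one verdict.
func Triage(version, config string) (string, error) {
	affected, err := VersionAffected(version)
	if err != nil {
		return "", err
	}
	users := RoutedUsers(config)
	switch {
	case !affected:
		return "not affected: version outside [0.43.0, 0.68.1)", nil
	case len(users) == 0:
		return "version affected but routeByHTTPUser not in use; upgrade when convenient", nil
	default:
		return fmt.Sprintf("EXPOSED: %d proxies use routeByHTTPUser (%s); upgrade to 0.68.1 or later now",
			len(users), strings.Join(users, ", ")), nil
	}
}

func main() {
	// Constructed sample frpc configuration for demonstration.
	cfg := "[[proxies]]\nname = \"intranet\"\ntype = \"http\"\nrouteByHTTPUser = \"alice\"\nhttpUser = \"alice\"\nhttpPassword = \"s3cret\"\n"
	verdict, err := Triage("v0.60.0", cfg)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(verdict)
}
```

The version check deliberately refuses non-numeric strings such as "latest" rather than guessing, since a fleet inventory that silently treats unknown versions as safe is worse than one that flags them for a manual look.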
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in frp allows an attacker to bypass authentication in certain configurations, potentially granting unauthorized access to protected backend services.
Such unauthorized access could lead to exposure or compromise of sensitive data, which may impact compliance with data protection regulations like GDPR or HIPAA that require strict access controls and protection of personal or health information.
The vulnerability only affects deployments that explicitly use the routeByHTTPUser feature; ordinary HTTP proxies are not impacted.