{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40910", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T16:37:22.767Z", "datePublished": "2026-04-21T20:09:00.893Z", "dateUpdated": "2026-04-21T20:28:48.579Z"}, "containers": {"cna": {"title": "frp: Authentication bypass in frp HTTP vhost routing when routeByHTTPUser is used for access control", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/fatedier/frp/security/advisories/GHSA-pq96-pwvg-vrr9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/fatedier/frp/security/advisories/GHSA-pq96-pwvg-vrr9"}], "affected": [{"vendor": "fatedier", "product": "frp", "versions": [{"version": "< 0.68.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T20:09:00.893Z"}, "descriptions": [{"lang": "en", "value": "frp is a fast reverse proxy. From 0.43.0 to 0.68.0, frp contains an authentication bypass in the HTTP vhost routing path when routeByHTTPUser is used as part of access control. In proxy-style requests, the routing logic uses the username from Proxy-Authorization to select the routeByHTTPUser backend, while the access control check uses credentials from the regular Authorization header. As a result, an attacker who can reach the HTTP vhost entrypoint and knows or can guess the protected routeByHTTPUser value may access a backend protected by httpUser / httpPassword even with an incorrect Proxy-Authorization password. This issue affects deployments that explicitly use routeByHTTPUser. It does not affect ordinary HTTP proxies that do not use this feature. This vulnerability is fixed in 0.68.1."}], "source": {"advisory": "GHSA-pq96-pwvg-vrr9", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/fatedier/frp/security/advisories/GHSA-pq96-pwvg-vrr9", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T20:28:44.365794Z", "id": "CVE-2026-40910", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:28:48.579Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40910", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T20:28:44.365794Z"}}}], "references": [{"url": "https://github.com/fatedier/frp/security/advisories/GHSA-pq96-pwvg-vrr9", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:28:37.740Z"}}], "cna": {"title": "frp: Authentication bypass in frp HTTP vhost routing when routeByHTTPUser is used for access control", "source": {"advisory": "GHSA-pq96-pwvg-vrr9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "fatedier", "product": "frp", "versions": [{"status": "affected", "version": "< 0.68.1"}]}], "references": [{"url": "https://github.com/fatedier/frp/security/advisories/GHSA-pq96-pwvg-vrr9", "name": "https://github.com/fatedier/frp/security/advisories/GHSA-pq96-pwvg-vrr9", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "frp is a fast reverse proxy. From 0.43.0 to 0.68.0, frp contains an authentication bypass in the HTTP vhost routing path when routeByHTTPUser is used as part of access control. In proxy-style requests, the routing logic uses the username from Proxy-Authorization to select the routeByHTTPUser backend, while the access control check uses credentials from the regular Authorization header. As a result, an attacker who can reach the HTTP vhost entrypoint and knows or can guess the protected routeByHTTPUser value may access a backend protected by httpUser / httpPassword even with an incorrect Proxy-Authorization password. This issue affects deployments that explicitly use routeByHTTPUser. It does not affect ordinary HTTP proxies that do not use this feature. This vulnerability is fixed in 0.68.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T20:09:00.893Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40910", "state": "PUBLISHED", "dateUpdated": "2026-04-21T20:28:48.579Z", "dateReserved": "2026-04-15T16:37:22.767Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T20:09:00.893Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "frp is a fast reverse proxy. From 0.43.0 to 0.68.0, frp contains an authentication bypass in the HTTP vhost routing path when routeByHTTPUser is used as part of access control. In proxy-style requests, the routing logic uses the username from Proxy-Authorization to select the routeByHTTPUser backend, while the access control check uses credentials from the regular Authorization header. As a result, an attacker who can reach the HTTP vhost entrypoint and knows or can guess the protected routeByHTTPUser value may access a backend protected by httpUser / httpPassword even with an incorrect Proxy-Authorization password. This issue affects deployments that explicitly use routeByHTTPUser. It does not affect ordinary HTTP proxies that do not use this feature. This vulnerability is fixed in 0.68.1."}], "id": "CVE-2026-40910", "lastModified": "2026-04-21T21:16:45.157", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T21:16:45.157", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/fatedier/frp/security/advisories/GHSA-pq96-pwvg-vrr9"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/fatedier/frp/security/advisories/GHSA-pq96-pwvg-vrr9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T06:41:31.562579+00:00", "value": {"mitigation_remediation": ["Upgrade frp to version 0.68.1 or later, where the authentication bypass is fixed.", "If an upgrade cannot occur immediately, disable the routeByHTTPUser feature or restrict HTTP vhost access to trusted networks to prevent unauthenticated access.", "Review and adjust your proxy configuration to ensure that Proxy-Authorization tokens are not used for routing when authentication is required, and verify that the Authorization header is properly validated by the backend service."], "summary": {"action": "Immediate Patch", "impact": "Authentication bypass that allows unauthorized access to httpUser/httpPassword protected backends"}, "threat_synthesis": {"affected_systems": "The affected product is fatedier:frp. Versions 0.43.0 through 0.68.0 are vulnerable when the \"routeByHTTPUser\" feature is enabled. Ordinary HTTP proxies that do not use this feature are not impacted.", "description_and_impact": "frp, a fast reverse proxy, contains an authentication bypass in its HTTP vhost routing path when the \"routeByHTTPUser\" feature is enabled. The routing layer selects the backend based on the username supplied in the Proxy-Authorization header, while the access control check verifies credentials from the normal Authorization header. As a result, an attacker who can reach the HTTP vhost entry point and knows or can guess the protected routeByHTTPUser value can access a backend protected by httpUser/httpPassword even when the Proxy-Authorization password is incorrect, effectively bypassing authentication. This flaw is a core authentication bypass (CWE\u2011287) and compromises the confidentiality and integrity of services exposed through the affected proxy.\n\nAffected instances are fatedier:frp versions 0.43.0 through 0.68.0 when the routeByHTTPUser option is used. Deployments that do not enable this feature are not affected. Any organization running a frp instance that exposes the HTTP vhost endpoint must verify the version and review usage of \"routeByHTTPUser\".\n\nThe vulnerability carries a moderate CVSS score of 6.5; its EPSS score is currently unavailable and it is not listed in the CISA KEV catalog.\n\nThe likely attack vector is remote, requiring an attacker to send crafted HTTP requests to the vhost entry point and supply an incorrect Proxy-Authorization token while guessing the routeByHTTPUser value. Because the flaw does not require privileged access on the host, the risk is presented to any remote party with network reachability to the frp server.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate impact; the absence of an EPSS score means current exploitation probability is unknown, but this is a non\u2011zero risk. The vulnerability is not listed in the CISA KEV catalog. The flaw can be exploited by remote attackers with network access to the frp server, who can craft HTTP requests targeting the vhost entry point and use a guessed or known routeByHTTPUser value to access protected backends without the correct Proxy-Authorization credentials. No host\u2011level privileges or local access are required for exploitation, making the threat relevant to any remote attacker that can reach the server."}}}}, "created": "2026-04-22T06:45:10.877821+00:00", "updated": "2026-04-22T06:45:10.877833+00:00", "vendors": []}