CVE-2026-40910

CVE-2026-40910

Name

CVE-2026-40910

Description

frp is a fast reverse proxy. From 0.43.0 to 0.68.0, frp contains an authentication bypass in the HTTP vhost routing path when routeByHTTPUser is used as part of access control. In proxy-style requests, the routing logic uses the username from Proxy-Authorization to select the routeByHTTPUser backend, while the access control check uses credentials from the regular Authorization header. As a result, an attacker who can reach the HTTP vhost entrypoint and knows or can guess the protected routeByHTTPUser value may access a backend protected by httpUser / httpPassword even with an incorrect Proxy-Authorization password. This issue affects deployments that explicitly use routeByHTTPUser. It does not affect ordinary HTTP proxies that do not use this feature. This vulnerability is fixed in 0.68.1.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
security-advisories@github.com	https://github.com/fatedier/frp/security/advisories/GHSA-pq96-pwvg-vrr9

Type

URI

security-advisories@github.com

https://github.com/fatedier/frp/security/advisories/GHSA-pq96-pwvg-vrr9

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:fatedier:frp::::::::`	frp	>= 0.43.0	< 0.68.1

CPE URI

Source package

Min version

Max version

cpe:2.3:a:fatedier:frp:*:*:*:*:*:*:*:*

frp

>= 0.43.0

< 0.68.1

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
frp	edge-community	0.65.0-r5	wener <wenermail@gmail.com>	possibly vulnerable
frp	edge-community	0.65.0-r4	wener <wenermail@gmail.com>	possibly vulnerable
frp	edge-community	0.65.0-r3	wener <wenermail@gmail.com>	possibly vulnerable
frp	edge-community	0.65.0-r2	wener <wenermail@gmail.com>	possibly vulnerable
frp	edge-community	0.65.0-r1	wener <wenermail@gmail.com>	possibly vulnerable
frp	edge-community	0.65.0-r0	wener <wenermail@gmail.com>	possibly vulnerable
frp	edge-community	0.63.0-r4	wener <wenermail@gmail.com>	possibly vulnerable
frp	edge-community	0.63.0-r3	wener <wenermail@gmail.com>	possibly vulnerable
frp	edge-community	0.63.0-r2	wener <wenermail@gmail.com>	possibly vulnerable
frp	edge-community	0.63.0-r1	wener <wenermail@gmail.com>	possibly vulnerable
frp	edge-community	0.63.0-r0	wener <wenermail@gmail.com>	possibly vulnerable
frp	edge-community	0.61.2-r2	wener <wenermail@gmail.com>	possibly vulnerable
frp	edge-community	0.61.2-r1	wener <wenermail@gmail.com>	possibly vulnerable
frp	edge-community	0.61.2-r0	wener <wenermail@gmail.com>	possibly vulnerable
frp	edge-community	0.61.0-r3	wener <wenermail@gmail.com>	possibly vulnerable
frp	edge-community	0.61.0-r2	wener <wenermail@gmail.com>	possibly vulnerable
frp	edge-community	0.61.0-r1	wener <wenermail@gmail.com>	possibly vulnerable
frp	edge-community	0.61.0-r0	wener <wenermail@gmail.com>	possibly vulnerable
frp	3.23-community	0.65.0-r5	wener <wenermail@gmail.com>	possibly vulnerable
frp	3.23-community	0.65.0-r4	wener <wenermail@gmail.com>	possibly vulnerable
frp	3.23-community	0.65.0-r3	wener <wenermail@gmail.com>	possibly vulnerable
frp	3.23-community	0.65.0-r2	wener <wenermail@gmail.com>	possibly vulnerable
frp	3.23-community	0.65.0-r1	wener <wenermail@gmail.com>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages