CVE-2026-40910 Overview
CVE-2026-40910 is an authentication bypass vulnerability in frp (fast reverse proxy), affecting versions 0.43.0 through 0.68.0. The vulnerability exists in the HTTP vhost routing path when the routeByHTTPUser feature is used as part of access control. Due to inconsistent credential handling between routing and authorization logic, an attacker can bypass authentication and access protected backends.
Critical Impact
Attackers who can reach the HTTP vhost entrypoint and know or guess the protected routeByHTTPUser value may access backends protected by httpUser / httpPassword authentication, even when providing incorrect credentials.
Affected Products
- frp versions 0.43.0 to 0.68.0
- Deployments explicitly using the routeByHTTPUser feature
- HTTP vhost configurations with httpUser / httpPassword protection
Discovery Timeline
- 2026-04-21 - CVE CVE-2026-40910 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-40910
Vulnerability Analysis
This authentication bypass (CWE-287) stems from a logic flaw in how frp processes authentication credentials in proxy-style HTTP requests. The routing subsystem and the access control subsystem examine different HTTP headers to make their respective decisions, creating a security gap that allows attackers to circumvent authentication mechanisms.
In proxy-style requests, the routing logic examines the Proxy-Authorization header to determine which routeByHTTPUser backend should handle the request. However, the access control check—which validates whether the user should have access to the protected resource—uses credentials from the standard Authorization header instead.
This architectural inconsistency means an attacker can craft a request with a valid (or guessed) routeByHTTPUser value in the Proxy-Authorization header to select the target backend, while providing no valid credentials in the Authorization header that the access control system validates. Since these two components operate independently without cross-validation, the request is routed to the protected backend without proper authentication enforcement.
Root Cause
The root cause is an inconsistent credential evaluation between two separate code paths in the HTTP vhost routing mechanism. The routing decision uses credentials from Proxy-Authorization while access control validation uses credentials from Authorization, creating a split-brain authentication scenario where neither component has full visibility into the authentication state.
Attack Vector
The attack requires network access to the HTTP vhost entrypoint and knowledge (or ability to guess) the routeByHTTPUser value. An attacker constructs a proxy-style HTTP request with the target routeByHTTPUser value in the Proxy-Authorization header while leaving the Authorization header empty or containing invalid credentials. The routing logic routes the request to the intended backend based on Proxy-Authorization, but the access control check against Authorization fails to properly enforce authentication, resulting in unauthorized access.
This vulnerability does not affect ordinary HTTP proxy configurations that do not utilize the routeByHTTPUser feature. For technical details and remediation guidance, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-40910
Indicators of Compromise
- HTTP requests containing Proxy-Authorization headers with valid routeByHTTPUser values but invalid or missing passwords
- Successful access to routeByHTTPUser-protected backends without corresponding valid Authorization credentials
- Unusual access patterns to protected endpoints from unexpected IP addresses
Detection Strategies
- Monitor HTTP access logs for requests to protected backends that contain Proxy-Authorization without valid Authorization credentials
- Implement web application firewall (WAF) rules to detect requests with mismatched or suspicious authentication header combinations
- Review access logs for successful requests to httpUser/httpPassword-protected resources that lack valid authentication tokens
Monitoring Recommendations
- Enable verbose logging for frp HTTP vhost routing to capture all authentication-related events
- Set up alerting for access to protected backends where authentication validation failures are followed by successful access
- Audit all routeByHTTPUser configurations and monitor associated endpoints for unauthorized access attempts
How to Mitigate CVE-2026-40910
Immediate Actions Required
- Upgrade frp to version 0.68.1 or later immediately
- Review all configurations using routeByHTTPUser and temporarily disable the feature if patching is not immediately possible
- Implement network-level access controls to restrict access to HTTP vhost entrypoints to trusted sources only
Patch Information
The vulnerability is fixed in frp version 0.68.1. Organizations should upgrade to this version or later to remediate the authentication bypass. Refer to the GitHub Security Advisory for detailed patch information and upgrade guidance.
Workarounds
- Temporarily disable the routeByHTTPUser feature if the upgrade cannot be applied immediately
- Implement additional authentication layers upstream of frp, such as mutual TLS or IP-based access controls
- Use network segmentation to limit exposure of HTTP vhost entrypoints to trusted networks only
# Configuration example: Disable routeByHTTPUser temporarily
# In your frpc.toml configuration, comment out or remove routeByHTTPUser settings
# Example frpc.toml - remove the routeByHTTPUser line
# [web]
# type = http
# local_port = 8080
# custom_domains = example.com
# # routeByHTTPUser = admin # Comment out until patched
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
