Description
frp is a fast reverse proxy. From 0.43.0 to 0.68.0, frp contains an authentication bypass in the HTTP vhost routing path when routeByHTTPUser is used as part of access control. In proxy-style requests, the routing logic uses the username from Proxy-Authorization to select the routeByHTTPUser backend, while the access control check uses credentials from the regular Authorization header. As a result, an attacker who can reach the HTTP vhost entrypoint and knows or can guess the protected routeByHTTPUser value may access a backend protected by httpUser / httpPassword even with an incorrect Proxy-Authorization password. This issue affects deployments that explicitly use routeByHTTPUser. It does not affect ordinary HTTP proxies that do not use this feature. This vulnerability is fixed in 0.68.1.
Published: 2026-04-21
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication bypass that allows unauthorized access to httpUser/httpPassword protected backends
Action: Immediate Patch
AI Analysis

Impact

frp, a fast reverse proxy, contains an authentication bypass in its HTTP vhost routing path when the routeByHTTPUser option is used as part of access control. For proxy-style requests, the routing layer selects the backend from the username carried in the Proxy-Authorization header, while the access control check verifies the credentials carried in the regular Authorization header. Because the two decisions read different headers, an attacker who can reach the HTTP vhost entry point and knows or can guess the protected routeByHTTPUser value can reach a backend guarded by httpUser/httpPassword even though the Proxy-Authorization password is wrong. The flaw is an improper authentication issue (CWE-287); the CVSS vector rates the confidentiality impact high and the integrity impact low, with no availability impact. Affected instances are fatedier:frp versions 0.43.0 through 0.68.0 in deployments that explicitly configure routeByHTTPUser; ordinary HTTP proxies that do not use the feature are not affected. Any organization running an frp server (frps) with the HTTP vhost endpoint exposed should confirm the frps version and review its frpc proxy configurations for routeByHTTPUser. The CVSS score is 6.5 (Medium); the EPSS score is below 1% (Very Low) and the CVE is not listed in the CISA KEV catalog. The attack is remote and unauthenticated (AV:N, PR:N) but rated high complexity (AC:H), because the attacker must learn the routeByHTTPUser value and craft proxy-style requests against the vhost entry point. No privileges on the host are required, so any party with network reachability to the frps HTTP vhost port is in scope.
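As an added illustration (example code written for this page, not frp's own implementation), the toy dispatcher below models the header split that the Description and the paragraph above describe. It assumes a single vhost domain with two routes, a public default route with no credentials and a protected route reached via routeByHTTPUser = "admin"; that two-route layout, the route and dispatch types, and the exact order of lookups are this example's assumptions, not a statement of frp's actual code path. dispatchVulnerable keys the credential check on the Authorization header but picks the backend from the Proxy-Authorization username, so a proxy-style request that names the protected route with a wrong password and carries no Authorization header at all is checked against the public route and then forwarded to the protected backend. dispatchFixed derives one credential per request and uses that same value for both the selection and the check.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// route is this example's stand-in for a per-backend proxy config: the
// httpUser/httpPassword that should guard it. The map key plays the part of
// routeByHTTPUser, with "" as the default route. These are not frp's types.
type route struct {
	name     string
	httpUser string // empty: no credentials required
	httpPass string
}

// Constructed sample layout for one vhost domain (an assumption of the example).
var routes = map[string]route{
	"":      {name: "public-site"},
	"admin": {name: "admin-panel", httpUser: "admin", httpPass: "s3cret"},
}

// parseBasic decodes a "Basic base64(user:pass)" header value; empty on failure.
func parseBasic(v string) (user, pass string) {
	const prefix = "Basic "
	if !strings.HasPrefix(v, prefix) {
		return "", ""
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(v[len(prefix):]))
	if err != nil {
		return "", ""
	}
	user, pass, _ = strings.Cut(string(raw), ":")
	return user, pass
}

// checkAuth verifies user/pass against the route that routeKey selects.
func checkAuth(routeKey, user, pass string) bool {
	r, ok := routes[routeKey]
	if !ok {
		return false
	}
	if r.httpUser == "" {
		return true
	}
	return user == r.httpUser && pass == r.httpPass
}

// dispatchVulnerable models the mismatch in the advisory: the credential check
// is keyed on the Authorization header, but a proxy-style request is routed by
// the Proxy-Authorization username, which the check never examined. It returns
// the backend reached, or "" when the request is rejected or unrouted.
func dispatchVulnerable(h http.Header) string {
	user, pass := parseBasic(h.Get("Authorization"))
	if !checkAuth(user, user, pass) {
		return ""
	}
	routeKey := user
	if pu, _ := parseBasic(h.Get("Proxy-Authorization")); pu != "" {
		routeKey = pu
	}
	return routes[routeKey].name
}

// dispatchFixed derives a single credential for the request (proxy header
// first, then Authorization) and uses that same value both to select the
// backend and to check that backend's credentials.
func dispatchFixed(h http.Header) string {
	user, pass := parseBasic(h.Get("Proxy-Authorization"))
	if user == "" {
		user, pass = parseBasic(h.Get("Authorization"))
	}
	if !checkAuth(user, user, pass) {
		return ""
	}
	return routes[user].name
}

// basic builds a Basic header value for the constructed requests below.
func basic(user, pass string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+pass))
}

func main() {
	// Constructed request: names the protected route through Proxy-Authorization
	// with a wrong password and carries no Authorization header at all.
	h := http.Header{"Proxy-Authorization": {basic("admin", "wrong")}}
	fmt.Println("vulnerable:", dispatchVulnerable(h)) // admin-panel
	fmt.Println("fixed:", dispatchFixed(h))           // empty: rejected
}
```

The point of the fixed variant is not which header it prefers but that the backend whose credentials are checked is the same backend the request is routed to; any structure that keeps those two lookups on one key closes this class of mismatch.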

Affected Systems

The affected product is fatedier:frp. Versions 0.43.0 through 0.68.0 are vulnerable when the "routeByHTTPUser" feature is enabled. Ordinary HTTP proxies that do not use this feature are not impacted.

Risk and Exploitability

The CVSS 3.1 score of 6.5 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N) indicates moderate severity: the attack is network-reachable and needs no privileges or user interaction, but attack complexity is high because the attacker must know or guess the routeByHTTPUser value. The EPSS score is below 1% (Very Low) and the vulnerability is not listed in the CISA KEV catalog; the SSVC enrichment records Exploitation: poc, meaning a proof of concept exists, with Automatable: no. Remote attackers with network access to the frp server's HTTP vhost entry point can craft proxy-style requests carrying a known or guessed routeByHTTPUser value to reach protected backends without the correct Proxy-Authorization password. No host-level privileges or local access are required, so the threat applies to any remote party that can reach the server.

Generated by OpenCVE AI on April 22, 2026 at 06:41 UTC.

Remediation

A vendor fix is available: the issue is fixed in frp 0.68.1 (see Description). No configuration-only workaround is provided by the vendor.

OpenCVE Recommended Actions

  • Upgrade frp to version 0.68.1 or later, where the authentication bypass is fixed.
  • If an upgrade cannot occur immediately, disable the routeByHTTPUser feature or restrict access to the HTTP vhost entry point to trusted networks, so that untrusted parties cannot send proxy-style requests to it.
  • Review proxy configurations that set routeByHTTPUser and do not treat the frp-side httpUser/httpPassword as the only authentication for those backends; have the backend service validate the Authorization credentials itself, so that a routing mismatch in frp cannot grant access on its own.
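To carry out the version and configuration checks above (and the "confirm the version and review usage of routeByHTTPUser" step under Impact), the helper below, an added example rather than a tool shipped by frp or OpenCVE, parses a version string such as the one `frps -v` prints, tests it against the affected range stated in this advisory, and scans an frpc proxy configuration for the routeByHTTPUser key or its legacy ini spelling route_by_http_user. The bare "X.Y.Z" version format and the sample config are assumptions of the example; confirm them against your own build and files.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// version is a parsed frp release number.
type version struct{ major, minor, patch int }

// Affected range from the advisory: 0.43.0 through 0.68.0, fixed in 0.68.1.
var (
	firstAffected = version{0, 43, 0}
	fixedIn       = version{0, 68, 1}
)

// parseVersion accepts "0.68.1" or "v0.68.1". That `frps -v` prints exactly
// this form is an assumption to confirm against your build.
func parseVersion(s string) (version, error) {
	parts := strings.Split(strings.TrimPrefix(strings.TrimSpace(s), "v"), ".")
	if len(parts) != 3 {
		return version{}, fmt.Errorf("unexpected version string %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return version{}, fmt.Errorf("unexpected version string %q", s)
		}
		n[i] = v
	}
	return version{n[0], n[1], n[2]}, nil
}

func (v version) less(o version) bool {
	if v.major != o.major {
		return v.major < o.major
	}
	if v.minor != o.minor {
		return v.minor < o.minor
	}
	return v.patch < o.patch
}

// affectedVersion reports whether v lies in [firstAffected, fixedIn).
func affectedVersion(v version) bool {
	return !v.less(firstAffected) && v.less(fixedIn)
}

// usesRouteByHTTPUser scans frpc config text for the v1 TOML key
// routeByHTTPUser or the legacy ini key route_by_http_user, skipping comments.
func usesRouteByHTTPUser(cfg string) bool {
	sc := bufio.NewScanner(strings.NewReader(cfg))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		key, _, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		switch strings.ToLower(strings.TrimSpace(key)) {
		case "routebyhttpuser", "route_by_http_user":
			return true
		}
	}
	return false
}

// triage returns true when both conditions from the advisory hold: an affected
// frps version and a proxy config that sets routeByHTTPUser.
func triage(frpsVersion, frpcConfig string) (bool, error) {
	v, err := parseVersion(frpsVersion)
	if err != nil {
		return false, err
	}
	return affectedVersion(v) && usesRouteByHTTPUser(frpcConfig), nil
}

// sampleConfig is a constructed frpc proxy entry in the v1 TOML format.
const sampleConfig = `[[proxies]]
name = "admin"
type = "http"
localPort = 8080
customDomains = ["example.com"]
routeByHTTPUser = "admin"
httpUser = "admin"
httpPassword = "s3cret"
`

func main() {
	hit, err := triage("0.61.0", sampleConfig)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("affected:", hit) // true: upgrade frps to 0.68.1 or later
}
```

Feed triage the output of `frps -v` from each server and the proxy section of each frpc config; only pairs where both checks are true need the upgrade treated as urgent, and an unparseable version string is reported as an error rather than silently treated as safe.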


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Fatedier; Fatedier frp
Vendors & Products    (none)           Fatedier; Fatedier frp

Wed, 22 Apr 2026 00:00:00 +0000

Type          Values Removed   Values Added
Description   (none)           frp is a fast reverse proxy. From 0.43.0 to 0.68.0, frp contains an authentication bypass in the HTTP vhost routing path when routeByHTTPUser is used as part of access control. (Full text as shown under Description above.)
Title         (none)           frp: Authentication bypass in frp HTTP vhost routing when routeByHTTPUser is used for access control
Weaknesses    (none)           CWE-287
References    (none)           (none)
Metrics       (none)           cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N'}
                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T20:28:48.579Z

Reserved: 2026-04-15T16:37:22.767Z

Link: CVE-2026-40910

Vulnrichment

Updated: 2026-04-21T20:28:37.740Z

NVD

Status: Received

Published: 2026-04-21T21:16:45.157

Modified: 2026-04-21T21:16:45.157

Link: CVE-2026-40910

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:45:20Z

Weaknesses