CVE-2026-40910— frp: Authentication bypass in frp HTTP vhost routing when routeByHTTPUser is used for access control

frp: Authentication bypass in frp HTTP vhost routing when routeByHTTPUser is used for access control

frp is a fast reverse proxy. From 0.43.0 to 0.68.0, frp contains an authentication bypass in the HTTP vhost routing path when routeByHTTPUser is used as part of access control. In proxy-style requests, the routing logic uses the username from Proxy-Authorization to select the routeByHTTPUser backend, while the access control check uses credentials from the regular Authorization header. As a result, an attacker who can reach the HTTP vhost entrypoint and knows or can guess the protected routeByHTTPUser value may access a backend protected by httpUser / httpPassword even with an incorrect Proxy-Authorization password. This issue affects deployments that explicitly use routeByHTTPUser. It does not affect ordinary HTTP proxies that do not use this feature. This vulnerability is fixed in 0.68.1.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

认证机制不恰当

frp 授权问题漏洞

frp是fatedier个人开发者的一个内网穿透反向代理工具。 frp 0.43.0版本至0.68.0版本存在授权问题漏洞，该漏洞源于使用routeByHTTPUser进行访问控制时，HTTP vhost路由路径存在身份验证绕过，可能导致攻击者即使提供错误的Proxy-Authorization密码，仍能访问受httpUser/httpPassword保护的后端。

N/A

N/A