PT-2026-34174 · Frp · Frp

0Wnerdied · Published 2026-04-14 · Updated 2026-04-27 · CVE-2026-40910

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: frp versions 0.43.0 through 0.68.0
Description: An authentication bypass exists in the HTTP vhost routing path when routeByHTTPUser is used for access control. For proxy-style requests, the routing logic selects the routeByHTTPUser backend using the username from the "Proxy-Authorization" header, while the access control check validates credentials from the standard "Authorization" header. Because backend selection and credential verification read different headers, an attacker who can reach the HTTP vhost entrypoint and knows or guesses the protected routeByHTTPUser value can reach a backend protected by httpUser and httpPassword even when the "Proxy-Authorization" password is wrong. Only deployments that explicitly set routeByHTTPUser are affected; ordinary HTTP proxies that do not use it are not.
Recommendations: Update to version 0.68.1. As a temporary workaround, restrict or disable use of the routeByHTTPUser feature; proxies that do not set routeByHTTPUser are not affected and need no workaround beyond the update.
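The header mismatch given in the description, modelled in Go as an added example. This is illustrative code written for this page, not frp's implementation and not the 0.68.1 patch; the route table, the fallback to a domain's default route, the Request shape, the constructed sample values and the hardened dispatchFixed variant are all assumptions of the model.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// RouteConfig is a hypothetical stand-in for one frp vhost route (not frp's own type).
type RouteConfig struct {
	Domain, RouteByHTTPUser, HTTPUser, HTTPPassword, Backend string
}

// Request carries only what the model needs from an HTTP request.
type Request struct {
	Host        string
	AbsoluteURI bool // proxy-style request line, e.g. "GET http://app.example.test/ HTTP/1.1"
	Headers     map[string]string
}

// parseBasic decodes an RFC 7617 Basic credential; ok is false for anything else.
func parseBasic(v string) (user, pass string, ok bool) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(v, "Basic "))
	if err != nil || !strings.HasPrefix(v, "Basic ") {
		return "", "", false
	}
	return strings.Cut(string(raw), ":")
}

// findRoute prefers the route whose routeByHTTPUser equals routeUser and otherwise
// falls back to the domain's default route (RouteByHTTPUser == ""), a model assumption.
func findRoute(routes []RouteConfig, domain, routeUser string) (RouteConfig, bool) {
	fallback, found := RouteConfig{}, false
	for _, r := range routes {
		switch {
		case r.Domain != domain:
		case r.RouteByHTTPUser != "" && r.RouteByHTTPUser == routeUser:
			return r, true
		case r.RouteByHTTPUser == "":
			fallback, found = r, true
		}
	}
	return fallback, found
}

func (r RouteConfig) checkAuth(user, pass string) bool {
	return r.HTTPUser == "" || (user == r.HTTPUser && pass == r.HTTPPassword)
}

// dispatchVulnerable models the advisory's mismatch: the access check reads Authorization,
// but a proxy-style request is routed by the Proxy-Authorization username, whose password is never checked.
func dispatchVulnerable(routes []RouteConfig, req Request) (backend string, status int) {
	authUser, authPass, _ := parseBasic(req.Headers["Authorization"])
	checked, ok := findRoute(routes, req.Host, authUser)
	if !ok || !checked.checkAuth(authUser, authPass) {
		return "", 401 // no route for this domain, or credentials rejected
	}
	routeUser := authUser
	if u, _, ok := parseBasic(req.Headers["Proxy-Authorization"]); ok && req.AbsoluteURI {
		routeUser = u
	}
	if target, ok := findRoute(routes, req.Host, routeUser); ok {
		return target.Backend, 200
	}
	return "", 404
}

// dispatchFixed is the author's hardening (not necessarily the 0.68.1 patch): pick one
// credential source, then route and check on that same username and password.
func dispatchFixed(routes []RouteConfig, req Request) (backend string, status int) {
	cred := req.Headers["Authorization"]
	if req.AbsoluteURI && req.Headers["Proxy-Authorization"] != "" {
		cred = req.Headers["Proxy-Authorization"]
	}
	user, pass, _ := parseBasic(cred)
	target, ok := findRoute(routes, req.Host, user)
	if !ok || !target.checkAuth(user, pass) {
		return "", 401
	}
	return target.Backend, 200
}

// sampleRoutes is a constructed table: an open default backend and an admin backend
// reachable only via routeByHTTPUser=admin and protected by httpUser/httpPassword.
var sampleRoutes = []RouteConfig{
	{Domain: "app.example.test", Backend: "public:8080"},
	{Domain: "app.example.test", RouteByHTTPUser: "admin", HTTPUser: "admin", HTTPPassword: "s3cret", Backend: "admin:9000"},
}

// proxyStyleRequest is a constructed proxy-style request carrying only Proxy-Authorization.
func proxyStyleRequest(user, pass string) Request {
	cred := "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+pass))
	return Request{Host: "app.example.test", AbsoluteURI: true, Headers: map[string]string{"Proxy-Authorization": cred}}
}

func main() {
	req := proxyStyleRequest("admin", "wrong-password")
	vb, vs := dispatchVulnerable(sampleRoutes, req)
	fb, fs := dispatchFixed(sampleRoutes, req)
	fmt.Printf("vulnerable: %d %q\nfixed:      %d %q\n", vs, vb, fs, fb)
}
```

Under dispatchVulnerable the proxy-style request with Proxy-Authorization admin:wrong-password lands on admin:9000: the access check only ever saw the absent Authorization header, matched the open default route and passed, and the routing step then trusted the Proxy-Authorization username without verifying its password. dispatchFixed answers 401 because the same credential pair drives both the lookup and the check. The practitioner's test is the same: whenever a proxy sets routeByHTTPUser together with httpUser and httpPassword, the identity that selects the backend and the identity whose credentials are verified must be one and the same.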

Weakness Enumeration: Improper Authentication (CWE-287)

Related Identifiers: CVE-2026-40910, GHSA-PQ96-PWVG-VRR9

Affected Products: Frp