CVE-2026-40910
Authentication bypass in frp allows access to protected resources without a valid password.
frp is a fast reverse proxy. Versions 0.43.0 through 0.68.0 contain an authentication bypass in the HTTP vhost routing path when routeByHTTPUser is used as part of access control. For proxy-style requests, the routing logic takes the username from the Proxy-Authorization header to select the routeByHTTPUser backend, while the access control check reads credentials from the regular Authorization header. Because the two decisions draw on different headers, an attacker who can reach the HTTP vhost entrypoint and knows or can guess the protected routeByHTTPUser value may reach a backend protected by httpUser / httpPassword even with an incorrect Proxy-Authorization password. Only deployments that explicitly set routeByHTTPUser are affected; ordinary HTTP proxies that do not use this feature are not. The issue is fixed in 0.68.1.
| Source | Value |
|---|---|
| NVD – CVSS | 6.5 |
| CISA KEV (actively exploited) | No |
| FIRST EPSS (exploit probability) | 0.1% |
| Published (NVD) | 2026-04-21 21:16:45 UTC |
| Last modified (NVD) | 2026-04-29 23:20:37 UTC |
- https://github.com/fatedier/frp/security/advisories/GHSA-pq96-pwvg-vrr9 (security-advisories@github.com) [Exploit, Vendor Advisory]