Authentication Bypass Vulnerability in frp by Fatedier
CVE-2026-40910

6.5 MEDIUM

Key Information:

Vendor:
Fatedier

Status:
Vendor

CVE Published:
21 April 2026

What is CVE-2026-40910?

frp, a fast reverse proxy, has an authentication bypass flaw affecting versions 0.43.0 to 0.68.0. When the routeByHTTPUser feature is enabled, the routing logic selects the backend using the username extracted from the Proxy-Authorization header, while the access control check validates the credentials supplied in the standard Authorization header. Because routing and authentication read different headers, an attacker who knows the routeByHTTPUser value can be routed to a protected backend without supplying valid credentials, even when the Proxy-Authorization header carries an invalid password. Only deployments that enable the routeByHTTPUser feature are affected. The issue is fixed in version 0.68.1. For further information, please see the security advisory at GitHub.

Affected Version(s)

frp < 0.68.1

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved