External risk intelligence

FRP Authentication Bypass Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-40910

A vulnerability in the frp reverse proxy allows attackers to bypass authentication in specific HTTP vhost routing configurations. This could lead to unauthorized access to protected backend services, posing a risk to organizations using this feature.

5Halo Surface Signal

Authentication Bypass

Fatedier Frp

0.43.0 to before 0.68.1

External exposure likelihood

Halo Surface Signal score for CVE-2026-40910

frp is a reverse proxy software designed to route traffic to internal services, often enabling external access to private networks. By its architectural nature as an internet-facing gateway and reverse proxy, it sits at the edge of the network and is designed to handle incoming requests from external sources, making it a public-facing service in common deployments.

PCI scan relevance

PCI Relevance for CVE-2026-40910

Yes

CVE-2026-40910 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This CVE affects frp and involves an authentication bypass vulnerability, which is a common class of issue that can lead to PCI scan failures.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Horizon Alert

Summary of the vulnerability and why it matters

The frp reverse proxy software is vulnerable due to an authentication bypass flaw when using specific HTTP vhost routing configurations. This weakness allows unauthorized access to protected backend services, even when credentials are not correctly provided. Organizations relying on this feature may face risks to their internal systems and data.

  • Vulnerable frp reverse proxy routing.
  • Authentication bypass allows unauthorized access.
  • Potential exposure of protected backend services.

Attack Path

How an attacker could exploit the issue

An attacker can bypass authentication when the frp HTTP vhost routing feature, specifically `routeByHTTPUser`, is in use. This occurs when the system checks credentials from one header while routing based on information from another. Attackers who can reach the HTTP vhost entrypoint and know the protected `routeByHTTPUser` value may gain unauthorized access to protected backends. This could impact organizations that use this specific access control feature.

  • Exposed HTTP vhost entrypoint.
  • Attacker guesses protected route value.
  • Unauthenticated access to backend.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in the frp reverse proxy could allow an attacker to bypass authentication and access protected backends. Exploitation requires an attacker to reach the HTTP vhost entrypoint and possess or guess the value associated with a specific routing configuration. Organizations using this feature face a significant risk of unauthorized data access and system compromise.

  • Attackers with low skill level.
  • No authentication or network access needed.
  • High business risk requires urgent attention.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An authentication bypass vulnerability in `frp` could allow attackers to access protected backends by manipulating routing logic. This occurs when specific access control configurations are in use, potentially exposing sensitive data or systems to unauthorized access. Organizations utilizing `frp` with the affected configurations should prioritize addressing this risk.

  • Identify `frp` deployments using `routeByHTTPUser`.
  • Isolate affected `frp` services.
  • Apply vendor update and validate.

Frequently asked questions

What is frp and what is it used for?

frp is a fast reverse proxy software. It is used to route traffic, often enabling external access to internal services. This helps organizations make private networks accessible from the internet.

What kind of weakness does CVE-2026-40910 describe in frp?

CVE-2026-40910 describes an authentication bypass weakness in frp. This happens when the HTTP vhost routing feature, specifically `routeByHTTPUser`, is used for access control. It allows attackers to access protected services without providing correct credentials.

How could an attacker exploit this frp vulnerability?

An attacker could exploit this by reaching the frp's HTTP vhost entrypoint and knowing or guessing the protected `routeByHTTPUser` value. The vulnerability lies in how the system checks credentials from one header while routing based on another, allowing bypass even with incorrect passwords.

Who should be concerned about this CVE-2026-40910 threat?

Organizations using frp, especially those with internet-facing deployments that utilize the `routeByHTTPUser` feature for access control, should be concerned. The Halo Surface Signal indicates this is a very likely threat due to frp's common role as an internet-facing gateway.

What are the first steps to address this frp vulnerability?

First, identify any frp deployments that are using the `routeByHTTPUser` configuration. Then, consider isolating these affected frp services if possible, and apply the vendor's update to version 0.68.1 or later to remediate the vulnerability.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified