{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/83947?format=json","vulnerability_id":"VCID-7n9u-7bzx-w7e7","summary":"frp is a fast reverse proxy. From 0.43.0 to 0.68.0, frp contains an authentication bypass in the HTTP vhost routing path when routeByHTTPUser is used as part of access control. In proxy-style requests, the routing logic uses the username from Proxy-Authorization to select the routeByHTTPUser backend, while the access control check uses credentials from the regular Authorization header. As a result, an attacker who can reach the HTTP vhost entrypoint and knows or can guess the protected routeByHTTPUser value may access a backend protected by httpUser / httpPassword even with an incorrect Proxy-Authorization password. This issue affects deployments that explicitly use routeByHTTPUser. It does not affect ordinary HTTP proxies that do not use this feature. This vulnerability is fixed in 0.68.1.","aliases":[{"alias":"CVE-2026-40910"}],"fixed_packages":[],"affected_packages":[],"references":[{"reference_url":"https://github.com/fatedier/frp/security/advisories/GHSA-pq96-pwvg-vrr9","reference_id":"GHSA-pq96-pwvg-vrr9","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T20:28:44Z/"}],"url":"https://github.com/fatedier/frp/security/advisories/GHSA-pq96-pwvg-vrr9"}],"weaknesses":[{"cwe_id":287,"name":"Improper Authentication","description":"When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct."}],"exploits":[],"severity_range_score":"6.5 - 6.5","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7n9u-7bzx-w7e7"}