CVE-2026-41940: Critical cPanel & WHM Authentication Bypass Under Active Exploitation

A critical authentication bypass vulnerability in cPanel and WHM (CVE-2026-41940) lets unauthenticated attackers gain root-level administrative access to affected servers. The flaw carries a CVSS score of 9.8, affects all supported versions of cPanel and WHM released after v11.40, and is being actively exploited in the wild. If you run cPanel or WebHost Manager (WHM), patch to a fixed build immediately and assume any unpatched server may already be compromised.

What is CVE-2026-41940?

CVE-2026-41940 is an authentication bypass in the login and session-loading flow of cPanel and WHM, the web hosting control panel platform that manages an estimated 70 million domains worldwide. The vulnerability stems from a CRLF injection that lets an attacker manipulate session files written to disk before authentication completes. By injecting carriage-return and line-feed characters into a malicious request, an attacker can plant fake session properties (such as marking themselves as root and as already authenticated) and trick cPanel into granting administrative access on the next request.

cPanel published a security advisory on April 28, 2026, and shipped patches the same day. Security researchers at watchTowr published a technical analysis and proof-of-concept exploit one day later, on April 29.

What products and versions are affected?

The vulnerability affects all supported versions of cPanel and WHM released after v11.40, plus WP Squared, the WordPress hosting platform built on cPanel.

  • cPanel & WHM 110.0.x (versions prior to 11.110.0.97)
  • cPanel & WHM 118.0.x (versions prior to 11.118.0.63)
  • cPanel & WHM 126.0.x (versions prior to 11.126.0.54)
  • cPanel & WHM 132.0.x (versions prior to 11.132.0.29)
  • cPanel & WHM 134.0.x (versions prior to 11.134.0.20)
  • cPanel & WHM 136.0.x (versions prior to 11.136.0.5)
  • WP Squared (versions prior to 136.1.7)

Internet-exposed cPanel installations are the primary risk surface. Rapid7 reports approximately 1.5 million cPanel instances exposed to the internet based on Shodan data, and the Shadowserver Foundation reports roughly 650,000 IPs hosting accessible cPanel or WHM instances.

How severe is it?

CVE-2026-41940 carries a CVSS v3.1 base score of 9.8 (Critical). It requires no authentication, no user interaction, and is exploitable over the network. An attacker only needs HTTPS access to the cPanel or WHM login endpoint (typically TCP 2083 or 2087) to gain full administrative control.

Exploitation is confirmed. CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog on April 30, 2026, with a Federal Civilian Executive Branch remediation deadline of May 3, 2026. KnownHost, a managed cPanel hosting provider, has confirmed in-the-wild exploitation, and reporting from Help Net Security indicates exploitation activity dating back to February 23, 2026, roughly two months before public disclosure. The Shadowserver Foundation is currently observing approximately 44,000 unique IPs scanning, exploiting, or brute-forcing against its honeypot sensors.

In practical terms: this was a zero-day for at least two months, the patch is now public, the technical writeup is public, and weaponized exploit code is circulating. Treat anything older than the fixed build as compromised until proven otherwise.

Are patches available?

Yes. cPanel released patches on April 28, 2026, the same day as the advisory. Update to one of the following builds:

  • cPanel & WHM 11.110.0.97
  • cPanel & WHM 11.118.0.63
  • cPanel & WHM 11.126.0.54
  • cPanel & WHM 11.132.0.29
  • cPanel & WHM 11.134.0.20
  • cPanel & WHM 11.136.0.5
  • WP Squared 136.1.7

Most managed hosting providers (KnownHost, Namecheap, HostPapa, InMotion, hosting.com, and others) deployed the patch within hours of disclosure and temporarily firewalled customer access to cPanel and WHM ports while updates rolled out.

What should you do right now?

  1. Patch immediately to one of the fixed builds above. Servers with automatic updates enabled will pick up the fix through cPanel's /scripts/upcp; on other servers run it manually. Verify the installed build after the upgrade and restart cpsrvd.
  2. If you can't patch immediately, block inbound traffic on TCP ports 2083, 2087, 2095, and 2096 at the firewall, and stop the cpsrvd and cpdavd services. This breaks legitimate access too, so use it as a temporary measure only.
  3. Run cPanel's published indicator-of-compromise script to check for malicious session files on disk. The script is linked from cPanel's advisory.
  4. Assume compromise on any server that was unpatched and internet-exposed before April 28. Rotate every credential the server touched: root and reseller passwords, API tokens, SSL/TLS private keys, SSH keys, mail account passwords, and database passwords. Audit for new accounts, scheduled tasks, web shells, and modified PHP files.
  5. Check upstream. If you use a shared hosting provider, confirm with them that their fleet is patched. Many hosts pushed the update automatically; some did not.

How Halo Security can help

We're here to help our customers find every cPanel and WHM instance across their attack surface so nothing slips through during a fast-moving event like this. With Technology Scanning, you can filter your Technology list by cPanel or WHM and instantly see every affected asset, the version it's running, and whether it sits behind a firewall or is internet-exposed. That turns the question of "are we vulnerable to CVE-2026-41940?" into a two-minute answer instead of a multi-day fire drill.

Because CVE-2026-41940 is now in the CISA KEV catalog, our KEV-prioritization capability automatically surfaces affected assets at the top of your remediation queue, and our continuous discovery flags any newly found cPanel instances you may not have known about, including ones inherited from acquisitions or set up outside formal IT processes. If you're a customer and you'd like a hand confirming your exposure, we're a message away.

FAQ

Is CVE-2026-41940 being actively exploited?

Yes. CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog on April 30, 2026, based on confirmed in-the-wild exploitation. Reporting indicates attackers began exploiting the flaw as early as February 23, 2026, roughly two months before public disclosure.

How do I know if my cPanel server is affected?

If your cPanel or WHM build is older than 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5 (matching your release branch), or if you run WP Squared older than 136.1.7, you are affected. Run /usr/local/cpanel/cpanel -V to check the installed build, and run cPanel's published IoC script to look for malicious session files.
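The "verify the installed build" step in the checklist above and this FAQ answer both come down to comparing a build string against the per-branch fixed builds. The script below is an added example, not cPanel's own tooling: it encodes the fixed-build table from the advisory text on this page, parses the output of the `/usr/local/cpanel/cpanel -V` command the FAQ recommends, and classifies the server. The sample build strings are constructed; WP Squared's three-part version is not handled here.

```python
"""Classify a cPanel & WHM build against the CVE-2026-41940 fixed builds.

Added example (not cPanel's own code). The fixed-build table is taken from
the advisory text on this page; sample build strings are constructed.
"""
import re
import subprocess

# Minimum patched build per release branch, keyed by the branch number,
# i.e. the second component of the 11.x.y.z build string.
FIXED_BUILDS = {
    110: (11, 110, 0, 97),
    118: (11, 118, 0, 63),
    126: (11, 126, 0, 54),
    132: (11, 132, 0, 29),
    134: (11, 134, 0, 20),
    136: (11, 136, 0, 5),
}

_BUILD_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_build(text):
    """Extract the four-part build tuple from text such as '11.118.0.52'."""
    m = _BUILD_RE.search(text)
    if not m:
        raise ValueError(f"no cPanel build number found in {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(text):
    """Return 'patched', 'vulnerable' or 'unsupported-branch' for a build string."""
    build = parse_build(text)
    fixed = FIXED_BUILDS.get(build[1])
    if fixed is None:
        # Branch absent from the advisory's fix list: no patched build exists
        # for it, so treat the host as exposed and plan a branch upgrade.
        return "unsupported-branch"
    # Tuple comparison is lexicographic, so 11.118.0.9 < 11.118.0.63 as expected.
    return "patched" if build >= fixed else "vulnerable"


def installed_build():
    """Query the local cPanel binary, the command the FAQ above recommends."""
    proc = subprocess.run(["/usr/local/cpanel/cpanel", "-V"],
                          capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    print(assess(installed_build()))
```

Run it on each host in your fleet; anything reporting `vulnerable` or `unsupported-branch` belongs in the "assume compromise" workflow from the checklist, not just the patch queue.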

Was this a zero-day?

In effect, yes. Public reporting indicates exploitation was observed in the wild approximately two months before cPanel published its advisory and patch on April 28, 2026. Any internet-exposed cPanel server that was unpatched during that window should be treated as potentially compromised.

Do I need to patch immediately if my cPanel server isn't internet-exposed?

If your cPanel or WHM interface is firewalled to internal IPs only, your immediate exposure is lower, but you should still patch as soon as practical. Lateral movement from a compromised host inside the network would let an attacker reach the cPanel interface from a trusted source. We recommend patching within days, not weeks.

How is this different from other cPanel vulnerabilities?

This is a pre-authentication flaw that grants direct root-level administrative access with no credentials required, affecting every supported branch. Most cPanel CVEs in recent years have required some level of authentication or have affected narrower components. The combination of unauthenticated remote access, broad version coverage, and confirmed pre-disclosure exploitation makes CVE-2026-41940 unusually severe.

Get visibility into your cPanel exposure

Want to see every cPanel and WHM instance across your attack surface in minutes? Halo Security's external vulnerability management platform finds them automatically, flags affected versions, and prioritizes KEV-listed CVEs at the top of your queue. Start with a free trial or book a quick demo to see your real exposure.