★ 9/10 · Security · 2026-04-29

Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately

Summary

A critical authentication bypass vulnerability, identified as CVE-2026-41940, affects all currently supported versions of cPanel and WebHost Manager (WHM). The flaw lets an unauthenticated remote attacker obtain administrative access to the control panel and, from there, take full control of the server.

Key Points

  • CVE Identifier: CVE-2026-41940 (CVSS score 9.8/10.0).
  • Affected Software: all supported versions of cPanel and WHM after version 11.40, including WP Squared version 136.1.7.
  • Patched Versions: 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20 and 11.136.0.5. A build below the patched release for its branch is still vulnerable.
  • Exploitation Status: confirmed zero-day exploitation; the vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
  • Remediation: run the cPanel update script /scripts/upcp --force, then confirm that the installed build is at or above the patched version for its branch and that cpsrvd has restarted on the new build.
  • Temporary Mitigations: block inbound traffic to TCP ports 2083, 2087, 2095 and 2096 at the firewall (the plaintext equivalents 2082 and 2086 are served by the same daemon and should be blocked as well if they are exposed), or stop the cpsrvd and cpdavd services. Either measure takes the control panel offline for customers until the update is applied.
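As an added check (not part of this advisory or of cPanel's own tooling), the following Python script decides whether an installed build is at or above the patched release listed above for its branch. It assumes cPanel records the running build as a single dotted version string in /usr/local/cpanel/version; the patched list is copied from the bullet above, and WP Squared's separate numbering (136.1.7) is not handled.

```python
"""Added check, not cPanel's own tooling: compare the installed cPanel/WHM
build against the patched releases listed in the advisory.

Assumption: the running build is recorded as one dotted version string
(e.g. "11.110.0.97") in /usr/local/cpanel/version.
"""
import sys
from pathlib import Path

# release branch (major, minor) -> first patched build, from the advisory
PATCHED_BUILDS = {
    (11, 86): (11, 86, 0, 41),
    (11, 110): (11, 110, 0, 97),
    (11, 118): (11, 118, 0, 63),
    (11, 126): (11, 126, 0, 54),
    (11, 130): (11, 130, 0, 19),
    (11, 132): (11, 132, 0, 29),
    (11, 134): (11, 134, 0, 20),
    (11, 136): (11, 136, 0, 5),
}


def parse_version(text: str) -> tuple:
    """Turn "11.110.0.97" into (11, 110, 0, 97); refuse anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected cPanel version string: {text!r}")
    return tuple(int(p) for p in parts)


def patch_status(version: str) -> str:
    """'patched', 'vulnerable', or 'no-patch-listed' when the advisory names
    no fixed build for this branch (treat that as: upgrade the branch)."""
    build = parse_version(version)
    fixed = PATCHED_BUILDS.get(build[:2])
    if fixed is None:
        return "no-patch-listed"
    # tuple comparison is numeric per component, so 11.136.0.12 >= 11.136.0.5
    return "patched" if build >= fixed else "vulnerable"


def installed_status(version_file: str = "/usr/local/cpanel/version") -> str:
    """Read the build recorded on this host and classify it."""
    return patch_status(Path(version_file).read_text())


if __name__ == "__main__":
    # optional argument: alternate path to the version file
    status = installed_status(*sys.argv[1:2])
    print(status)
    # non-zero exit so the check can gate a cron job or remediation playbook
    sys.exit(0 if status == "patched" else 1)
```

Run it after `/scripts/upcp --force` completes; a non-zero exit means the branch still needs the fix (or a supported branch), and the script exits the same way before and after the update, so it doubles as the verification step.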

Technical Details

The vulnerability is a Carriage Return Line Feed (CRLF) injection in the login and session-loading code of cPanel and WHM. By omitting an expected segment of the whostmgrsession cookie value, an attacker can skip the encryption step that is normally applied to attacker-supplied values, so the attacker's raw bytes reach the code that writes the session.

Injecting literal \r\n characters through a crafted HTTP Basic Authorization header then lets the attacker control what cpsrvd (the cPanel service daemon) writes when it creates a new session file on disk. Because the daemon does not sanitize that data, the injected line break starts a new property in the file, and the attacker can add arbitrary properties such as user=root. When the session is subsequently reloaded, those properties are honoured and the attacker holds an administrator-level session.

Indicators of Compromise (IoCs), as observed in session data:
- Sessions containing both token_denied AND cp_security_token with method=badpass origin.
- Pre-authenticated sessions containing authenticated attributes.
- Sessions with tfa_verified but no valid origin.
- Password fields containing newline characters.
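The mechanism in the two paragraphs above and the indicator list can be shown together. The following Python is an added, simplified model and is not cPanel's code: the session file is modelled as one key=value pair per line, the field names (pass, origin, tfa_verified, authenticated, token_denied, cp_security_token) and the sample sessions are constructed for the example, and everything runs offline. It shows why unsanitized CR/LF in one value becomes a second property, how a writer that rejects control characters closes the hole, and a scan that flags each of the four indicators above.

```python
"""Added illustration, not cPanel's code: a minimal model of the CRLF
session-injection class described in the advisory, its hardened
equivalent, and a scan for the listed indicators of compromise.

Assumptions: the session file is modelled as one key=value pair per line
(cPanel's real on-disk format is not reproduced); the field names and the
sample sessions below are constructed.
"""
import re

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def write_session_vulnerable(fields: dict) -> str:
    """Model of the flaw: attacker-controlled values reach the file verbatim,
    so a value containing "\\r\\nuser=root" becomes a new line of the file."""
    return "".join(f"{key}={value}\n" for key, value in fields.items())


def write_session_hardened(fields: dict) -> str:
    """Reject any key or value carrying CR, LF or other control bytes before
    it can alter the line structure of the session file."""
    for key, value in fields.items():
        if CONTROL_CHARS.search(f"{key}{value}"):
            raise ValueError(f"control character in session field {key!r}")
    return "".join(f"{key}={value}\n" for key, value in fields.items())


def load_session(blob: str) -> dict:
    """Reload a session file the naive way: the last definition of a key
    wins, which is what lets an injected user=root override the login."""
    session = {}
    for line in blob.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            session[key] = value
    return session


def session_indicators(fields: dict, pre_auth: bool = False) -> list:
    """Return the advisory's IoCs matched by a session dict (or by the raw
    login fields, which still hold the unescaped newline)."""
    hits = []
    origin = fields.get("origin", "")
    if ("token_denied" in fields and "cp_security_token" in fields
            and "method=badpass" in origin):
        hits.append("token_denied and cp_security_token with method=badpass origin")
    if pre_auth and "authenticated" in fields:
        hits.append("pre-authenticated session carries authenticated attribute")
    if fields.get("tfa_verified") and not origin:
        hits.append("tfa_verified without a valid origin")
    if any("\n" in v or "\r" in v for k, v in fields.items() if "pass" in k):
        hits.append("password field contains newline characters")
    return hits


# Constructed login attempt: the password smuggles a second line into the file.
MALICIOUS_LOGIN = {"user": "guest", "pass": "hunter2\r\nuser=root"}

# Constructed session contents for the scanner: (fields, is_pre_auth).
SAMPLE_SESSIONS = {
    "benign": ({"user": "alice", "origin": "method=form_login", "tfa_verified": "1"}, False),
    "badpass": ({"user": "bob", "origin": "method=badpass",
                 "token_denied": "1", "cp_security_token": "/cpsess0001"}, False),
    "no_origin": ({"user": "carol", "tfa_verified": "1"}, False),
    "preauth": ({"user": "dave", "authenticated": "1"}, True),
}


def demo() -> dict:
    """Run the injection against both writers and scan the samples."""
    injected = load_session(write_session_vulnerable(MALICIOUS_LOGIN))
    try:
        write_session_hardened(MALICIOUS_LOGIN)
        hardened_blocked = False
    except ValueError:
        hardened_blocked = True
    return {
        "vulnerable_user": injected["user"],  # "root": the injected line won
        "hardened_blocked": hardened_blocked,  # True: write refused
        "login_iocs": session_indicators(MALICIOUS_LOGIN),
        "session_iocs": {name: session_indicators(fields, pre)
                         for name, (fields, pre) in SAMPLE_SESSIONS.items()},
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The scanner is deliberately run over both the raw login fields and the reloaded session: once the file has been written, the injected newline is indistinguishable from a legitimate line break, so the "password contains newline" indicator is only visible where the original request value is still intact, while the other three are properties of the resulting session.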

Impact / Why It Matters

Successful exploitation gives the attacker root-level administrative access to the server: every hosted customer account, including its files and databases, can be read or modified, malware can be installed, and the foothold can be used to pivot into the hosting customers' internal networks.
