A severe vulnerability in the world’s most widely used web hosting control panel is being actively exploited. Here’s what it is, who is affected, and what to do right now.
Actively exploited
2 May 2026
Heads up
This vulnerability was exploited in the wild as a zero-day for roughly two months before a patch was released. If you run cPanel or WHM, you should treat your server as potentially compromised until patched and investigated.
What is this vulnerability?
CVE-2026-41940 is an authentication bypass in cPanel and WHM – the control panel software used to manage a significant portion of the world’s shared web hosting servers. With a CVSS score of 9.8 out of 10, it is rated critical.
The vulnerability allows a remote attacker with no credentials whatsoever to gain full root-level administrative access to an affected server. No username. No password. No prior access needed.
It works by exploiting a flaw in how cPanel’s service daemon writes session files to disk. An attacker can inject raw line-break characters (known as a CRLF injection) via a malicious login request, manipulating the session file to include arbitrary properties – such as setting themselves as the root user – before any authentication takes place.
Who is affected?
This affects anyone running cPanel and WHM or WP Squared (a managed WordPress hosting platform built on cPanel). It is not limited to a specific release – all supported versions after v11.40 were vulnerable until the emergency patches released on 28 April 2026.
If your web host manages your server using cPanel, your host is responsible for patching. If you self-manage a VPS or dedicated server with cPanel installed, you need to act immediately.
What to do right now
1. Patch immediately
Update to the patched version for your release track. After updating, restart the cpsrvd service to ensure the fix is fully applied.
| Product | Vulnerable before | Patched version |
|---|---|---|
| cPanel/WHM 11.110.0 | < 11.110.0.97 | 11.110.0.97 |
| cPanel/WHM 11.118.0 | < 11.118.0.63 | 11.118.0.63 |
| cPanel/WHM 11.126.0 | < 11.126.0.54 | 11.126.0.54 |
| cPanel/WHM 11.132.0 | < 11.132.0.29 | 11.132.0.29 |
| cPanel/WHM 11.134.0 | < 11.134.0.20 | 11.134.0.20 |
| cPanel/WHM 11.136.0 | < 11.136.0.5 | 11.136.0.5 |
| WP Squared | < 136.1.7 | 136.1.7 |
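A quick way to check whether an installed build is already past the fix for its release track, as an added example (not cPanel's own tooling). It reads the table above, assumes the conventional version file path `/usr/local/cpanel/version`, and compares version components as integers, because a plain string comparison gets builds such as 11.110.0.100 wrong.

```python
"""Check an installed cPanel/WHM build against the patched versions in the
table above. Added example, not cPanel's own tooling; the version file path
is the conventional one and is ASSUMED. Only the 11.x tracks listed in the
table are covered (WP Squared uses a different numbering)."""

VERSION_FILE = "/usr/local/cpanel/version"  # ASSUMED location

# Release track (first three components) -> first patched build, from the table.
PATCHED = {
    (11, 110, 0): (11, 110, 0, 97),
    (11, 118, 0): (11, 118, 0, 63),
    (11, 126, 0): (11, 126, 0, 54),
    (11, 132, 0): (11, 132, 0, 29),
    (11, 134, 0): (11, 134, 0, 20),
    (11, 136, 0): (11, 136, 0, 5),
}

def parse_version(text):
    """'11.126.0.40' -> (11, 126, 0, 40). Compare as integer tuples: as strings,
    '11.110.0.100' would sort *below* the patched '11.110.0.97'."""
    return tuple(int(part) for part in text.strip().split("."))

def assess(version_text):
    """'patched', 'vulnerable', or 'unknown-track' for builds outside the table
    (end-of-life or unlisted tracks need a manual check against the advisory)."""
    version = parse_version(version_text)
    first_fixed = PATCHED.get(version[:3])
    if first_fixed is None:
        return "unknown-track"
    return "patched" if version >= first_fixed else "vulnerable"

def assess_installed(path=VERSION_FILE):
    """Read the installed version from disk and assess it."""
    with open(path) as fh:
        return assess(fh.read())

if __name__ == "__main__":
    print(assess_installed())
```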
2. If you cannot patch immediately, block these ports
Restrict external access to the following ports via your firewall until patching is complete:
- 2083 (cPanel SSL)
- 2086 (WHM)
- 2087 (WHM SSL)
- 2095 (Webmail)
- 2096 (Webmail SSL)
Strong recommendation
Even after patching, consider permanently restricting WHM and SSH access to known, trusted IP addresses only. This eliminates an entire category of future attack surface for your server’s management interfaces.
3. Check for signs of compromise
- Review server logs for suspicious logins or unusual activity on cPanel/WHM ports
- Rotate all root and admin credentials – your old passwords should be considered compromised
- Check for any new or unexpected cPanel/WHM accounts or API tokens
- Review website files and databases hosted on the server for unexpected changes
- Check for any new SSH keys added to the server
Official advisory
Read the full guidance directly from cPanel: CVE-2026-41940 Security Update
Why is this so serious?
Compromising WHM is effectively compromising the entire host server. On a shared hosting environment, that means every website, email account, and database for every customer on that server. Security researchers have estimated roughly 650,000 cPanel/WHM instances are publicly accessible on the internet, and exploitation has been confirmed in the wild since at least February 2026 – well before cPanel issued any advisory or patch.
CISA (the US Cybersecurity and Infrastructure Security Agency) has added this vulnerability to its Known Exploited Vulnerabilities catalog, which is reserved for vulnerabilities with confirmed, active real-world exploitation.
Technical deep-dive
This section is aimed at developers, sysadmins, and security teams who want to understand exactly how the vulnerability works. Understanding the root cause helps with both detection and appreciating why a full credential rotation is necessary even after patching.
Background: how cPanel session files work
cPanel’s core service daemon, cpsrvd, handles authentication for both cPanel and WHM. When a login attempt is made – even an unsuccessful one – cpsrvd writes a new session file to disk before any credential validation occurs. These session files are flat key-value text files stored on the server filesystem, and they contain properties like the authenticated username, session token, and access level.
cPanel stores session data in two places simultaneously: a raw text session file and a JSON cache. This dual-storage approach is central to why the exploit works.
The vulnerability: CRLF injection in session file writing
The flaw is a CRLF injection – CRLF stands for Carriage Return Line Feed (\r\n), which is the standard line break in network protocols and many file formats. The attack works as follows:
- An attacker sends a login request to port 2087 (WHM) with a crafted `Authorization` header containing raw `\r\n` characters in the password field.
- Before authentication occurs, `cpsrvd` writes a session file based on the request data. Because the input is not sanitised, the injected line breaks cause the session file to contain attacker-controlled key-value pairs on new lines – including properties like `user=root`.
- The attacker also manipulates the `whostmgrsession` cookie value by omitting an expected segment. This causes cPanel to skip the encryption step that would normally be applied to the session data – meaning the raw injected values are trusted as-is.
- Due to a race condition between the raw session file and the JSON cache, the injected data persists into the authenticated session store. cPanel’s authentication layer then reads this session and treats the attacker as the root user.
- The attacker now has full WHM root-level access with no valid credentials ever having been supplied.
Key point
This is a pre-authentication vulnerability. There are no credentials to steal or brute-force. A single crafted HTTP request is sufficient to gain root access. Attack complexity is rated LOW by CVSS, and a public proof-of-concept has been available since 29 April 2026.
What an attacker can do with WHM root access
WHM provides the highest level of access on a cPanel-managed server. Once inside, an attacker can:
- Access, modify, or delete every website, database, and email account hosted on the server
- Create new WHM or cPanel accounts with persistent backdoor access
- Add SSH keys to maintain access even after password changes
- Install malware, web shells, or cryptominers at the OS level
- Exfiltrate customer data, credentials, and private SSL keys
- Pivot to other servers on the same network
- Modify DNS records to redirect traffic
CWE classification and CVSS breakdown
The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function). The full CVSS 3.1 vector is:
`AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`

| Metric | Value | Meaning |
|---|---|---|
| AV:N | Network | Exploitable remotely over the internet |
| AC:L | Low complexity | No special conditions or timing required |
| PR:N | No privileges | Attacker needs zero existing access |
| UI:N | No user interaction | No victim needs to click anything |
| C:H / I:H / A:H | High / High / High | Full compromise of confidentiality, integrity, and availability |
Indicators of compromise (IoCs)
When investigating a potentially compromised server, focus on the following:
- Unusual session files – check `/var/cpanel/sessions/` for session files with unexpected properties or timestamps
- WHM access logs – review `/usr/local/cpanel/logs/access_log` for requests to `/login/` with unusual Authorization headers, particularly around port 2087
- New SSH keys – check `/root/.ssh/authorized_keys` and all user home directories for keys added after February 2026
- New cPanel accounts – audit all WHM accounts for any created unexpectedly, especially those with reseller or root privileges
- Cron jobs – review `/etc/cron*` and `/var/spool/cron/` for unexpected scheduled tasks
- Web shells – scan public web directories for PHP files with base64-encoded payloads or unusual creation dates
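Covering both step 3 above and the session-file indicator here, an added heuristic scanner (not cPanel's tooling) that flags session files carrying the traces a CRLF-injected write would leave: stray carriage returns and a key written twice. It assumes a key=value-per-line layout, which the advisory only describes as flat key-value text, and the two sample files are constructed.

```python
"""Heuristic scan of cPanel session files for traces of the CVE-2026-41940 CRLF
injection. Added example, not cPanel's tooling; key=value-per-line layout ASSUMED."""
import os
from collections import Counter

SESSION_DIR = "/var/cpanel/sessions"  # location named in the advisory
# Constructed samples: a clean file has one value per key and no \r; in the
# injected one the attacker's \r\n split a field into extra lines, leaving a
# duplicate key (the later value wins on read) and stray carriage returns.
BENIGN = "user=alice\ntoken=abc123\n"
INJECTED = "user=alice\r\nuser=root\r\ntoken=abc123\n"

def parse_session(text):
    """Ordered (key, value) pairs, duplicates kept so they can be flagged."""
    pairs = []
    for line in text.split("\n"):
        if line.strip():
            key, sep, value = line.partition("=")
            pairs.append((key.strip(), value if sep else ""))
    return pairs

def findings(text):
    """Human-readable reasons a session file looks tampered with."""
    reasons = []
    if "\r" in text:
        reasons.append("carriage return inside session file")
    pairs = parse_session(text)
    for key, n in Counter(k for k, _ in pairs).items():
        if n > 1:
            reasons.append(f"duplicate key '{key}' ({n} occurrences)")
    if any(k == "user" and v.strip() == "root" for k, v in pairs):
        reasons.append("session claims user=root")  # normal for a real root login
    return reasons

def is_suspicious(text):
    """True only on structural signals; user=root alone is not evidence."""
    return any(r.startswith(("carriage", "duplicate")) for r in findings(text))

def scan_directory(root=SESSION_DIR):
    """Suspicious file paths under root -> findings (newline='' keeps \r visible)."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace", newline="") as fh:
                text = fh.read()
            if is_suspicious(text):
                hits[path] = findings(text)
    return hits
```

Run it as root on the server and review every hit by hand; a hit is a lead for the wider investigation in step 3, not proof of compromise on its own.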
Disclosure timeline
For further reading
The original root cause analysis and proof-of-concept were published by Sina Kheirkhah at watchTowr Labs. If you want the full technical deep-dive including exploit walkthrough, their writeup is the definitive reference: labs.watchtowr.com
Need help securing your server?
If you’re a Vetta customer (or want to be!), we’re here to assist – from checking whether your server is patched, to forensic investigation for signs of compromise, to locking down SSH and WHM access to trusted IPs only. Get in touch with our team.