Advisory: CVE-2026-41940 — Critical cPanel & WHM Authentication Bypass Actively Exploited in the Wild

CVE-2026-41940 is a critical authentication bypass vulnerability affecting cPanel & WHM, including DNSOnly, and WP Squared. The vulnerability affects cPanel versions after 11.40 and allows an unauthenticated remote attacker to gain unauthorized access to the affected control panel. cPanel has released patched versions, and CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on April 30, 2026, with a remediation due date of May 3, 2026.

For organizations that host websites, client portals, webmail, databases, or business applications on cPanel-managed infrastructure, this should be treated as an emergency patching event. Successful exploitation can give attackers administrative control over hosting environments, which may lead to website compromise, database theft, credential harvesting, malware deployment, ransomware activity, or full server takeover. cPanel & WHM systems expose root-level administration through WHM, while cPanel provides access to websites, webmail, and databases.

Why This Matters

cPanel is widely used by hosting providers, SMEs, agencies, developers, schools, churches, ecommerce operators, and small financial platforms to manage websites and hosting environments. That makes CVE-2026-41940 more than a “server admin problem.” It is a supply-chain-style exposure for every organization whose web presence depends on shared or managed hosting.

The vulnerability is especially dangerous because it is:

Affected Products

According to cPanel’s official advisory, the issue affects all cPanel software versions after 11.40, including DNSOnly. cPanel has released patched versions for multiple branches, including:

• 11.86.0.41 and higher

• 11.94.0.28 and higher

• 11.102.0.39 and higher

• 11.110.0.97 and higher

• 11.118.0.63 and higher

• 11.124.0.35 and higher

• 11.126.0.54 and higher

• 11.130.0.19 and higher

• 11.132.0.29 and higher

• 11.134.0.20 and higher

• 11.136.0.5 and higher

For WP Squared, the patched version is 136.1.7 and higher. cPanel also notes that later versions are patched as well.

Technical Overview

At a high level, CVE-2026-41940 is an authentication bypass in the cPanel & WHM login flow. Rapid7 describes the issue as involving CRLF injection in the login and session loading process, where session handling behavior can allow attacker-controlled data to be written into session files before authentication is completed. Under certain conditions, this can result in administrative access being established without valid credentials.

The important point for defenders is not the exploit mechanics. The important point is this: if an affected cPanel or WHM interface is reachable from the internet and is not patched, it should be considered at serious risk.

Known Exploitation

This vulnerability is not theoretical. CISA has listed CVE-2026-41940 in the Known Exploited Vulnerabilities catalog, which means there is evidence of in-the-wild exploitation. NVD’s CISA KEV update shows the vulnerability was added on April 30, 2026, with a due date of May 3, 2026, and a required action to apply vendor mitigations, follow applicable cloud-service guidance, or discontinue use if mitigations are unavailable.

CIS also reports active exploitation, public proof-of-concept availability, and post-compromise activity including ransomware, Mirai botnet installation, credential harvesting, and espionage-related activity.

Immediate Actions for System Administrators

1. Patch immediately

Run the cPanel update script:

/scripts/upcp --force

After updating, verify the installed cPanel version and restart cpsrvd:

/usr/local/cpanel/cpanel -V
/scripts/restartsrv_cpsrvd --hard

These are the official required actions from cPanel’s advisory.

2. Check for pinned or disabled updates

Some servers may not auto-update if update settings were disabled or pinned to a specific version. cPanel specifically warns administrators to identify and manually update these systems as a priority. For CentOS 7 or CloudLinux 7 systems, cPanel states that administrators need to set the version to 11.110.

3. Apply temporary mitigations if patching is not immediately possible

If immediate patching is not possible, cPanel recommends blocking inbound traffic to the affected management ports and disabling Service Subdomains. The ports listed in the advisory include:

• 2083

• 2087

• 2095

• 2096

cPanel also lists stopping cpsrvd and cpdavd as another mitigation path where necessary. These mitigations should be treated as temporary controls, not replacements for patching.

4. Run cPanel’s detection script

cPanel provides a detection script named ioc_checksessions_files.sh to check for indicators of compromise in session files under /var/cpanel/sessions and references /usr/local/cpanel/logs/access_log as part of its checking logic. Administrators should use the latest version from the vendor advisory because cPanel updated the script multiple times to reduce false positives.

5. Treat suspicious findings as a potential server compromise

If the detection script flags suspicious sessions, do not stop at patching. Assume the attacker may have accessed WHM-level capabilities. At minimum:

• Preserve logs before cleanup.

• Review WHM/cPanel account activity.

• Check for newly created users, API tokens, SSH keys, cron jobs, web shells, and unexpected packages.

• Rotate WHM root credentials, cPanel account passwords, database passwords, FTP/SFTP credentials, API keys, and email credentials.

• Review hosted websites for injected scripts, malicious redirects, unauthorized plugins, and modified .htaccess files.

• Check outbound connections and recently modified files.

• Review backups before restoring anything.

Guidance for Business Owners Using Shared Hosting

Many organizations do not manage their own cPanel servers directly. If your website is hosted by a provider, you should still act.

Ask your hosting provider these questions:

1. Was our hosting server affected by CVE-2026-41940?

2. What cPanel & WHM version is the server currently running?

3. When was it patched?

4. Did you run the vendor detection script?

5. Were any indicators of compromise found?

6. Were cPanel/WHM ports temporarily restricted during the patching window?

7. Should we rotate our website, email, database, FTP, and admin credentials?

8. Can you provide confirmation that our account, files, database, and email accounts were not modified?

For regulated organizations, fintechs, schools, healthcare providers, ecommerce companies, and NGOs handling personal data, this should also trigger a data exposure review.

OurAdvisory Position

CVE-2026-41940 is a reminder that many organizations still treat hosting panels as “background infrastructure,” when in reality they are high-value administrative control planes. A single hosting control panel compromise can become a website breach, email breach, credential breach, database breach, and reputational incident at the same time.

Our recommendation is simple:

Do not expose critical administrative panels to the public internet unless there is a strong business reason and compensating controls are in place.

Organizations should consider:

• IP allowlisting for WHM/cPanel administration.

• VPN or zero-trust access before administrative login pages.

• Strong MFA for hosting and email accounts.

• Centralized logging for hosting environments.

• File integrity monitoring for web roots.

• Routine credential rotation.

• Separation of production websites across accounts or servers.

• Regular backup testing.

• External attack surface monitoring for exposed admin services.

Detection and Monitoring Priorities

Security teams should look for:

• Internet-exposed cPanel/WHM services on ports 2082, 2083, 2086, 2087, 2095, and 2096. Censys lists these as common/default cPanel, WHM, and webmail ports.

• Unexpected WHM logins or administrative actions.

• Suspicious session files under /var/cpanel/sessions.

• New WHM API tokens.

• New cPanel users or modified privileges.

• Unexpected changes in /home/*/public_html.

• Recently modified PHP files, .htaccess files, cron jobs, SSH authorized keys, and webmail accounts.

• Outbound connections from the hosting server to suspicious infrastructure.

• Unusual email-sending spikes that may indicate spam abuse.

• Website redirects to phishing pages or malware delivery infrastructure.

Incident Response Checklist

If you suspect exploitation:

1. Isolate the server from public administrative access.

2. Preserve evidence: logs, session files, process lists, network connections, cron jobs, user lists, and file timestamps.

3. Patch cPanel/WHM to a fixed version.

4. Run the official detection script from cPanel.

5. Rotate all credentials associated with WHM, cPanel, databases, SSH, FTP/SFTP, email, CMS admins, and third-party integrations.

6. Review all hosted websites for web shells, malicious plugins, injected JavaScript, and unauthorized admin accounts.

7. Check backups and confirm whether clean restore points exist.

8. Monitor for reinfection after cleanup.

9. Notify affected customers or stakeholders if data access or website compromise is confirmed.

10. Document the incident for compliance, insurance, and future hardening.

Recommendation

CVE-2026-41940 should be handled as an emergency vulnerability for any organization running cPanel & WHM, WP Squared, or hosting infrastructure managed by a third party. The vulnerability is critical, remotely exploitable, actively exploited, and affects a widely deployed administrative platform.

Patch immediately. Verify the version. Run the official detection script. Restrict administrative exposure. Rotate credentials where compromise is suspected. For organizations that depend on hosting providers, demand written confirmation of patching and compromise checks.

At The Birdling, we recommend that organizations use this incident as a trigger to reassess their broader hosting security posture. The goal is not only to survive CVE-2026-41940, but to reduce the impact of the next pre-authentication flaw before it appears.