
A critical authentication bypass vulnerability in cPanel & WHM is being actively exploited, allowing remote attackers to gain full administrative access to affected servers without credentials.
The flaw, tracked as CVE-2026-41940, has received a near-maximum severity score and impacts millions of internet-facing systems.
The issue was disclosed by cPanel on April 28, 2026, and assigned a CVE identifier the following day, with additional technical analysis published by Rapid7 and watchTowr. According to Rapid7’s report, the vulnerability stems from improper handling of session loading and saving, enabling unauthenticated attackers to bypass login controls and take over servers. Hosting provider KnownHost confirmed that exploitation has already been observed in the wild, with evidence suggesting attacks may date back to February 2026.
cPanel & WHM is one of the most widely deployed web hosting control panels, used to manage servers, websites, email, and databases across shared and enterprise hosting environments. WHM provides root-level administrative access, while cPanel serves as the user interface for individual site owners. Given its central role in hosting infrastructure, powering tens of millions of domains, successful exploitation of this vulnerability effectively grants attackers “keys to the kingdom,” allowing them to control hosted websites, access sensitive data, and modify server configurations.
Technical analysis from watchTowr shows that the flaw is caused by a combination of a CRLF (carriage return line feed) injection and flawed session-handling logic. In simple terms, attackers can manipulate session cookies and inject malicious input into session files created by the cpsrvd daemon before authentication completes. By crafting a malicious request, an attacker can insert arbitrary parameters, such as user=root, into the session data, tricking the system into treating them as an authenticated administrator.
Crucially, the vulnerability allows attackers to bypass password verification entirely by injecting specific session attributes that signal a successful login. This enables full administrative access without needing valid credentials. Public proof-of-concept (PoC) exploit code has already been released, significantly lowering the barrier to exploitation and increasing the likelihood of widespread attacks.
Systems running cPanel & WHM are vulnerable if unpatched. A Shodan search suggests that approximately 1.5 million exposed instances could be at risk. With exploitation already confirmed and technical details now public, security researchers expect mass scanning and opportunistic attacks to follow.
cPanel has released patches addressing the issue across multiple supported versions, including:
- 11.110.0.97
- 11.118.0.63
- 11.126.0.54
- 11.132.0.29
- 11.134.0.20
- 11.136.0.5
WP Squared version 11.136.1.7 is also patched. Systems running older or unsupported versions may remain exposed.
As an interim response, some hosting providers temporarily blocked access to cPanel and WHM ports (2083 and 2087) across their networks to limit exposure while patches were deployed.
Administrators are strongly advised to apply updates immediately using the built-in cPanel update mechanism and verify that systems are running a patched version.
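As an added example (not from the article, cPanel, or any of the cited researchers), the following Python script classifies an installed cPanel & WHM build against the minimum patched builds listed above, so the "verify that systems are running a patched version" step can be scripted across a fleet; reading the build from /usr/local/cpanel/version is an assumption about where the installed version is recorded.

```python
import re
import sys

# Minimum patched builds per release branch, exactly as listed in the article
# (cPanel & WHM 11.110 through 11.136, plus the WP Squared 11.136.1 branch).
# The branch key is the first three version components.
PATCHED_MIN = {
    (11, 110, 0): (11, 110, 0, 97),
    (11, 118, 0): (11, 118, 0, 63),
    (11, 126, 0): (11, 126, 0, 54),
    (11, 132, 0): (11, 132, 0, 29),
    (11, 134, 0): (11, 134, 0, 20),
    (11, 136, 0): (11, 136, 0, 5),
    (11, 136, 1): (11, 136, 1, 7),  # WP Squared
}

_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def parse_version(text: str) -> tuple:
    """Turn '11.126.0.54' into (11, 126, 0, 54); reject anything else."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a four-part cPanel version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def assess(version_text: str) -> str:
    """Classify an installed build as 'patched', 'unpatched', or
    'unsupported-branch' (a branch with no fix listed, which the article
    notes may remain exposed)."""
    version = parse_version(version_text)
    minimum = PATCHED_MIN.get(version[:3])
    if minimum is None:
        return "unsupported-branch"
    # Tuple comparison orders builds component by component within the branch.
    return "patched" if version >= minimum else "unpatched"


if __name__ == "__main__":
    # Assumption: the installed build is recorded in /usr/local/cpanel/version;
    # a version string passed as argv[1] overrides the file for remote checks.
    if len(sys.argv) > 1:
        text = sys.argv[1]
    else:
        with open("/usr/local/cpanel/version") as fh:
            text = fh.read()
    print(f"{text.strip()}: {assess(text)}")
```

A build on a branch that is not in the table is reported separately rather than as patched, since the article notes that older or unsupported versions may remain exposed.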
