cPanel & WHM Multiple Vulnerabilities Leading to Privilege Escalation
Multiple vulnerabilities in cPanel & WHM and WP Squared allow authenticated users to escalate privileges, execute arbitrary code, and cause denial-of-service conditions by exploiting improper input validation and unsafe symlink handling.
Multiple vulnerabilities have been identified in cPanel & WHM versions 11.136.0.8 and lower, 11.134.0.24 and lower, 11.132.0.30 and lower, 11.130.0.21 and lower, 11.126.0.57 and lower, 11.124.0.36 and lower, 11.118.0.65 and lower, 11.110.0.115 and lower, 11.110.0.116 and lower, 11.102.0.40 and lower, 11.94.0.29 and lower, 11.86.0.42 and lower, and WP Squared version 11.136.1.9 and higher. These vulnerabilities include a Perl code injection flaw in the create_user API call (CVE-2026-29201), an unsafe symlink handling error that allows arbitrary file modification (CVE-2026-29202), and an arbitrary file read vulnerability in the feature::LOADFEATUREFILE adminbin call (CVE-2026-29203). Successful exploitation of these vulnerabilities can lead to privilege escalation, arbitrary code execution, and denial-of-service conditions.
Attack Chain
- An authenticated user logs into cPanel & WHM.
- The user crafts a malicious create_user API call, injecting Perl code into the plugin parameter (CVE-2026-29201).
- The crafted API call is sent to the cPanel & WHM server.
- The server executes the injected Perl code on behalf of the authenticated user’s system account.
- Alternatively, the user exploits the unsafe symlink handling error (CVE-2026-29202) to manipulate file permissions using chmod on arbitrary files via a crafted request.
- The user exploits the feature::LOADFEATUREFILE adminbin call (CVE-2026-29203) by supplying a relative path, causing an arbitrary file to become world-readable.
- The attacker leverages the resulting arbitrary file read to obtain sensitive information.
- The attacker uses the escalated privileges or sensitive information to further compromise the system.
Impact
Successful exploitation of these vulnerabilities can have significant impact. An attacker can execute arbitrary code with the privileges of the cPanel user's system account, potentially compromising the entire hosting environment. The unsafe symlink handling error can lead to denial of service or privilege escalation by changing the permissions of critical system files. The arbitrary file read vulnerability can expose sensitive information, such as configuration files or credentials. The CCB warns of a high impact on confidentiality, integrity, and availability.
Recommendation
- Immediately patch cPanel & WHM and WP Squared to the latest versions to remediate CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203.
- Monitor cPanel & WHM logs for suspicious API calls to create_user with unusual plugin parameters to detect potential CVE-2026-29201 exploitation.
- Implement the Sigma rule “Detect cPanel create_user API Abuse” to identify potential attempts to inject Perl code via the create_user API call.
- Monitor file permission changes, especially those involving chmod, for unusual activity that may indicate exploitation of CVE-2026-29202.
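The following is an added example of the create_user monitoring suggested above; it is not code from the advisory, the vendor, or the detection platform. It assumes a combined-log-style access log line in which the API function name is the last path component of the request target and the parameters are in the query string (POST bodies would not be visible in such a log, so this covers only GET-style calls). The module name in the request path and the log lines themselves are constructed for illustration.

```python
"""
Heuristic detector for CVE-2026-29201-style abuse of the cPanel create_user
API call: flags requests whose `plugin` parameter carries Perl-code
metacharacters instead of a plain plugin name.

Assumptions (not from the advisory): combined-log-style lines, API function
name as the last path component, parameters in the query string.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Assumed log line layout: ip - user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A legitimate plugin identifier is a short alphanumeric token; anything
# else is examined for constructs that would make the value executable Perl.
SAFE_PLUGIN = re.compile(r'^[A-Za-z0-9_.-]{1,64}$')
PERL_CODE_PATTERNS = [
    re.compile(r'\b(?:system|exec|open|eval|unlink)\s*\('),  # dangerous builtins
    re.compile(r'`[^`]*`'),                                   # backtick command substitution
    re.compile(r'\bqx\s*[{(/]'),                              # qx{...} / qx(...) / qx/.../
    re.compile(r'[;{}]'),                                     # statement separator / block delimiters
    re.compile(r'\$\w+'),                                     # scalar interpolation
    re.compile(r'\buse\s+\w+'),                               # module import
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m['target'])
    func = url.path.rstrip('/').rsplit('/', 1)[-1]
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    return {'ip': m['ip'], 'user': m['user'], 'ts': m['ts'],
            'func': func, 'params': params, 'status': int(m['status'])}


def suspicious_plugin_values(params):
    """Return the plugin values that look like Perl code rather than a name."""
    hits = []
    for value in params.get('plugin', []):
        if SAFE_PLUGIN.fullmatch(value):
            continue
        if any(p.search(value) for p in PERL_CODE_PATTERNS):
            hits.append(value)
    return hits


def scan(lines):
    """Return one alert per create_user call whose plugin parameter looks injected."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['func'] != 'create_user':
            continue
        hits = suspicious_plugin_values(rec['params'])
        if hits:
            alerts.append({'user': rec['user'], 'ip': rec['ip'],
                           'ts': rec['ts'], 'plugin': hits})
    return alerts


# Constructed sample log (not real traffic); the /execute/Team/ path is a placeholder.
SAMPLE_LOG = [
    # benign create_user call with an ordinary plugin name
    '203.0.113.5 - alice [12/Mar/2026:10:01:02 +0000] "GET /cpsess123/execute/Team/create_user?username=bob&plugin=webmail HTTP/1.1" 200 512',
    # unrelated API call, ignored by the scanner
    '203.0.113.5 - alice [12/Mar/2026:10:01:05 +0000] "GET /cpsess123/execute/Email/list_pops HTTP/1.1" 200 1024',
    # plugin value that closes a string and calls system() (URL-encoded)
    '198.51.100.9 - mallory [12/Mar/2026:10:02:30 +0000] "GET /cpsess456/execute/Team/create_user?username=x&plugin=foo%22%3Bsystem(%22id%22)%3B%22 HTTP/1.1" 200 512',
    # plugin value using backtick command substitution
    '198.51.100.9 - mallory [12/Mar/2026:10:02:45 +0000] "GET /cpsess456/execute/Team/create_user?username=y&plugin=%60cat+/etc/passwd%60 HTTP/1.1" 500 0',
]

if __name__ == '__main__':
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The allow-list check (SAFE_PLUGIN) runs first so that ordinary plugin names never reach the pattern list, which keeps false positives low; the pattern list is deliberately broad because an attacker controls the encoding and spacing of the payload. Requests that post the parameters in the body will not be caught by this log-based approach and need request-body logging or an application-side control.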
Detection coverage (3 rules)
Detect cPanel create_user API Abuse
Severity: high. Detects CVE-2026-29201 exploitation: identifies suspicious cPanel create_user API calls with potentially malicious Perl code in the plugin parameter, indicating a possible code injection attempt.
Detect CVE-2026-29202 - Suspicious Chmod Usage
Severity: medium. Detects CVE-2026-29202 exploitation: identifies attempts to modify file permissions (chmod) on system files, which may lead to privilege escalation or denial of service.
Detect CVE-2026-29203 - Arbitrary File Read via adminbin
Severity: medium. Detects CVE-2026-29203 exploitation: detects access to sensitive files by abusing the LOADFEATUREFILE functionality in adminbin.