<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>CPanel — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/cpanel/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 30 Apr 2026 12:16:14 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/cpanel/feed.xml" rel="self" type="application/rss+xml"/><item><title>Critical Authentication Bypass Vulnerability in cPanel &amp; WHM (CVE-2026-41940)</title><link>https://feed.craftedsignal.io/briefs/2026-05-cpanel-auth-bypass/</link><pubDate>Thu, 30 Apr 2026 12:16:14 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-cpanel-auth-bypass/</guid><description>CVE-2026-41940 is a critical authentication bypass vulnerability in cPanel &amp; WHM, allowing unauthenticated remote attackers to gain administrative access by manipulating session data.</description><content:encoded><![CDATA[<p>A critical authentication bypass vulnerability, CVE-2026-41940, affects all versions of cPanel &amp; WHM. This vulnerability allows unauthenticated remote attackers to gain administrative access to affected systems due to improper handling of session data. Public technical analyses and proof-of-concept code are available, significantly lowering the barrier to exploitation. There are indications that the vulnerability has been actively exploited in the wild, potentially as a zero-day. 
cPanel &amp; WHM is commonly exposed to the internet and manages hosting environments, making it an attractive target for attackers seeking control over hosting infrastructures and numerous websites.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a cPanel &amp; WHM server exposed to the internet.</li>
<li>The attacker crafts a malicious HTTP request targeting the cPanel &amp; WHM login endpoint.</li>
<li>The crafted request manipulates session creation and processing by injecting controlled data into the session files.</li>
<li>This injected data alters authentication-related attributes within the session, bypassing the normal authentication flow.</li>
<li>The attacker successfully establishes a session that is treated as fully authenticated without providing valid credentials.</li>
<li>With administrative privileges, the attacker gains full control over the cPanel server.</li>
<li>The attacker accesses hosted websites and databases, potentially compromising sensitive data.</li>
<li>The attacker establishes persistence through backdoors or additional user accounts, ensuring continued access to the compromised system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-41940 allows attackers to gain complete control over cPanel &amp; WHM servers. This can lead to the compromise of hosted websites, databases, and sensitive customer data. Given the central role of cPanel in hosting environments, this vulnerability can result in large-scale compromise affecting multiple customers and services. The widespread use of cPanel &amp; WHM makes this a high-impact vulnerability.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>After thorough testing, immediately apply the security patch provided by cPanel for CVE-2026-41940 to prevent exploitation.</li>
<li>Implement increased monitoring and detection capabilities to identify suspicious activity related to CVE-2026-41940, as recommended by CCB.</li>
<li>Review web server logs for unusual patterns or requests targeting cPanel login endpoints to detect potential exploitation attempts. Create a Sigma rule based on webserver logs.</li>
<li>Monitor for unauthorized changes to user accounts or the creation of new administrative accounts on cPanel servers. Create a Sigma rule based on process creation logs.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">threat</category><category>authentication bypass</category><category>cPanel</category><category>web hosting</category><category>vulnerability</category></item><item><title>cPanel and WHM Authentication Bypass Vulnerability (CVE-2026-41940)</title><link>https://feed.craftedsignal.io/briefs/2026-04-cpanel-auth-bypass/</link><pubDate>Wed, 29 Apr 2026 16:16:25 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-cpanel-auth-bypass/</guid><description>An authentication bypass vulnerability in cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5 allows unauthenticated remote attackers to gain unauthorized access to the control panel.</description><content:encoded><![CDATA[<p>On April 28, 2026, a critical authentication bypass vulnerability (CVE-2026-41940) was disclosed affecting cPanel and WHM. This vulnerability impacts versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5. The vulnerability exists within the login flow, allowing unauthenticated remote attackers to bypass authentication and gain unauthorized access to the control panel. Successful exploitation grants attackers complete control over the affected cPanel and WHM instances, potentially leading to data theft, server compromise, and further malicious activities. This vulnerability poses a significant risk to web hosting providers and their customers.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker sends a crafted HTTP request to the cPanel/WHM login page, exploiting the authentication bypass vulnerability.</li>
<li>The vulnerable cPanel/WHM version fails to properly validate the request, allowing the attacker to bypass the login process.</li>
<li>The attacker gains unauthorized access to the cPanel/WHM interface.</li>
<li>The attacker enumerates the server to identify valuable files, directories, and database configurations.</li>
<li>The attacker leverages the compromised cPanel/WHM access to upload malicious scripts or binaries.</li>
<li>The attacker executes uploaded payloads to establish persistent access, such as a web shell.</li>
<li>The attacker uses the web shell to perform arbitrary commands on the server, including escalating privileges.</li>
<li>The attacker exfiltrates sensitive data, defaces websites, or deploys ransomware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-41940 can lead to complete compromise of cPanel and WHM servers. This can result in data breaches, website defacement, and denial-of-service attacks. The vulnerability affects a wide range of cPanel and WHM installations, potentially impacting thousands of web hosting providers and their customers. The high CVSS score (9.8) reflects the severity of the risk and the ease with which it can be exploited.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade cPanel and WHM installations to version 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5, or later, to patch CVE-2026-41940.</li>
<li>Monitor web server logs for unusual activity and unauthorized access attempts to the cPanel/WHM interface by deploying the Sigma rule <code>DetectCpanelAuthBypassAccess</code>.</li>
<li>Implement strict access control policies to limit access to cPanel/WHM administrative interfaces, and monitor user activity by deploying the Sigma rule <code>DetectCpanelAccountManipulation</code>.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cpanel</category><category>whm</category><category>authentication-bypass</category><category>CVE-2026-41940</category><category>webserver</category></item></channel></rss>