cPanel patches critical authentication bypass flaw after emergency warning


cPanel has released emergency security updates for a critical authentication bypass vulnerability affecting cPanel & WHM, cPanel DNSOnly, and WP Squared.

The flaw is tracked as CVE-2026-41940 and affects cPanel software versions after 11.40. If left unpatched, the issue can allow unauthenticated remote attackers to bypass login protections and gain unauthorized access to the control panel.

Server administrators should update immediately, confirm the installed build, and restart the cPanel service. Hosting providers should also review access logs and restrict exposed management ports where possible.

What happened

cPanel published the emergency security notice on April 28, 2026. The company said the issue affects authentication paths in cPanel software, including DNSOnly.

The advisory lists the issue as an authentication bypass affecting all versions after 11.40. cPanel pushed patched builds across supported release tiers and also released a fixed WP Squared version.

Security companies later identified the flaw as CVE-2026-41940. Rapid7 said the issue carries a critical CVSS 9.8 score and can allow administrative access to affected systems.

At a glance

Item                 Details
CVE                  CVE-2026-41940
Affected products    cPanel & WHM, cPanel DNSOnly, and WP Squared
Affected versions    cPanel software versions after 11.40
Vulnerability type   Authentication bypass
Severity             Critical
CVSS score           9.8, according to Rapid7
Main risk            Unauthorized control panel or WHM access
Patch date           April 28, 2026
Required action      Update, verify build version, and restart cpsrvd

Patched cPanel versions

Administrators should confirm that their servers run one of the patched cPanel & WHM builds. The fixed versions are listed below.

Release track   Patched version
11.86           11.86.0.41
11.110          11.110.0.97
11.118          11.118.0.63
11.126          11.126.0.54
11.130          11.130.0.19
11.132          11.132.0.29
11.134          11.134.0.20
11.136          11.136.0.5

cPanel also released a patched WP Squared build, version 136.1.7.

Why this flaw is serious

cPanel and WHM sit at the center of many hosting environments. WHM can manage server-level settings, hosting accounts, DNS, SSL certificates, databases, email accounts, backups, and security policies.

If attackers bypass authentication on an exposed WHM or cPanel interface, they may gain access to websites, customer data, email accounts, databases, and server configuration controls.

That kind of access can lead to website defacement, malware hosting, spam campaigns, data theft, credential harvesting, and broader server compromise.

Why hosting providers reacted quickly

Several hosting providers temporarily restricted access to cPanel and WHM ports while patches were being prepared and deployed. Namecheap said it blocked ports 2083 and 2087 as a precaution during the emergency.

This kind of temporary restriction can reduce exposure while administrators patch. It also shows how sensitive cPanel and WHM access is for shared hosting and managed server environments.

Internet-facing management panels are high-value targets because one successful compromise can affect many hosted websites at once.

How to update cPanel manually

Administrators can force the update from the command line. Run the update script as root:

/scripts/upcp --force

After the update finishes, verify the installed cPanel version:

/usr/local/cpanel/cpanel -V

Then restart the cPanel service:

/scripts/restartsrv_cpsrvd
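The three steps above, wrapped in an added example script (not cPanel's own tooling) that also checks the reported build against the patched version table for its release track before restarting cpsrvd. It assumes `/usr/local/cpanel/cpanel -V` prints a dotted build number such as 11.126.0.54; the live steps only run when the script is invoked with `--apply` as root.

```shell
#!/bin/sh
# Added example, not cPanel's own tooling. Checks whether an installed cPanel & WHM
# build is at or above the patched version for its release track (table above), and
# runs the update/verify/restart steps only when invoked with --apply as root.
# ASSUMPTION: "/usr/local/cpanel/cpanel -V" prints a dotted build such as 11.126.0.54.

# Patched builds per release track, copied from the advisory table.
PATCHED_VERSIONS="11.86.0.41 11.110.0.97 11.118.0.63 11.126.0.54 11.130.0.19 11.132.0.29 11.134.0.20 11.136.0.5"

# Print the patched build for the release track (first two fields) of $1, or fail.
patched_for_track() {
    track=$(printf '%s' "$1" | cut -d. -f1-2)
    for v in $PATCHED_VERSIONS; do
        case "$v" in "$track".*) printf '%s\n' "$v"; return 0 ;; esac
    done
    return 1
}

# Compare dotted versions field by field; prints -1, 0 or 1 (missing fields count as 0).
vercmp() {
    i=1
    while :; do
        x=$(printf '%s' "$1" | cut -d. -f"$i"); y=$(printf '%s' "$2" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && { printf '%s\n' 0; return 0; }
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && { printf '%s\n' -1; return 0; }
        [ "$x" -gt "$y" ] && { printf '%s\n' 1; return 0; }
        i=$((i + 1))
    done
}

# Exit 0 if $1 is patched, 1 if it is below the patched build, 2 if its track is not listed.
is_patched() {
    want=$(patched_for_track "$1") || return 2
    [ "$(vercmp "$1" "$want")" -ge 0 ]
}

if [ "${1:-}" = "--apply" ]; then
    /scripts/upcp --force
    ver=$(/usr/local/cpanel/cpanel -V | grep -o '[0-9][0-9.]*' | head -n 1)
    if is_patched "$ver"; then
        echo "cPanel $ver is a patched build; restarting cpsrvd"
        /scripts/restartsrv_cpsrvd
    else
        echo "cPanel $ver is not a patched build for its release track (or track not listed)" >&2
        exit 1
    fi
fi
```

A build from a release track that is not in the table (an unsupported track) is reported separately, since the advisory says such versions will not receive the fix.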

Administrator checklist

  • Run /scripts/upcp --force on every managed cPanel server.
  • Confirm that the build matches one of the patched versions.
  • Restart cpsrvd after the update.
  • Check all WHM, cPanel, DNSOnly, and WP Squared systems.
  • Review login and session logs for suspicious activity before patching.
  • Restrict cPanel and WHM access to trusted IP addresses where possible.
  • Enable multi-factor authentication for administrator accounts.
  • Block public access to management ports if they do not need internet exposure.

Ports to review

Service   Common ports   Recommended action
cPanel    2082, 2083     Restrict to trusted users and prefer secure access
WHM       2086, 2087     Limit to administrator IP addresses where possible
Webmail   2095, 2096     Monitor for suspicious login attempts

What to check after patching

Patching should come first, but administrators should not stop there. A critical authentication bypass creates a risk that attackers may have attempted access before the fix was applied.

Review recent authentication events, newly created accounts, privilege changes, API token activity, WHM access, and suspicious configuration changes.

Administrators should also check hosted websites for unexpected files, new cron jobs, unusual email sending activity, and signs of web shells.

Post-patch investigation steps

  • Review WHM and cPanel login logs for unusual source IP addresses.
  • Check for newly created or modified administrator accounts.
  • Review API tokens and revoke anything suspicious or unused.
  • Check account-level file changes across hosted sites.
  • Review cron jobs for unexpected commands.
  • Inspect mail queues for spam or abuse activity.
  • Check DNS and SSL changes made during the exposure window.
  • Rotate administrator passwords if suspicious activity appears.
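A first pass at the log review in the first step above, as an added example that is not part of the original article: it lists authenticated, successful requests from source IPs outside an administrator allowlist. The cpsrvd access-log layout is an assumption here (Apache common log format with the logged-in user in the third field), and the log lines and allowlisted addresses are constructed from RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example, not cPanel's own tooling: list authenticated, successful requests
# from source IPs outside an allowlist, as a first pass over cpsrvd access logs.
# ASSUMPTION: log lines follow Apache common log format with the authenticated user
# in field 3: ip - user [timestamp] "request" status size
ALLOWLIST="203.0.113.10 203.0.113.11"   # constructed administrator IPs (RFC 5737)

# Constructed sample lines using documentation addresses; not real log data.
SAMPLE_LOG='203.0.113.10 - root [28/Apr/2026:09:12:01 +0000] "POST /login/ HTTP/1.1" 200 512
198.51.100.77 - root [28/Apr/2026:09:13:44 +0000] "POST /login/ HTTP/1.1" 200 512
198.51.100.77 - root [28/Apr/2026:09:14:02 +0000] "GET /json-api/listaccts HTTP/1.1" 200 8192
192.0.2.5 - - [28/Apr/2026:09:15:10 +0000] "POST /login/ HTTP/1.1" 401 300
198.51.100.77 - root [28/Apr/2026:09:16:30 +0000] "POST /json-api/createacct HTTP/1.1" 200 256'

# Read log lines on stdin; print "ip user count" for 2xx requests by a logged-in user
# whose source IP is not on the allowlist, sorted by IP.
suspicious_sources() {
    awk -v allow="$ALLOWLIST" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            # the status code is the field right after the closing quote of the request
            status = ""
            for (i = 4; i <= NF; i++) if ($i ~ /"$/) { status = $(i + 1); break }
            if ($3 != "-" && status ~ /^2[0-9][0-9]$/ && !($1 in ok)) cnt[$1 " " $3]++
        }
        END { for (k in cnt) print k, cnt[k] }' | sort
}

# Stand-alone run over the constructed sample (for a real server: suspicious_sources < access_log).
printf '%s\n' "$SAMPLE_LOG" | suspicious_sources
```

Failed logins (the 401 line) are left out on purpose: for an authentication bypass the interesting records are the ones that succeeded without a known administrator behind them.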

Unsupported systems need urgent attention

cPanel’s advisory warns that older unsupported versions are likely affected but will not receive the emergency fix.

Administrators running end-of-life cPanel installations should plan an immediate migration to a supported release track. Leaving an unsupported server exposed creates a long-term authentication bypass risk.

Until migration is complete, teams should apply compensating controls such as firewall restrictions, VPN-only access, IP allowlisting, and stronger account monitoring.

Why this matters

This vulnerability affects the management layer of web hosting infrastructure. That makes it more dangerous than a flaw in a single hosted website.

A successful attacker could gain access to the system used to manage many customers, domains, databases, and email accounts. In shared hosting environments, that can turn one exposed control panel into a much wider incident.

The practical response is simple. Patch immediately, verify the build, restart the service, restrict access, and review logs for signs of abuse.

FAQ

What is CVE-2026-41940?

CVE-2026-41940 is a critical authentication bypass vulnerability affecting cPanel & WHM, cPanel DNSOnly, and WP Squared.

Which cPanel versions are affected?

cPanel says the issue affects versions after 11.40. Unsupported older versions may also be affected but will not receive the emergency patch.

Which versions fix the issue?

The patched cPanel & WHM versions include 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, and 11.136.0.5. WP Squared is patched in 136.1.7.

How do I patch cPanel manually?

Run /scripts/upcp --force, verify the version with /usr/local/cpanel/cpanel -V, then restart the service with /scripts/restartsrv_cpsrvd.
