cPanel authentication bypass flaw is being exploited as public PoC raises patch urgency
A critical cPanel and WHM vulnerability is now under active exploitation, and administrators need to patch exposed servers immediately. The flaw is tracked as CVE-2026-41940 and can let unauthenticated remote attackers gain unauthorized access to affected control panels.
The bug affects cPanel software, including DNSOnly deployments, on versions after 11.40. It also affects WP Squared, also known as WP2, which is built around cPanel hosting workflows.
The risk increased after watchTowr published technical details and a proof-of-concept exploit. CISA has also added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog, with a May 3, 2026 remediation deadline for federal civilian agencies.
At a glance
| Item | Details |
|---|---|
| Vulnerability | CVE-2026-41940 |
| Affected products | cPanel & WHM, DNSOnly, and WP Squared |
| Flaw type | Authentication bypass |
| CWE | CWE-306, missing authentication for critical function |
| Severity | Critical, CVSS 9.8 |
| Exploit status | Actively exploited, with public PoC available |
| CISA KEV deadline | May 3, 2026 |
Why CVE-2026-41940 is dangerous
cPanel and WHM manage hosting accounts, websites, domains, email, databases, DNS, and server configuration. WHM also provides administrative control over hosting environments, which makes this vulnerability especially serious.
A successful attack can expose much more than one website. It can give attackers access to the hosting control layer that manages multiple accounts, files, databases, and customer websites on the same server.
Rapid7 warned that successful exploitation can give an attacker control over the cPanel host system, its configurations, its databases, and the websites it manages. This makes internet-facing cPanel services a high-priority patch target.
How the authentication bypass works
The vulnerability sits in the login and session handling process. Researchers described it as a CRLF injection issue that affects how cPanel handles session loading and saving before authentication completes.
Before login, cpsrvd creates a session file. The flaw allows an attacker to manipulate session data and inject values that can later be treated as valid session properties.
watchTowr showed that the attack can promote a pre-authentication session into a root WHM session. The published exploit chain uses session token handling, token denial behavior, and cache propagation to confirm administrative access.
Public PoC increases exploitation risk
The public proof-of-concept makes the situation more urgent because it lowers the technical barrier for attackers. Security teams should assume scanning and copycat exploitation attempts will increase against exposed cPanel ports.
The PoC targets WHM over port 2087 and demonstrates how an attacker can validate access against vulnerable systems. Other cPanel web services can also create exposure depending on how the server is configured.
Because cPanel servers often host many customer sites, one successful compromise can create a broad incident. Attackers may use access to modify websites, steal databases, create accounts, read email data, or plant persistent backdoors.
Patched versions
| Product branch | Fixed version |
|---|---|
| cPanel & WHM 11.86 | 11.86.0.41 |
| cPanel & WHM 11.110 | 11.110.0.97 |
| cPanel & WHM 11.118 | 11.118.0.63 |
| cPanel & WHM 11.126 | 11.126.0.54 |
| cPanel & WHM 11.130 | 11.130.0.19 |
| cPanel & WHM 11.132 | 11.132.0.29 |
| cPanel & WHM 11.134 | 11.134.0.20 |
| cPanel & WHM 11.136 | 11.136.0.5 |
| WP Squared | 136.1.7 |
What administrators should do now
Administrators should update immediately using the cPanel update script. Servers with pinned versions or disabled automatic updates require manual attention because they may not receive the patch automatically.
```sh
/scripts/upcp --force              # force an update run on the server's current tier
/usr/local/cpanel/cpanel -V        # confirm the installed version afterwards
/scripts/restartsrv_cpsrvd --hard  # hard-restart cpsrvd so the patched code is in use
```
cPanel also released a direct update path for CentOS 6 and CloudLinux 6 systems using v110.0.50. Those servers can move to v110.0.103 by setting the update tier first.
```sh
whmapi1 set_tier tier=11.110.0.103
```
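To check a fleet against the patched-versions table above, the following added POSIX shell helper (written for this article, not cPanel's own tooling) classifies an installed cPanel & WHM version as patched or vulnerable for CVE-2026-41940. It assumes the version string has the form `11.<branch>.0.<build>`, as in `11.110.0.97`, which is the format assumed for the output of `/usr/local/cpanel/cpanel -V`; WP Squared builds are not covered.

```sh
#!/bin/sh
# Added example (not cPanel's own tooling): decide whether an installed
# cPanel & WHM build already carries the fix for CVE-2026-41940, using the
# fixed-version table from the article. Assumes the version string has the
# form 11.<branch>.0.<build>, e.g. 11.110.0.97 (WP Squared is not covered).

# Minimum fixed build for each supported branch (from the patched-versions table).
fixed_build_for_branch() {
    case "$1" in
        86)  echo 41 ;;   110) echo 97 ;;  118) echo 63 ;;  126) echo 54 ;;
        130) echo 19 ;;   132) echo 29 ;;  134) echo 20 ;;  136) echo 5  ;;
        *)   return 1 ;;
    esac
}

# cpanel_patch_status VERSION
# Prints one word: patched, vulnerable, consult-advisory or bad-version.
# Exit status: 0 patched, 1 vulnerable, 2 anything that needs a human look
# (a branch with no fixed build listed, a non-zero minor field, or a string
# that is not four dot-separated numeric fields starting with 11).
cpanel_patch_status() {
    ver=$1
    major=${ver%%.*}; rest=${ver#*.}
    branch=${rest%%.*}; rest=${rest#*.}
    minor=${rest%%.*}; build=${rest#*.}
    # Every field must be purely numeric and there must be exactly four of them.
    for f in "$major" "$branch" "$minor" "$build"; do
        case "$f" in ''|*[!0-9]*) echo bad-version; return 2 ;; esac
    done
    case "$ver" in *.*.*.*) ;; *) echo bad-version; return 2 ;; esac
    [ "$major" = 11 ] || { echo bad-version; return 2; }
    # Only the x.0.y builds are in the table; anything else goes to the advisory.
    fixed=$(fixed_build_for_branch "$branch") || { echo consult-advisory; return 2; }
    [ "$minor" = 0 ] || { echo consult-advisory; return 2; }
    if [ "$build" -ge "$fixed" ]; then
        echo patched; return 0
    fi
    echo vulnerable; return 1
}

# When run directly with a version argument, e.g.
#   sh check_cpanel_patch.sh "$(/usr/local/cpanel/cpanel -V)"
if [ $# -gt 0 ]; then
    cpanel_patch_status "$1"
fi
```

Versions below the 11.86 branch return `consult-advisory` because the article lists no fixed build for them; such servers fall under the "move unsupported servers to a supported patched version" advice rather than a build comparison.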
Temporary mitigations if patching is blocked
cPanel recommends patching as the primary fix. If an organization cannot update immediately, it should reduce exposure by blocking inbound traffic to cPanel and webmail service ports.
- Block inbound access to ports 2083, 2087, 2095, and 2096 at the firewall.
- Stop cpsrvd and cpdavd if blocking ports is not enough for the environment.
- Prioritize exposed WHM services on port 2087.
- Find servers with disabled or pinned update settings.
- Move unsupported cPanel servers to a supported patched version as soon as possible.
```sh
# Disable and stop cpsrvd (cPanel/WHM/webmail) and cpdavd (WebDAV/CalDAV) until the server is patched
whmapi1 configureservice service=cpsrvd enabled=0 monitored=0 && \
whmapi1 configureservice service=cpdavd enabled=0 monitored=0 && \
/scripts/restartsrv_cpsrvd --stop && \
/scripts/restartsrv_cpdavd --stop
```
How to check for signs of compromise
cPanel published a detection script that checks session files for indicators linked to the exploit. The vendor specifically points administrators to session artifacts under the cPanel sessions directory.
Security teams should also review cPanel access logs, WHM login activity, new account creation, unexpected DNS changes, modified packages, unfamiliar SSH keys, suspicious cron jobs, and changes to hosted websites.
Any server that shows signs of exploitation should go through incident response. Patching closes the flaw, but it does not remove accounts, web shells, stolen credentials, or persistence mechanisms that an attacker may have already created.
Why hosting providers face extra pressure
The vulnerability is especially sensitive for shared hosting providers because one WHM compromise can affect many customer accounts. A single server may host multiple websites, databases, mailboxes, DNS zones, and reseller accounts.
Providers should identify all internet-facing cPanel and WHM instances, confirm the installed build number, and contact customers if service access needs to be restricted during emergency maintenance.
Customers using managed hosting should also ask their provider to confirm the patched cPanel version. They should not assume the provider patched automatically, especially if the environment uses older branches or custom update policies.
FAQ
CVE-2026-41940 is a critical authentication bypass vulnerability in cPanel and WHM. It can allow unauthenticated remote attackers to gain unauthorized administrative access to vulnerable control panels.
Yes. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog, and public exploit code is available.
cPanel says the issue affects all versions after 11.40. Administrators should update to one of the patched builds listed in the vendor advisory.
cPanel recommends blocking inbound traffic on ports 2083, 2087, 2095, and 2096 if immediate patching is not possible.