Critical Alert: cPanel & WHM Authentication Bypass (CVE-2026-41940)

Overview

On April 28, 2026, cPanel released an urgent security update to fix a serious vulnerability in cPanel & WHM and WP Squared. Initially described as an issue related to session handling, this vulnerability now officially tracked as CVE-2026-41940 has been given a critical CVSS score of 9.8.

Understanding the cPanel Authentication Bypass Vulnerability

In simple terms, this flaw allows an attacker to bypass login authentication completely and gain unauthorized administrative access to a server. That means a hacker could potentially take full control of your cPanel server, including websites, databases, and configurations.

Considering that over 1.5 million cPanel servers are exposed on the internet, this vulnerability is a major concern for anyone relying on cPanel hosting.

Why This is Dangerous

cPanel & WHM are widely used tools for managing web hosting environments:

• WHM (Web Host Manager) → Root-level server administration
• cPanel → User-level control panel for websites

If exploited, this vulnerability allows attackers to:

• Gain root-level access
• Modify server settings
• Access or manipulate databases
• Compromise hosted websites

This makes cPanel server security a top priority right now.

What’s Happening Technically (Simplified)

The issue lies in how cPanel handles session creation and authentication.

• Before login is complete, cPanel creates a session file
• Attackers can manipulate session cookies (whostmgrsession)
• Using a technique called CRLF injection, they inject malicious data
• This tricks the system into creating a fake session with admin privileges

For example, an attacker can insert something like:

user=root

into the session file without needing valid login credentials.

Once the session reloads, the attacker gets full administrative access.

Active Exploitation in the Wild

Reports from hosting providers like KnownHost suggest that this vulnerability is already being exploited, possibly even before it was publicly disclosed.

Security researchers have also released a proof-of-concept (PoC), which increases the risk of widespread attacks.

Affected Versions

All cPanel versions after 11.40 are affected unless updated to the fixed releases.

Here are some key patched versions:

• 11.86 → Fixed in 11.86.0.41
• 11.110 → Fixed in 11.110.0.97
• 11.118 → Fixed in 11.118.0.63
• 11.126 → Fixed in 11.126.0.54
• 11.130 → Fixed in 11.130.0.19
• 11.132 → Fixed in 11.132.0.29
• 11.134 → Fixed in 11.134.0.20
• 11.136 → Fixed in 11.136.0.5

WP Squared is also affected (fixed in version 136.1.7).

What You Should Do Immediately

If you are running a cPanel server, take action now:

1. Update Your Server (Most Important)

Upgrade to the latest patched version immediately. This is the only reliable fix.

2. Avoid Temporary Workarounds  recommended until server get patched 

Some providers are blocking ports 2083 and 2087, but this is not a permanent solution.

3. Strengthen cPanel Server Security

• Restrict access using firewalls
• Enable IP whitelisting
• Monitor login and session activity
• Use security tools and intrusion detection

4. Invest in WHM Server Management

Professional WHM server management ensures:

• Timely patching
• Vulnerability monitoring
• Proactive threat detection

5. Optimize and Secure Your Environment

Along with patching, focus on cPanel server optimization:

• Remove unused services
• Harden configurations
• Regularly audit server performance and security

Final Thoughts

This vulnerability highlights how critical proper cPanel server security and proactive monitoring are. A single unpatched system can expose your entire infrastructure.

If you’re managing multiple servers or lack in-house expertise, investing in expert WHM server management can help prevent such risks and keep your infrastructure secure and optimized.

Frequently Asked Questions