A critical vulnerability in cPanel and WebHost Manager (WHM) is being actively exploited in the wild. Tracked as CVE-2026-41940, the flaw allows unauthenticated attackers to bypass login protections and gain unauthorized access to affected control panels.
cPanel has released security updates, and administrators are strongly urged to patch immediately. You can find the official vendor guidance in the cPanel CVE-2026-41940 security advisory. (cPanel Support)
Why this vulnerability matters
cPanel and WHM are widely used by hosting providers, resellers, managed service providers, and website administrators to manage websites, databases, email accounts, DNS, and server settings.
This makes CVE-2026-41940 especially dangerous. A successful attack does not only affect one website. If WHM access is obtained, an attacker may be able to control the entire hosting environment, including multiple customer accounts on the same server.
In practical terms, attackers could potentially:
- Access hosted websites and customer data
- Modify files or databases
- Create backdoor accounts
- Deploy malware or botnet payloads
- Steal credentials
- Pivot deeper into victim networks
Security researchers have reported active exploitation shortly after public disclosure. The vulnerability has also been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, confirming that it is being exploited in real-world attacks. (NVD)
For administrators, this should be treated as an urgent server security and vulnerability management issue.
What is CVE-2026-41940?
CVE-2026-41940 is an authentication bypass vulnerability affecting cPanel and WHM versions after 11.40.
According to public technical analysis, the issue is related to weaknesses in the login and session handling process. Rapid7 describes the vulnerability as a CRLF injection issue in the cPanel and WHM login/session loading process, which can allow an attacker to gain unauthorized administrative access. (Rapid7)
In simple terms, the vulnerability may allow an attacker to trick the control panel into treating them as an authenticated user without knowing the correct password.
Because cPanel and WHM are administrative tools, this type of flaw is far more serious than a normal website bug. It affects the control layer used to manage hosting accounts, files, domains, databases, and email services.
Who is being targeted?
Reported exploitation has included attacks against:
- Government and military-related domains
- Managed service providers
- Hosting providers
- Internet-facing cPanel and WHM systems
- Servers later used for scanning or brute-force activity
Researchers have also observed opportunistic exploitation by multiple third parties. Some activity has reportedly involved botnet deployment attempts and ransomware-related payloads.
Because cPanel is commonly exposed to the internet, vulnerable servers can be found and attacked quickly once exploit details become public. This is why administrators should not delay patching.
Affected versions
The vulnerability affects multiple supported cPanel & WHM release branches. Vulnerable ranges include:
| Product | Vulnerable versions | Fixed version |
|---|---|---|
| cPanel & WHM | 11.40.0.0 to below 11.86.0.41 | 11.86.0.41+ |
| cPanel & WHM | 11.88.0.0 to below 11.110.0.97 | 11.110.0.97+ |
| cPanel & WHM | 11.112.0.0 to below 11.118.0.63 | 11.118.0.63+ |
| cPanel & WHM | 11.120.0.0 to below 11.124.0.35 | 11.124.0.35+ |
| cPanel & WHM | 11.125.0.0 to below 11.126.0.54 | 11.126.0.54+ |
| cPanel & WHM | 11.128.0.0 to below 11.130.0.19 | 11.130.0.19+ |
| cPanel & WHM | 11.132.0.0 to below 11.132.0.29 | 11.132.0.29+ |
| cPanel & WHM | 11.134.0.0 to below 11.134.0.20 | 11.134.0.20+ |
| cPanel & WHM | 11.136.0.0 to below 11.136.0.5 | 11.136.0.5+ |
| WP Squared | 11.136.1 to below 11.136.1.7 | 11.136.1.7+ |
Administrators should compare their installed version with the fixed versions listed in the official cPanel advisory. (cPanel Support)
Recommended actions
Administrators should treat this as an emergency patching situation.
1. Update cPanel immediately
Run the cPanel update process and confirm that the server is on a fixed version:
/scripts/upcp --force
After updating, verify the installed build and restart the relevant services if required.
2. Restrict access to cPanel and WHM ports
Until patching is complete, restrict inbound access to common cPanel, WHM, webmail, and related ports:
- 2083
- 2087
- 2095
- 2096
If these interfaces do not need to be publicly reachable, limit access to trusted IP addresses only. This is especially important for exposed hosting infrastructure and managed service environments.
3. Run the official detection script
cPanel has published detection guidance and updated its script to reduce false positives. Administrators should use the official cPanel-provided script to check for possible indicators of compromise. (cPanel Support)
Suspicious indicators may include unusual session states, malformed authentication-related session data, unexpected two-factor authentication session attributes, or abnormal login/session behavior.
4. Assume exposed vulnerable servers may be compromised
Because exploitation has been reported in the wild, patching alone may not be enough for systems that were exposed before being updated.
Administrators should review:
- WHM and cPanel access logs
- Newly created accounts
- Unexpected SSH keys
- Cron jobs and systemd services
- Suspicious files in customer web directories
- Recently modified PHP files
- Unknown VPN, proxy, tunneling, or remote access tools
- Outbound connections to unusual IP addresses
This step is important for both malware removal and broader incident response workflows.
5. Rotate credentials after cleanup
After confirming the system is patched and cleaned, rotate sensitive credentials, including:
- WHM root credentials
- cPanel account passwords
- Database passwords
- FTP/SFTP credentials
- API tokens
- Hosting reseller credentials
Credential rotation should happen after investigation and cleanup, not before. Otherwise, attackers with persistent access may simply capture the new credentials again.
Why hosting providers should move quickly
For hosting providers and MSPs, this vulnerability is especially serious because one compromised WHM instance can expose many downstream customers. A single server may host hundreds of websites, email accounts, databases, and business applications.
This is why several hosting providers temporarily restricted access to cPanel and WHM ports while applying emergency patches. Blocking access may be disruptive, but it is safer than leaving a vulnerable management interface exposed during active exploitation.
Final thoughts
CVE-2026-41940 is not a routine web vulnerability. It affects the management layer of hosting infrastructure and can give attackers broad control over affected servers.
Website owners using shared hosting should contact their provider to confirm that patches have been applied. Server administrators, MSPs, and hosting companies should update immediately, check for compromise, and restrict access to control panel interfaces wherever possible.
Recommended priority: Critical — patch and investigate immediately.
Sources
- cPanel Security Advisory: CVE-2026-41940 — cPanel & WHM / WP2 Security Update
- NVD: CVE-2026-41940
- Rapid7: CVE-2026-41940 cPanel & WHM Authentication Bypass
- watchTowr Labs: cPanel & WHM Authentication Bypass CVE-2026-41940
- CISA Known Exploited Vulnerabilities Catalog entry via NVD reference
Founder of ToolsLib, Designer, Web and Cybersecurity Expert.
Passionate about software development and crafting elegant, user-friendly designs.
Stay Updated with ToolsLib! 🚀
Join our community to receive the latest cybersecurity tips, software updates, and exclusive insights straight to your inbox!
