cPanel has released security updates to address a security issue impacting various authentication paths that could allow an attacker to obtain access to the control panel software.
The problem affects all currently supported versions of cPanel and WebHost Manager (WHM), according to an alert published by WebPros on Tuesday. It does not have an official identifier. The issue has been addressed in the following versions –
- 11.86.0.41
- 11.110.0.97
- 11.118.0.63
- 11.126.0.54
- 11.130.0.19
- 11.132.0.29
- 11.136.0.5
- 11.134.0.20
“If your server is not running a supported version of cPanel that is eligible for this update, it is highly recommended that you work toward updating your server as soon as possible, as it may also be affected,” cPanel noted.
While cPanel did not share any details about the vulnerability, web hosting and domain registration company Namecheap disclosed that it “relates to an authentication login exploit that could allow unauthorized access to the control panel.”
As a precautionary measure, the company has applied a firewall rule to block access to TCP ports 2083 and 2087, a move it said will temporarily restrict customer access to their cPanel and WHM interfaces until a full patch is applied.
“Our team is actively monitoring the situation and will apply the official patch across all supported servers as soon as it becomes available,” Namecheap noted. “Access to your control panels will be restored immediately once the patch has been successfully deployed.”
As of April 29, 2026, 02:42 a.m. UTC, the fix has been applied to Reseller, Stellar Business servers, and the rest, according to the Namecheap Support Team.
Flaw Now Tracked as CVE-2026-41940; Exploited as 0-Day
The authentication bypass vulnerability has been assigned the CVE identifier CVE-2026-41940, and carries a CVSS score of 9.8 out of 10.0. In an update to its advisory, cPanel said patches have also been pushed to WP Squared version 136.1.7.
“cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel,” according to a description of the flaw in the NIST’s National Vulnerability Database (NVD).
cPanel has also urged customers to perform the following actions –
- Update the server to one of the above-listed versions immediately via the cPanel update script (“/scripts/upcp --force”)
- Verify and confirm the cPanel build version being returned and perform a restart
As mitigations until a patch can be applied, the company is suggesting the following steps –
- Block inbound traffic on ports 2083, 2087, 2095, and 2096 at the firewall, or
- Stop cpsrvd and cpdavd
Reports on Reddit indicate that the vulnerability has been under active exploitation as a zero-day, with KnownHost CEO Daniel Pearson noting that “this has absolutely been used in the wild, and has been seen at least for the last 30 days if not longer.” The Hacker News has reached out to cPanel for more information, and we will update the story if we hear back.
cPanel has released a detection script to look for indicators of compromise –
- Session has both token_denied AND cp_security_token and method=badpass origin
- Pre-authenticated session with authenticated attributes
- Any session with tfa_verified but no valid origin
- Password field containing newlines
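The four indicators above can be checked mechanically against session records. The following script is an added example written for this article, not cPanel's own detection script: it assumes sessions are plain-text records of one key=value per line, takes the field names token_denied, cp_security_token, tfa_verified and origin from the indicator list, and uses "pass" (password field) and "pre_auth" (marker of a session written before login completed) as placeholder names.

```python
"""Flag cPanel/WHM session records matching the four indicators listed above.
Added example, not cPanel's script.  ASSUMED: one key=value per line; the
fields 'pass' and 'pre_auth' are placeholder names, the others come from the
indicator list."""

# Attributes that should only appear once a login has completed (assumption).
AUTHENTICATED_ATTRS = ("user", "cp_security_token", "tfa_verified")

def parse_session(text):
    """Split on LF only, so a CR injected inside a value survives for the
    newline check instead of being silently normalised away."""
    fields = {}
    for line in text.split("\n"):
        if "=" not in line:
            continue
        key, value = line.split("=", 1)   # values may themselves contain '='
        fields[key.strip()] = value
    return fields

def check_session(fields):
    """Return the names of the indicators that this record matches."""
    hits = []
    origin = fields.get("origin", "")
    if ("token_denied" in fields and "cp_security_token" in fields
            and "method=badpass" in origin):
        hits.append("token_denied+cp_security_token with method=badpass origin")
    if fields.get("pre_auth") == "1" and any(a in fields for a in AUTHENTICATED_ATTRS):
        hits.append("pre-authenticated session carrying authenticated attributes")
    if "tfa_verified" in fields and not origin.strip():
        hits.append("tfa_verified without a valid origin")
    if any(c in fields.get("pass", "") for c in "\r\n"):
        hits.append("password field containing newline characters")
    return hits

# Constructed sample records (not real cPanel data).
CLEAN = "user=alice\norigin=method=handle_form_login\ncp_security_token=cpsess1234\n"
INJECTED = ("pre_auth=1\npass=hunter2\r\nuser=root\ncp_security_token=cpsess9999\n"
            "token_denied=1\norigin=method=badpass\n")

if __name__ == "__main__":
    for name, record in (("clean", CLEAN), ("injected", INJECTED)):
        print(name, check_session(parse_session(record)))
```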
“Compromise of cPanel is materially different from the compromise of a single customer website. WHM grants root administrative access to the server,” Hadrian said. “An attacker with this access can read every customer hosting account, modify files and databases, create backdoor accounts, install malware, steal credentials, and pivot into customer networks.”
In a post shared on LinkedIn, Eye Security said it identified over 2 million cPanel instances connected to the internet, although it’s currently not known how many of those have auto-update enabled and are vulnerable to the flaw.
watchTowr Labs, which published additional technical specifics about the flaw, said inconsistencies in cPanel’s authentication flow can be exploited by bad actors to bypass login checks and access accounts.
In its own advisory for the vulnerability, Rapid7 said CVE-2026-41940 is caused by a Carriage Return Line Feed (CRLF) injection in the login and session loading processes of cPanel and WHM, allowing an attacker to gain unauthorized administrative access to the affected systems –
Before authentication occurs, `cpsrvd` (the cPanel service daemon) writes a new session file to the disk. The vulnerability allows an attacker to manipulate the `whostmgrsession` cookie by omitting an expected segment of the cookie value, avoiding the encryption process typically applied to an attacker-provided value.
Attackers can inject raw `\r\n` characters via a malicious basic authorization header, and the system subsequently writes the session file without sanitizing the data. As a result, the attacker can insert arbitrary properties, such as `user=root`, into their session file. After triggering a reload of the session from the file, the attacker establishes administrator-level access for their token.
“Let’s call this what it is: an unauthenticated authentication bypass in cPanel and WHM, a management-plane solution deployed on tens of thousands of servers and sitting in front of a meaningful chunk of the internet,” Benjamin Harris, CEO and founder of watchTowr, told The Hacker News.
“Within hours of the advisory dropping, nearly every major hosting provider on the planet had firewalled their own customers off their own product. hosting.com, Namecheap, KnownHost, HostPapa, InMotion and the rest all pulled the emergency brake because the alternative was watching their entire customer base get owned in real-time.”