CVE-2026-41940: Critical cPanel & WHM Authentication Bypass — General Guide 2026
🚨 CRITICAL SECURITY ADVISORY 🚨
CVE-2026-41940: Critical cPanel & WHM Authentication Bypass — What every website owner and server admin must do right now.
Published: May 1, 2026 | Severity: CRITICAL — CVSS 9.8 / 10 | Patch: Available
Affected: All cPanel & WHM versions after v11.40 | Active exploitation: Confirmed since Feb 23, 2026
Bottom line up front
A critical flaw in cPanel & WHM has been actively exploited since at least February 23, 2026. With a CVSS score of 9.8 out of 10, an attacker does not need your password: a single crafted request to the panel's login interface can lead to full root-level administrative access. Public scan estimates put the number of internet-exposed cPanel servers between 1.5 and 2 million. If you have not patched yet, patch immediately, then review the rest of this guide.
Introduction: The flaw that shook the hosting world
On April 28, 2026, cPanel issued an emergency security advisory: supported versions of cPanel and WHM contained a critical authentication bypass vulnerability.
Within hours, major hosting providers reportedly restricted access to cPanel ports network-wide while patches were prepared. The issue, tracked as CVE-2026-41940, was later reported to have been exploited in the wild as a zero-day since at least February 2026. Security researchers published technical detail and proof-of-concept material shortly after public disclosure.
This article explains what the vulnerability is, how it was exploited, who is affected, how to fix it, and how to harden your environment afterward.
What is cPanel and WHM?
cPanel is the widely used graphical control panel for managing websites, email, databases, domains, and files from a browser.
WHM (Web Host Manager) is the admin layer used by providers and resellers to manage multiple cPanel accounts on one server. WHM operates with elevated privileges — controlling WHM effectively means controlling the entire server.
Together, cPanel & WHM underpin a very large share of shared hosting worldwide.
What is CVE-2026-41940?
CVE-2026-41940 is an authentication bypass: an attacker may reach cPanel or WHM administrative interfaces without valid credentials, without brute force, phishing, or stolen passwords — by sending a crafted HTTP request. The process can take seconds.
| Attribute | Details |
|---|---|
| CVE ID | CVE-2026-41940 |
| CVSS score | 9.8 / 10.0 — Critical |
| Type | Authentication bypass (CWE-306: missing authentication for critical function) |
| Attack vector | Remote, unauthenticated — no credentials required |
| Affected software | cPanel & WHM versions after v11.40; WP Squared up to v136.1.7 |
| Disclosed | April 28, 2026 (cPanel advisory) |
| CVE assigned | April 29, 2026 (MITRE) |
| Exploited in the wild | Yes — confirmed since at least February 23, 2026 |
| Zero-day window | Roughly two months of active exploitation (Feb 23 to Apr 28, 2026) before a patch existed |
| Patch | Yes — released April 28, 2026 |
| Exposed instances (reports) | Roughly 1.5M+ (e.g. Shodan) to 2M+ (third-party estimates) |
Discovery and exploitation timeline
Reports indicate the issue was under coordinated disclosure before the public advisory. Independently, providers have cited exploitation attempts as early as February 23, 2026, implying zero-day use for an extended period prior to patch availability.
After technical details and proof-of-concept code appeared in the wild, mass scanning and automated exploitation typically accelerate. Treat any internet-exposed, unpatched panel as high risk.
What attackers can do after access
With WHM-level access, an attacker may:
- Read or exfiltrate files across customer accounts on the server
- Access databases (customer data, email, credentials)
- Create persistent backdoor accounts
- Deploy malware, web shells, ransomware, or miners
- Inject malicious code into customer sites
- Steal API keys, payment and SMTP credentials from configuration
- Alter DNS or pivot to internal networks
- Compromise large numbers of sites on shared infrastructure
If you operate WHMCS on the same server, review admin accounts and logs for unauthorized access after you patch.
Who is affected?
You should assume relevance if you:
- Run your own VPS or dedicated server with cPanel & WHM
- Resell cPanel hosting or operate a WHM node
- Rely on an agency that hosts you on cPanel
- Use managed WordPress on WP Squared (up to v136.1.7)
- Use any provider that has not confirmed the emergency patch
Large shared hosts often patched quickly after the advisory — still verify with your provider and watch your accounts for suspicious activity. If you run your own server, patching is your responsibility.
How to fix it: step-by-step
Step 1: SSH in as root
Connect to the server as root (SSH or your provider’s serial/web console).
Step 2: Force cPanel update
/scripts/upcp --force
This forces an immediate update to the latest patched build on your tier.
Step 3: Verify version
/usr/local/cpanel/cpanel -V
Compare the output to the minimum safe versions for your release track:
| Release track | Minimum safe version |
|---|---|
| 11.86.x | 11.86.0.41 |
| 11.110.x | 11.110.0.97 |
| 11.118.x | 11.118.0.63 |
| 11.126.x | 11.126.0.54 |
| 11.130.x | 11.130.0.19 |
| 11.132.x | 11.132.0.29 |
| 11.134.x | 11.134.0.20 |
| 11.136.x | 11.136.0.5 |
| WP Squared | 136.1.7 |
Step 4: Restart cPanel services
service cpanel restart
# or
/usr/local/cpanel/scripts/restartsrv_cpsrvd
Step 5: If you cannot patch immediately
Block inbound access to the cPanel/WHM ports at the firewall until you can upgrade or migrate. The example iptables drops below cover the TLS ports (2083 cPanel, 2087 WHM, 2096 webmail) plus plaintext webmail on 2095; if plaintext cPanel (2082) and WHM (2086) are also open on your host, drop those as well. Adjust for your environment:
iptables -I INPUT -p tcp --dport 2083 -j DROP
iptables -I INPUT -p tcp --dport 2087 -j DROP
iptables -I INPUT -p tcp --dport 2095 -j DROP
iptables -I INPUT -p tcp --dport 2096 -j DROP
If you use CSF or another firewall manager, apply the equivalent rules there rather than by hand: CSF rebuilds the iptables chains when it restarts, and rules inserted manually do not survive a reboot. Prefer allowing those ports only from trusted IPs over a blanket drop, so you keep your own administrative access while the block is in place.
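The five steps above as one added shell script, not cPanel's own tooling and not code from the page: it encodes the minimum-safe table, compares the running build number field by field (a plain string compare would rank 11.136.0.5 below 11.136.0.41), and implements the fallback as an allowlist instead of a blanket drop. Assumptions, labelled in the comments: that `/usr/local/cpanel/cpanel -V` prints a dotted version such as 11.136.0.5 (a build that omits the leading 11. is normalised), that 203.0.113.10 stands in for your real admin address, and that the plaintext ports 2082 and 2086 should be covered alongside the TLS ports listed above.

```shell
#!/bin/sh
# Added example, not cPanel's own tooling: verify the installed build against
# the minimum-safe table above and, if patching must wait, allow the panel
# ports only from trusted admin addresses instead of a blanket drop.
# Assumption: `/usr/local/cpanel/cpanel -V` prints a dotted version such as
# 11.136.0.5; builds that print 136.0.5 without the leading 11. are normalised.
# 203.0.113.10 is a placeholder (TEST-NET-3): set TRUSTED_ADMIN_IPS to your own.

TRUSTED_ADMIN_IPS="${TRUSTED_ADMIN_IPS:-203.0.113.10}"
# 2082/2086 are the plaintext cPanel/WHM ports; the drops above cover TLS only.
PANEL_PORTS="2082 2083 2086 2087 2095 2096"

# Minimum safe build per release track (the "11.<track>" column of the table).
min_safe_for_track() {
    case "$1" in
        86)  echo 11.86.0.41 ;;
        110) echo 11.110.0.97 ;;
        118) echo 11.118.0.63 ;;
        126) echo 11.126.0.54 ;;
        130) echo 11.130.0.19 ;;
        132) echo 11.132.0.29 ;;
        134) echo 11.134.0.20 ;;
        136) echo 11.136.0.5 ;;
        *)   return 1 ;;
    esac
}

# Normalise "136.0.5" to "11.136.0.5" so both output styles compare alike.
normalize_version() {
    case "$1" in
        11.*) echo "$1" ;;
        *)    echo "11.$1" ;;
    esac
}

# version_ge A B: succeed when dotted version A >= B, comparing each of the
# four fields as an integer rather than as a string.
version_ge() {
    i=1
    while [ "$i" -le 4 ]; do
        x=$(echo "$1" | cut -d. -f"$i"); y=$(echo "$2" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# is_patched VERSION: return 0 when the build is at or above the safe version
# for its track, 1 when below, 2 when the track is not in the table (an
# unknown track is never treated as safe).
is_patched() {
    v=$(normalize_version "$1")
    track=$(echo "$v" | cut -d. -f2)
    if ! min=$(min_safe_for_track "$track"); then
        echo "$v: track $track not in the advisory table, treat as unpatched"
        return 2
    fi
    if version_ge "$v" "$min"; then
        echo "$v is at or above $min: patched"
        return 0
    fi
    echo "$v is below $min: UNPATCHED"
    return 1
}

# Temporary mitigation: insert the DROP at the top of INPUT, then insert the
# trusted ACCEPTs above it. Appending the DROP with -A would leave it below
# any generic ACCEPT already in the chain. These rules do not survive a
# reboot or a CSF restart; persist them in your firewall manager as well.
restrict_panel_ports() {
    for port in $PANEL_PORTS; do
        iptables -I INPUT 1 -p tcp --dport "$port" -j DROP
        for ip in $TRUSTED_ADMIN_IPS; do
            iptables -I INPUT 1 -p tcp --dport "$port" -s "$ip" -j ACCEPT
        done
    done
}

# Only act on a real cPanel host; elsewhere the functions remain callable.
if [ -x /usr/local/cpanel/cpanel ]; then
    /scripts/upcp --force
    if is_patched "$(/usr/local/cpanel/cpanel -V)"; then
        /usr/local/cpanel/scripts/restartsrv_cpsrvd
    else
        restrict_panel_ports
    fi
fi
```

Run it as root; when the post-update build is still below the table, the allowlist goes in and you re-run the check after the next upcp. Because `is_patched` returns 2 for a track the table does not list, a host on a newer or unlisted release falls into the restrict branch rather than being silently assumed safe.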
Post-patch security checklist
Patching stops new abuse of this flaw; it does not undo past compromise. After patching:
- Change root and all WHM/reseller passwords
- Enable two-factor authentication for WHM where available
- Restrict WHM (e.g. port 2087) to trusted IPs
- Review WHM login logs for unfamiliar IPs
- Check /etc/passwd for unexpected UID 0 accounts
- Scan web roots for recently modified suspicious .php files
- Review cron entries for unauthorized jobs
- Audit WHMCS (and other billing) admin users and activity logs
- Ask end users to rotate cPanel passwords and enable 2FA
Signs you may already be compromised
Examples of checks administrators run (adapt paths to your policies):
# Session artifacts
ls -la /var/cpanel/sessions/raw/
# Recent successful WHM logins
tail -500 /usr/local/cpanel/logs/login_log | grep -i success
# Accounts with UID 0 (should normally be only root)
awk -F: '$3 == 0 {print $1}' /etc/passwd
# Recently modified PHP under common docroots (example)
find /home /var/www -name '*.php' -mtime -90 -ls 2>/dev/null | tail -50
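The post-patch checklist and the checks above, as one added script that is not from the page and not cPanel's own tooling. Each check is a function reading from stdin or a directory argument, so the same code runs against the real files on a host and against constructed sample data anywhere else. Assumptions, labelled in the comments: that login_log lines have the approximate shape `[date time tz] info [service] IP - user "request" SUCCESS LOGIN service` (an approximation, not a format specification), that 203.0.113.10 stands in for your trusted admin address, and that the sample log and passwd excerpts are constructed, not real data.

```shell
#!/bin/sh
# Added example, not from the page or from cPanel: the post-patch checks as
# functions that read stdin, so they run against real files on a host and
# against constructed sample data elsewhere.
# Assumption: login_log lines look like
#   [date time tz] info [service] IP - user "request" SUCCESS LOGIN service
# (an approximation). 203.0.113.10 is a placeholder trusted admin address.

TRUSTED_ADMIN_IPS="${TRUSTED_ADMIN_IPS:-203.0.113.10}"

# Constructed sample, not real log data. Line 2 is a WHM root login from an
# address that is not trusted; line 4 is a successful cPanel (not WHM) login.
SAMPLE_LOGIN_LOG='[2026-04-29 02:14:07 -0500] info [whostmgrd] 203.0.113.10 - root "GET /login/?login_only=1 HTTP/1.1" SUCCESS LOGIN whostmgrd
[2026-04-29 03:41:52 -0500] info [whostmgrd] 198.51.100.77 - root "POST /login/ HTTP/1.1" SUCCESS LOGIN whostmgrd
[2026-04-29 03:42:10 -0500] info [cpaneld] 198.51.100.77 - user1 "POST /login/ HTTP/1.1" FAILED LOGIN cpaneld
[2026-04-29 04:00:00 -0500] info [cpaneld] 192.0.2.8 - user2 "POST /login/ HTTP/1.1" SUCCESS LOGIN cpaneld'

# Constructed /etc/passwd excerpt: "sysadm" is a second UID 0 account, the
# persistence trick the checklist warns about.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
sysadm:x:0:0::/root:/bin/bash
user1:x:1001:1001::/home/user1:/usr/local/cpanel/bin/noshell'

# suspicious_whm_logins "ip1 ip2 ...": print successful whostmgrd logins whose
# source address is not in the trusted list. Grepping for "success" alone,
# as in the one-liner above, also lists your own logins; this filters them.
suspicious_whm_logins() {
    awk -v trusted="$1" '
        BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        $5 == "[whostmgrd]" && /SUCCESS LOGIN/ && !($6 in ok) {
            print $6, $8, substr($1, 2), $2
        }'
}

# extra_uid0_accounts: every UID 0 entry that is not root.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# recent_php_files DIR DAYS: .php files modified within the last DAYS days.
recent_php_files() {
    find "$1" -type f -name '*.php' -mtime "-$2" 2>/dev/null
}

if [ -r /usr/local/cpanel/logs/login_log ]; then
    echo "== successful WHM logins from untrusted addresses =="
    suspicious_whm_logins "$TRUSTED_ADMIN_IPS" < /usr/local/cpanel/logs/login_log
    echo "== UID 0 accounts other than root =="
    extra_uid0_accounts < /etc/passwd
    echo "== .php files modified in the last 90 days under /home =="
    recent_php_files /home 90
else
    echo "== demo on constructed sample data =="
    printf '%s\n' "$SAMPLE_LOGIN_LOG" | suspicious_whm_logins "$TRUSTED_ADMIN_IPS"
    printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_accounts
fi
```

On the sample data the first check reports only the 198.51.100.77 root login and the second reports only sysadm; on a real host, every line these print is a lead to chase, not proof of compromise, so pair the login list with your own change records before rotating credentials.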
Conclusion
CVE-2026-41940 is a severe issue for hosting infrastructure: exploitation began well before broad public awareness, and technical detail is now public. Patch first, then audit, rotate credentials, and tighten network access to administrative interfaces.
Subscribe to vendor security channels and keep automatic updates enabled where appropriate. Official documentation and advisories: docs.cpanel.net.