How-to Guides May 13, 2026 Admin

WHMCS 9.0.4 Security Update – How to Patch CVE-2026-29204 on Your IPTV Server

On May 13, 2026, WHMCS released an important security update: version 9.0.4 for the 9.x series and version 8.13.3 for the 8.x series. Both releases address a confirmed security vulnerability, CVE-2026-29204, that affects WHMCS installations from version 7.4.0 onward that have not been patched.

If you run an IPTV reseller business on WHMCS, treat this update as mandatory. Below: what the flaw is, which versions are affected, how to update safely, and confirmation that modules from whmcsmodules.net are compatible with WHMCS 9.0.4.

What is CVE-2026-29204?

CVE-2026-29204 is an authorization vulnerability in the WHMCS Client Area. WHMCS does not sufficiently verify that a logged-in user is allowed to access the resource they request.

Under specific conditions, an authenticated user (someone with a valid client-area login) could abuse the flaw to act on another client account, including:

  • Viewing another client's services and subscription details
  • Accessing invoices and billing data for another account
  • Cancelling or modifying services the attacker does not own
  • Initiating SSO flows under another user's identity

Exploitation requires a valid client session; it is not a blind unauthenticated remote exploit. For IPTV resellers who allow public signups, any registered customer could meet that requirement, which raises the risk profile sharply.

WHMCS published the security advisory on May 12, 2026 and released patched builds on May 13, 2026. Always follow the official WHMCS security announcements and system requirements for your branch.

Which WHMCS versions are affected?

CVE-2026-29204 affects every WHMCS installation from 7.4.0 onward that is not on a patched release.

WHMCS series | Vulnerable versions | Patched version
9.x | 9.0.0 – 9.0.3 | 9.0.4
8.x | 8.0.0 – 8.13.2 | 8.13.3
7.x | 7.4.0 and later | No 7.x patch — upgrade required

If you are on WHMCS 7.x after 7.4.0, you must move to 8.13.3 or 9.0.4 to receive the fix. A 7.x to 8.x or 9.x move is a major upgrade: plan downtime, backups, and review WHMCS update guidance before you start.

WHMCS Cloud: hosted WHMCS Cloud environments are patched by the vendor; confirm in your vendor notice if you are on that platform.
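
If you manage more than one installation, the version ranges above can be applied across an inventory in one pass. The following is an added example, not code from WHMCS or from this site; the hostnames and version strings in INVENTORY are constructed, and the function names are hypothetical.

```python
import re

# Patched releases and the first affected version, as stated in the table above.
PATCHED = {9: (9, 0, 4), 8: (8, 13, 3)}
AFFECTED_FROM = (7, 4, 0)

def parse_version(text):
    """Extract (major, minor, patch), ignoring suffixes such as '-release.1'."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def triage(text):
    """Classify one installation against CVE-2026-29204."""
    v = parse_version(text)
    if v < AFFECTED_FROM:
        return "not affected"
    if v[0] == 7:
        # The 7.x series has no patched build; only a major upgrade fixes it.
        return "vulnerable: no 7.x patch, upgrade to 8.13.3 or 9.0.4"
    fixed = PATCHED.get(v[0])
    if fixed is None:
        return "unknown series: check the vendor advisory"
    if v >= fixed:
        return "patched"
    return "vulnerable: update to " + ".".join(map(str, fixed))

# Constructed inventory for illustration (hostnames and versions are made up).
INVENTORY = {
    "billing-a": "9.0.3-release.1",
    "billing-b": "8.13.3",
    "billing-c": "7.10.2",
    "billing-d": "7.3.0",
    "billing-e": "8.9.0-release.1",
}

def report(inventory):
    """Map each host to its triage result."""
    return {host: triage(version) for host, version in inventory.items()}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```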

Why IPTV resellers should patch immediately

  • High client volume — more active accounts means more potential targets if one account is malicious.
  • Sensitive data — playlists, panel credentials, device identifiers, and payment context often live beside WHMCS service records.
  • Public signups — many IPTV brands allow anyone to register, which satisfies the authenticated-session requirement for abuse.
  • Competitive pressure — rivals can register as clients; do not assume every signup is a buyer.

Schedule the update for today if you are still on an affected build.

How to update to WHMCS 9.0.4 (step by step)

Before you update

1. Back up the database — export a full SQL dump of your WHMCS database and store it off-server.

2. Back up WHMCS files — archive the full installation directory (custom templates, modules, attachments paths) so you can roll back.

3. Pause cron temporarily — disable the WHMCS cron entry so automated jobs do not run mid-upgrade.

Run the update

4. Log in to WHMCS admin.

5. Open Utilities → Update WHMCS.

6. Confirm your current version and that 9.0.4 (or your target patch) is offered.

7. Run the built-in updater and wait for completion (often a few minutes on healthy hosting).

8. Re-enable cron after success.

9. Revisit Utilities → Update WHMCS and confirm the installed version reads 9.0.4.

Updating to WHMCS 8.13.3

The flow matches the 9.0.4 steps: Utilities → Update WHMCS, confirm 8.13.3, then apply. If you lag several minor releases behind, the updater may require intermediate hops; follow the on-screen prompts.

Temporary mitigation (only if you cannot patch yet)

If templates or third-party hooks block an immediate upgrade, community discussions describe a temporary hook-based mitigation around client-area product detail authorization. Treat any hook as short-term only: it does not replace the vendor fix. Search trusted WHMCS community forums for vetted examples, validate code yourself, and remove the hook after you install 9.0.4 or 8.13.3.

What else ships in WHMCS 9.0.4

Beyond CVE-2026-29204, maintenance in the 9.0 line has included items such as Stripe gateway improvements, Nexus cart and session refinements, system health checks for PHP support, activity log handling, and fixes for renewal edge cases on cancelled services. Moving straight to 9.0.4 pulls those cumulative fixes into one jump if you are behind.

For authoritative change detail, use the official WHMCS 9.0 change log and release notes for your edition.

Are whmcsmodules.net modules compatible with WHMCS 9.0.4?

Yes. You can upgrade WHMCS without ripping out your existing whmcsmodules.net installs. Spot-check these popular stacks after any core upgrade:

Provisioning modules

Payment gateways

Addons

If anything behaves oddly after the core upgrade, open a ticket with [email protected] and include your WHMCS version and module name.

After updating — review activity logs

In Utilities → Activity Log, scan for odd patterns from before the patch window:

  • Service views or edits from unexpected IPs
  • Clients touching invoices or products that are not theirs
  • Unusual SSO or login bursts
  • Cancellations that do not match normal support traffic

Rotate admin passwords if you see confirmed abuse, and audit affected client records.
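
The four patterns above can be checked mechanically once log entries are mapped to structured rows. This is an added example, not WHMCS code or the author's. The CSV layout is an assumed normalised export, not the native Activity Log format, and EVENTS_CSV, OWNERS and KNOWN_IPS are constructed sample data.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: normalised client-area events (assumed column layout).
EVENTS_CSV = """date,client_id,ip,action,object_type,object_id
2026-05-10 09:00:00,1,198.51.100.7,view,service,101
2026-05-10 09:01:00,2,203.0.113.9,view,service,101
2026-05-10 09:02:00,2,203.0.113.9,view,invoice,5001
2026-05-10 09:03:00,2,203.0.113.9,cancel,service,101
2026-05-10 09:03:30,2,203.0.113.9,sso,service,202
2026-05-10 09:03:40,2,203.0.113.9,sso,service,202
2026-05-10 09:03:50,2,203.0.113.9,sso,service,202
2026-05-11 10:00:00,1,192.0.2.55,view,invoice,5001
"""
# Constructed ownership map and per-client IP baseline, as you would build
# them from your own billing records and earlier log history.
OWNERS = {("service", 101): 1, ("service", 202): 2, ("invoice", 5001): 1}
KNOWN_IPS = {1: {"198.51.100.7"}, 2: {"203.0.113.9"}}

def review(csv_text, owners, known_ips, burst=3, window=timedelta(minutes=5)):
    """Return (rule, client_id, detail) findings for the patterns listed above."""
    findings, recent = [], defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        cid = int(row["client_id"])
        when = datetime.fromisoformat(row["date"])
        obj = (row["object_type"], int(row["object_id"]))
        owner = owners.get(obj)
        if owner is not None and owner != cid:
            # A client acted on a record that belongs to a different account.
            detail = f"{row['action']} {obj[0]} {obj[1]}"
            findings.append(("foreign_object", cid, detail))
        if row["ip"] not in known_ips.get(cid, set()):
            findings.append(("unexpected_ip", cid, row["ip"]))
        if row["action"] in ("sso", "login", "cancel"):
            key = (cid, row["action"])
            # Keep only events inside the sliding window, then add this one.
            recent[key] = [t for t in recent[key] if when - t <= window] + [when]
            if len(recent[key]) == burst:  # report once, when the threshold is hit
                findings.append((f"{row['action']}_burst", cid, str(when)))
    return findings

if __name__ == "__main__":
    for finding in review(EVENTS_CSV, OWNERS, KNOWN_IPS):
        print(finding)
```

Any foreign_object finding dated before your patch window is the strongest signal to follow up on, since it matches the cross-account access this CVE describes.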

Frequently asked questions

Do I need to update if I use WHMCS Cloud?
No. WHMCS Cloud customers are patched by the vendor; confirm in your account notice if you are unsure.

Does 8.13.3 include the same fix?
Yes — stay on 8.13.3 if you are not ready for 9.x yet.

Must I reinstall whmcsmodules.net modules after 9.0.4?
No reinstall is required for compatibility; only patch WHMCS core unless a module release note says otherwise.

What if I am stuck on WHMCS 7.x?
There is no 7.x security backport for this CVE in the table above — plan an upgrade path to 8.13.3 or 9.0.4 with professional help if needed.

How long does the auto-updater take?
Typically a few minutes on healthy hardware; backups always take longer than the click path and are worth it.

Will active IPTV subscriptions break?
A successful in-place WHMCS upgrade preserves database service records; always verify a test order after major core jumps.

Conclusion

CVE-2026-29204 is a serious client-area authorization issue for WHMCS 7.4.0 and newer until you reach 9.0.4 or 8.13.3. IPTV operators with public signups should treat patching as urgent.

Use Utilities → Update WHMCS, keep backups, then review logs. Your WHMCS modules for IPTV catalog remains aligned with current WHMCS releases — update the core first, then open a support thread if a specific edge case appears.