A critical authentication bypass vulnerability, CVE-2026-41940, has been actively exploited in the wild against cPanel & WHM and WP2 (WordPress Squared), putting approximately 1.5 million internet-exposed hosting servers at risk of complete, unauthenticated takeover.
WebPros has disclosed a maximum-severity authentication bypass vulnerability in its flagship products cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) tracked as CVE-2026-41940.
The flaw carries a CVSS score of 9.8 out of 10, placing it firmly in the critical category, and is classified under CWE-306 (Missing Authentication for Critical Function). According to the National Vulnerability Database (NVD), the flaw affects all cPanel & WHM versions after 11.40, meaning virtually every supported deployment worldwide is affected unless patched.
The vulnerability lies in the login flow and session management, allowing unauthenticated remote attackers to completely bypass authentication and gain unauthorized administrative access to the web hosting control panel.
The flaw was publicly disclosed on April 28, 2026, with CVE assignment confirmed on April 29, 2026, and immediately added to CISA’s Known Exploited Vulnerabilities (KEV) catalog with a remediation due date of May 3, 2026.
Technical Root Cause: CRLF Injection in Session Handling
Security firm watchTowr performed a deep-dive technical analysis and confirmed that CVE-2026-41940 is rooted in a Carriage Return Line Feed (CRLF) injection vulnerability within cPanel’s session loading and saving subsystem. Here is how the attack chain works:
Before any authentication occurs, the cpsrvd (cPanel service daemon) writes a pre-authentication session file to disk. An attacker can manipulate the whostmgrsession cookie by omitting an expected segment of the cookie value, which bypasses the encryption layer that would normally be applied to attacker-controlled data.
The attacker then injects raw \r\n characters via a malicious Basic Authorization header. Because the system writes the session file without sanitizing the input, the attacker can embed arbitrary session properties such as user=root directly into their session file. Upon triggering a reload of that session, the attacker establishes root-level administrative access.
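To make the root cause concrete, the following added example (illustrative code written for this page, not cpsrvd's or any cPanel code) models a line-oriented key=value session store. The file format, the property names (`state`, `user`, `login_attempt`) and the pre-authentication write path are assumptions. It shows why persisting a client-controlled value without filtering carriage return and line feed bytes lets that value grow an extra property when the file is reloaded, and how a hardened writer that refuses control characters closes the hole.

```python
"""
Added example: a toy key=value session store with a vulnerable and a hardened
writer. The format and property names are assumptions for illustration only;
this is not cPanel's session code.
"""
import re
from typing import Callable, Dict

# Assumed format: one "key=value" pair per line, newline terminated.
def load_session(blob: str) -> Dict[str, str]:
    """Parse a session blob. A later duplicate key overwrites an earlier one,
    which is what turns a smuggled 'user=root' line into a privileged session."""
    props: Dict[str, str] = {}
    for line in blob.splitlines():      # splits on '\n' and '\r\n' alike
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value
    return props

def save_session_vulnerable(props: Dict[str, str]) -> str:
    """Writes values verbatim. A value containing '\r\n' becomes a new line,
    and therefore a new property, the next time the file is loaded."""
    return "".join(f"{k}={v}\n" for k, v in props.items())

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")   # CR, LF, NUL, tab, DEL, ...

def save_session_hardened(props: Dict[str, str]) -> str:
    """Refuse to persist any key or value carrying a control character, and any
    key containing the separator. Rejecting beats stripping: a stripped value
    may still be wrong, and the caller is told that the input was tampered with."""
    for k, v in props.items():
        if _CONTROL.search(k) or _CONTROL.search(v) or "=" in k:
            raise ValueError(f"refusing to persist property {k!r}: control character or '=' present")
    return "".join(f"{k}={v}\n" for k, v in props.items())

def preauth_session_from_login(username_header: str,
                               save: Callable[[Dict[str, str]], str]) -> Dict[str, str]:
    """Model of the pre-auth path: the daemon records the submitted username
    before any password check, then reloads the session file it just wrote."""
    pending = {"state": "pre-auth", "user": "", "login_attempt": username_header}
    return load_session(save(pending))

# Constructed sample: a username field that carries a CRLF-separated extra line.
SMUGGLED_USERNAME = "guest\r\nuser=root"

def demo():
    """Returns (user seen by the vulnerable path, outcome of the hardened path)."""
    weak = preauth_session_from_login(SMUGGLED_USERNAME, save_session_vulnerable)
    try:
        preauth_session_from_login(SMUGGLED_USERNAME, save_session_hardened)
        hardened_outcome = "persisted"
    except ValueError:
        hardened_outcome = "rejected"
    return weak.get("user"), hardened_outcome

if __name__ == "__main__":
    print(demo())
```

The vulnerable path reloads the file and finds `user=root`, because the smuggled line sits after the daemon's own empty `user=` line and overwrites it; the hardened path never writes the file at all. The same check belongs on every field that ends up in the session file, not only the username, since any unfiltered field offers the same line break.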
This means exploitation requires no credentials, no special privileges, and no user interaction, making it trivial to weaponize, especially with a public proof-of-concept (PoC) already available from watchTowr.
Zero-Day Exploitation Since February 2026
Perhaps the most alarming aspect of CVE-2026-41940 is its timeline for exploitation. Managed hosting provider KnownHost confirmed, via a Reddit post, that active in-the-wild exploitation began as early as February 23, 2026, over two months before public disclosure.
This means threat actors silently exploited this zero-day against unsuspecting hosting customers for an extended period before a patch was available.
Successful exploitation of CVE-2026-41940 grants an attacker full control over the cPanel host system, including its configurations, databases, and every website managed on the shared hosting environment.
According to the Canadian Centre for Cyber Security, attackers can modify server-wide configurations and potentially compromise all websites hosted on the affected server in a single attack.
A Shodan query by Rapid7 revealed approximately 1.5 million internet-accessible cPanel instances that may be exposed to attacks. Hosting providers, including KnownHost, HostPapa, InMotion, and Namecheap, immediately blocked access to cPanel & WHM TCP ports 2083 and 2087 as an emergency containment measure.
Affected Versions
All cPanel & WHM versions after 11.40 and all WP Squared versions before 136.1.7 are vulnerable. The following fixed versions have been released:
| Product | Fixed Version |
|---|---|
| cPanel & WHM 11.86.0 | 11.86.0.41 |
| cPanel & WHM 11.110.0 | 11.110.0.97 |
| cPanel & WHM 11.118.0 | 11.118.0.63 |
| cPanel & WHM 11.126.0 | 11.126.0.54 |
| cPanel & WHM 11.130.0 | 11.130.0.19 |
| cPanel & WHM 11.132.0 | 11.132.0.29 |
| cPanel & WHM 11.134.0 | 11.134.0.20 |
| cPanel & WHM 11.136.0 | 11.136.0.5 |
| WP Squared (WP2) | 136.1.7 |
If a server is running an unsupported or legacy cPanel version not listed above, it remains vulnerable, and upgrading to a supported release is strongly recommended.
Mitigation
CISA’s BOD 22-01 directive mandates that federal agencies and cloud service operators remediate CVE-2026-41940 by May 3, 2026. For all other organizations, the following actions are strongly advised:
- Patch immediately: upgrade to the fixed cPanel & WHM or WP Squared version listed above.
- Run the detection script published by cPanel to identify signs of compromise on your server.
- Use watchTowr’s Detection Artifact Generator to hunt for exploitation indicators in session files.
- If patching cannot be performed immediately, block ports 2083 and 2087 as a short-term workaround.
- Audit server logs for unusual session activity going back to at least February 23, 2026, the earliest confirmed exploitation date.
- Discontinue use of the product if mitigations cannot be applied, per CISA guidance.
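As an added example of the kind of hunt the last three steps describe (this is illustrative code written for this page, not cPanel's detection script and not watchTowr's Detection Artifact Generator), the scanner below walks a directory of line-oriented key=value session files modified on or after February 23, 2026 and flags three artifacts a smuggled property would leave behind. The file format, the property names (`state`, `user`) and the session directory path are assumptions; adjust them to the real layout before relying on the output.

```python
"""
Added example: heuristic scan of session files for CRLF-smuggling residue.
File format, property names and directory are assumptions for illustration.
"""
import os
from datetime import datetime, timezone
from typing import Dict, List

PRIVILEGED_USERS = {"root"}
EARLIEST_KNOWN_EXPLOITATION = datetime(2026, 2, 23, tzinfo=timezone.utc)
ASSUMED_SESSION_DIR = "/var/cpanel/sessions/raw"   # assumption, verify locally

def scan_session_text(name: str, text: str) -> List[str]:
    """Return a list of findings for one session file's contents."""
    findings: List[str] = []
    # 1. A bare CR: when a writer splits on '\n' only, an injected '\r\n'
    #    leaves '\r' dangling at the end of the line before the smuggled one.
    if "\r" in text:
        findings.append(f"{name}: carriage return byte inside session data")
    seen: Dict[str, int] = {}
    props: Dict[str, str] = {}
    for raw in text.split("\n"):
        line = raw.rstrip("\r")
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        seen[key] = seen.get(key, 0) + 1
        props[key] = value                      # last occurrence wins, as a loader would
    # 2. The same property written twice in one file.
    for key, count in seen.items():
        if count > 1:
            findings.append(f"{name}: property {key!r} appears {count} times")
    # 3. A session still marked pre-auth that already names a privileged user.
    if props.get("state") == "pre-auth" and props.get("user") in PRIVILEGED_USERS:
        findings.append(f"{name}: pre-auth session claims user {props['user']!r}")
    return findings

def scan_directory(path: str = ASSUMED_SESSION_DIR,
                   since: datetime = EARLIEST_KNOWN_EXPLOITATION) -> List[str]:
    """Scan every regular file under `path` modified on or after `since`."""
    findings: List[str] = []
    for entry in os.scandir(path):
        if not entry.is_file():
            continue
        mtime = datetime.fromtimestamp(entry.stat().st_mtime, tz=timezone.utc)
        if mtime < since:
            continue
        # newline="" keeps '\r' bytes intact instead of translating them
        with open(entry.path, "r", encoding="utf-8", errors="replace", newline="") as fh:
            findings.extend(scan_session_text(entry.name, fh.read()))
    return findings

# Constructed samples standing in for files on disk.
SAMPLES = {
    "sess_clean": "state=authenticated\nuser=alice\n",
    "sess_suspect": "state=pre-auth\nuser=\nlogin_attempt=guest\r\nuser=root\n",
}

def demo() -> Dict[str, List[str]]:
    """Scan the constructed samples; returns findings per sample name."""
    return {name: scan_session_text(name, text) for name, text in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits or "clean")
```

Treat any hit as a reason to pull the file and the surrounding access logs for that client, not as proof on its own: duplicate keys or a stray carriage return can also come from a buggy client, but a pre-authentication session that already names root has no benign explanation.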
FAQ
Q1: What is CVE-2026-41940?
It is a critical (CVSS 9.8) authentication bypass vulnerability in cPanel & WHM and WP2 that lets unauthenticated remote attackers gain full administrative access via CRLF injection in the session management process.
Q2: Is CVE-2026-41940 being actively exploited?
Yes, exploitation has been confirmed in the wild since at least February 23, 2026, two months before public disclosure, with a public PoC now further lowering the exploitation barrier.
Q3: Which versions of cPanel are affected?
All cPanel & WHM versions after 11.40 are affected; users must upgrade to the vendor-supplied fixed versions, with WP Squared users needing version 136.1.7 or later.
Q4: How many servers are exposed to CVE-2026-41940?
A Shodan search identified approximately 1.5 million internet-accessible cPanel instances that may be vulnerable to this authentication bypass attack.