cPanel and WHM administrators face a new wave of high‑severity vulnerabilities that affect multiple supported branches, including recent WP Squared builds, with at least one bug already weaponized in the wild and others opening the door to header injection, man‑in‑the‑middle attacks, code execution, and privilege escalation if left unpatched.
Immediate patching and hardening of DNS clusters, AutoSSL, and authentication paths is now critical to prevent compromise of shared hosting infrastructure at scale.
cPanel has released a coordinated set of May 2026 security updates addressing multiple CVEs across cPanel & WHM and WP Squared (WP2), including CVE‑2026‑29201, CVE‑2026‑29202, CVE‑2026‑29203, CVE‑2026‑29205, CVE‑2026‑29206, CVE‑2026‑32991, CVE‑2026‑32992, and CVE‑2026‑32993.
These flaws affect a broad range of versions (86, 94, 102, 110, 118, 124, 126, 130, 132, 134, and 136, including specific CloudLinux and WP2 builds), making this one of the most wide‑ranging cPanel security rollups in recent memory.
Security advisories and hosting‑provider alerts note that several of the issues are rated High to Critical, with CVSS scores up to 8.8 for some local‑to‑remote escalation paths, and at least one earlier cPanel issue (CVE‑2026‑41940) confirmed as a zero‑day exploited since February 2026.
Hosting providers have responded by fast‑tracking patch deployments and, in some cases, temporarily restricting access to management ports to buy time for mitigation.
New cPanel May 2026 Patch
CVE‑2026‑32993 is a newly disclosed high‑severity flaw in the cpsrvd component that allows arbitrary HTTP header injection into responses via an unauthenticated endpoint.
According to public CVE data, improper sanitization of the status query parameter in the unproallowsed/nova_error endpoint lets an unauthenticated attacker supply crafted values that are reflected as headers in the server’s response.
In practice, this can enable cache poisoning, HTTP response splitting, or complex redirect chains, and it may act as a powerful building block in attack chains against upstream proxies, WAFs, or Single Sign‑On frontends.
Because the endpoint is unauthenticated and exposed via cpsrvd, mass scanning and opportunistic exploitation are realistic threats if administrators delay patching.
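The bug class behind CVE‑2026‑32993 is CRLF injection into a reflected header value, and the defensive side has two parts: the response builder must refuse any value that is not a legal header value, and the access logs for the unauthenticated endpoint should be checked for URL‑encoded control characters in the query string. The example below is added here and is not cPanel's code (cpsrvd is Perl; this is a Python illustration). The log lines are constructed, their Apache‑style layout is an assumption rather than cpsrvd's real format, and the watched path is the endpoint name as printed in this article, to be confirmed against the vendor advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit


def has_control_chars(value: str) -> bool:
    """True if `value` contains CR, LF or any other control character
    (HTAB excepted), i.e. anything that could split an HTTP header line."""
    return any((ord(c) < 0x20 and c != "\t") or ord(c) == 0x7F for c in value)


def is_safe_header_value(value: str) -> bool:
    """RFC 7230 field-value: HTAB, visible ASCII and obs-text (0x80-0xFF) only."""
    return not has_control_chars(value) and all(ord(c) <= 0xFF for c in value)


def reflect_status_header(status: str) -> str:
    """Hardened reflection of a query parameter into a response header.
    A naive implementation that interpolated `status` unchecked is the bug
    class described above; this one refuses anything that is not a legal value."""
    if not is_safe_header_value(status):
        raise ValueError("status is not a legal header value; refusing to emit it")
    return f"X-Error-Status: {status}\r\n"


# Apache combined-style request line; assumed format for the constructed sample
# below, not a claim about cpsrvd's real log layout.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<code>\d{3}) \S+'
)


def flag_header_injection_attempts(lines, watched_paths):
    """Return entries whose request hit a watched unauthenticated path with a
    control character in any query-parameter value after URL decoding."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path not in watched_paths:
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                if has_control_chars(value):
                    hits.append({
                        "ip": m.group("ip"),
                        "path": parts.path,
                        "param": name,
                        "decoded_value": value,
                        "status": m.group("code"),
                    })
    return hits


# Constructed sample lines (not real traffic). The path is the one printed in
# the article; confirm the exact endpoint against the vendor advisory.
WATCHED_PATHS = {"/unproallowsed/nova_error"}
SAMPLE_LOG = [
    '203.0.113.10 - - [13/May/2026:10:15:02 +0000] "GET /unproallowsed/nova_error?status=ok HTTP/1.1" 200 512',
    '203.0.113.11 - - [13/May/2026:10:15:07 +0000] "GET /unproallowsed/nova_error?status=x%0d%0aX-Test:%201 HTTP/1.1" 200 519',
    '198.51.100.5 - - [13/May/2026:10:16:30 +0000] "GET /login/?user=alice HTTP/1.1" 200 1200',
    '203.0.113.12 - - [13/May/2026:10:17:01 +0000] "GET /unproallowsed/nova_error?status=%0A HTTP/1.1" 200 500',
]


def demo():
    """Run the detector over the constructed sample; two of the four lines are flagged."""
    return flag_header_injection_attempts(SAMPLE_LOG, WATCHED_PATHS)
```

Decoding before checking matters: a WAF or log search that only looks for literal CR/LF will miss `%0d%0a`, and the check has to cover every parameter on the endpoint, not just the one named in the advisory.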
CVE‑2026‑32992 stems from insufficient SSL verification in the DNS Cluster system, where SSL checks were not fully enforced for cluster peers.
The cPanel advisory notes that this weakness could allow a malicious server, or an attacker who can coerce DNS‑cluster traffic through a rogue node, to perform a man‑in‑the‑middle attack and capture credentials used for inter‑node communication.
In a typical hosting environment, DNS clusters synchronize zone data and often store privileged API tokens or passwords, so interception at this layer can escalate to full control over DNS records and downstream services.
This makes CVE‑2026‑32992 particularly dangerous for multi‑server deployments that rely heavily on automated DNS replication across regions or providers.
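"SSL checks not fully enforced" usually comes down to one of two settings being off: certificate chain verification, or matching the certificate to the peer's name. A client that verifies the chain but skips the hostname match still accepts any valid certificate presented by a rogue node. The following is an added illustration in Python's ssl module, not cPanel's DNS cluster code (which is Perl); the three modes and the audit function are the example's own construction.

```python
import ssl


def make_peer_tls_context(mode: str = "full") -> ssl.SSLContext:
    """Client context for talking to a DNS-cluster peer.
    mode: "none"      - no certificate check at all (the weak configuration)
          "cert_only" - chain verified, but hostname not matched to the cert
          "full"      - chain verified and hostname matched (the corrected form)
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if mode == "none":
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    elif mode == "cert_only":
        ctx.check_hostname = False          # any valid cert for any name passes
        ctx.verify_mode = ssl.CERT_REQUIRED
    elif mode == "full":
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return ctx


def audit_peer_tls_context(ctx: ssl.SSLContext) -> list:
    """List the settings that would let a rogue node sit between two peers."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: peer certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched to the peer name")
    return findings
```

For inter-node traffic that carries API tokens, the "full" mode is the minimum; pinning the peer's CA or certificate on top of it removes the dependency on the public CA set entirely.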
The May 8, 2026, advisory highlighted three closely related vulnerabilities, CVE‑2026‑29201, CVE‑2026‑29202, and CVE‑2026‑29203, that enable arbitrary file reads, code execution, and privilege escalation via unsafe input validation and symlink handling.
cPanel describes CVE‑2026‑29201 as insufficient validation of the feature file name parameter in the feature::LOADFEATUREFILE adminbin call, which a privileged user can abuse to read arbitrary files.
CVE‑2026‑29202 is more severe: inadequate validation of the plugin parameter in the create_user API can result in arbitrary Perl code execution under the context of the authenticated system user, effectively turning misconfigured or compromised accounts into a pivot for lateral movement.
CVE‑2026‑29203 is an unsafe symlink handling bug that allows a user to manipulate file permissions via chmod, causing denial‑of‑service or privilege escalation by targeting critical system paths.
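The defensive pattern for a privileged chmod on a user-supplied path is to refuse symlinks at the kernel level and to perform the ownership check and the permission change on the same open file descriptor, so the path cannot be swapped between the two. The example below is added here and is not cPanel's code; the file names and the temporary directory are a constructed scenario, and `safe_chmod` and `naive_chmod` are the example's own functions.

```python
import errno
import os
import stat
import tempfile


def safe_chmod(path: str, mode: int, expected_uid: int) -> None:
    """Change permissions on `path` only if it is not a symlink and is owned
    by `expected_uid`. The check and the chmod act on the same descriptor."""
    try:
        # O_NOFOLLOW makes the kernel refuse to open a symbolic link itself.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):
            raise PermissionError(f"refusing to chmod through symlink: {path}") from exc
        raise
    try:
        st = os.fstat(fd)
        if not (stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode)):
            raise PermissionError(f"not a regular file or directory: {path}")
        if st.st_uid != expected_uid:
            raise PermissionError(f"owner {st.st_uid} != expected {expected_uid}: {path}")
        os.fchmod(fd, mode)
    finally:
        os.close(fd)


def naive_chmod(path: str, mode: int) -> None:
    """The unsafe pattern: os.chmod follows symlinks, so a link planted by a
    user redirects the permission change onto whatever it points at."""
    os.chmod(path, mode)


def demo() -> dict:
    """Constructed scenario: a 'critical' file and a user-planted symlink to it."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "critical.conf")   # stands in for a system path
        link = os.path.join(d, "user_link")         # user-controlled name
        with open(target, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(target, 0o640)
        os.symlink(target, link)
        uid = os.getuid()

        # Naive: the link is followed and the target's mode changes.
        naive_chmod(link, 0o666)
        naive_target_mode = stat.S_IMODE(os.stat(target).st_mode)
        os.chmod(target, 0o640)  # restore before the safe attempt

        # Safe: the link is refused and the target is untouched.
        try:
            safe_chmod(link, 0o666, uid)
            safe_refused = False
        except PermissionError:
            safe_refused = True
        safe_target_mode = stat.S_IMODE(os.stat(target).st_mode)

        # Legitimate use on the real path still works.
        safe_chmod(target, 0o600, uid)
        direct_mode = stat.S_IMODE(os.stat(target).st_mode)

    return {
        "naive_target_mode": naive_target_mode,
        "safe_refused": safe_refused,
        "safe_target_mode": safe_target_mode,
        "direct_mode": direct_mode,
    }
```

A `lstat` check before `os.chmod` is not enough on its own: the link can be created between the two calls. Opening with `O_NOFOLLOW` and using `fchmod` closes that window.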
Additional vulnerabilities, including CVE‑2026‑29205 and CVE‑2026‑29206, are covered in the May 13 roll‑up and are mentioned in both cPanel’s advisory and third‑party summaries as contributing to privilege escalation risk across multiple supported branches.
These issues have prompted external CSIRTs and national CERTs to issue warnings urging immediate patching, citing the potential for exploitation if the bugs are chained with other local weaknesses.
Community discussions have already raised concerns about the completeness of some fixes, with at least one public thread questioning whether the CVE‑2026‑29205 patch fully addresses the underlying flaw and highlighting continued testing by security researchers.
For defenders, this underscores the importance of not only applying vendor updates but also tracking follow‑up advisories and regression fixes over the coming days.
While not part of the May 13 bundle, CVE‑2026‑41940 remains central to the context for why the cPanel ecosystem is under heightened scrutiny.
This authentication bypass bug in cPanel & WHM’s session loading logic was disclosed on April 28 with a CVSS score of 9.8, after being exploited as a zero‑day since at least February 23, 2026, to deploy Mirai variants and a ransomware strain dubbed “Sorry.”
Researchers showed that upon a failed login, cPanel would write a pre‑authentication session file to disk; by injecting specific characters via the Authorization header and manipulating cookies, an attacker could force attacker‑controlled credentials into that file and reload it to gain authenticated access.
This zero‑day affected all currently supported cPanel & WHM versions until patched builds (such as 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5) were released.
The combined effect of CVE‑2026‑32993, CVE‑2026‑32992, the CVE‑2026‑2920x group, and CVE‑2026‑41940 represents a significant expansion of attack surface on shared hosting and managed WordPress platforms built on cPanel.
From a threat‑model perspective, attackers can target unauthenticated endpoints for header injection, abuse weakened SSL checks in DNS clusters, exploit local feature and plugin APIs, and, in some cases, bypass authentication entirely to seize control of management planes.
Because cPanel powers a large fraction of internet‑facing websites, and Shodan scans have surfaced roughly 1.5 million internet‑accessible instances, even a small percentage of unpatched systems could translate into large‑scale compromise campaigns.
For tenants, that risk materializes as website defacement, credential theft, email abuse (spam and phishing), DNS hijacking, and deployment of botnet or ransomware payloads across shared infrastructure.
Patch and Mitigation
cPanel strongly recommends upgrading to the latest fixed builds across all branches, including specific patched tracks like 11.94.0.30, 11.86.0.43, and WP Squared 136.1.7 or later, as well as newer 11.110.x, 11.118.x, 11.126.x, 11.132.x, 11.134.x, and 11.136.x releases where the relevant CVEs are addressed.
National advisories echo this message, explicitly listing vulnerable version ranges (for example, 11.136.0.8 and lower, 11.134.0.24 and lower, 11.132.0.30 and lower, and 11.130.0.21 and lower) and urging immediate patching.
Beyond patching, administrators should enforce strict TLS verification in DNS clusters, disable or tightly control unneeded plugins and feature files, monitor for suspicious symlink activity, and audit cpsrvd and WHM access logs for anomalies around unauthenticated endpoints.
Hosting providers are also advised to temporarily restrict access to WHM/cPanel ports from the public internet, using VPNs or management bastions to reduce attack surface while patching is in progress.
FAQ
Q1. Which cPanel versions are affected by these May 2026 vulnerabilities?
Most supported cPanel & WHM branches from 86 through 136, including certain CloudLinux and WP2 builds, are affected and require updates to the latest patched releases.
Q2. Have any of the cPanel vulnerabilities been exploited as a zero‑day?
Yes, CVE‑2026‑41940 was exploited as a zero‑day authentication bypass from at least February 2026 to deploy botnet and ransomware payloads before disclosure.
Q3. How critical is CVE‑2026‑32992 in the DNS Cluster system?
CVE‑2026‑32992 is high‑risk because weak SSL verification in DNS clusters can enable man‑in‑the‑middle attacks and credential theft across synchronized DNS infrastructure.
Q4. What should administrators do immediately to mitigate these issues?
Administrators should upgrade to the latest cPanel & WHM builds, enforce proper TLS verification, restrict management access, and monitor for suspicious activity in cpsrvd, WHM, and DNS cluster logs.
Site: thecybrdef.com