
What Happened?
A dangerously simple authentication bypass vulnerability has been discovered in cPanel & WHM, the control panel software powering millions of web hosting servers worldwide. Security researchers have confirmed that unauthenticated attackers can remotely gain full administrative control over vulnerable servers without ever needing a username or password.
The vulnerability, officially indexed as CVE-2026-41940, resides in how the software processes session management requests. By inserting carefully crafted newline characters into authentication calls, attackers can effectively fool the system into granting them root-level privileges.
The Worst Part: It’s Already Being Exploited
Here’s what makes this alert urgent — this wasn’t a quiet discovery. Threat actors have been actively exploiting this flaw since late February 2026, nearly two full months before the public received any warning. Security firms have observed automated scanning campaigns attempting to identify exposed cPanel installations across the internet.
Proof-of-concept exploit code has since been released publicly, meaning even low-skilled attackers can now compromise unpatched servers with minimal effort.
Who Is Affected?
If your server runs one of the cPanel & WHM branches below at a version older than the listed minimum safe release, it is vulnerable. Anything at or above the minimum safe version for its branch carries the fix:
| Version Branch | Minimum Safe Version |
|---|---|
| 11.86 | 11.86.0.41 |
| 11.110 | 11.110.0.97 |
| 11.118 | 11.118.0.63 |
| 11.126 | 11.126.0.54 |
| 11.130 | 11.130.0.19 |
| 11.132 | 11.132.0.29 |
| 11.134 | 11.134.0.20 |
What Attackers Can Do After Exploitation
Once an attacker successfully triggers this vulnerability, they gain unfiltered access to the WebHost Manager interface with full root capabilities. From there, they can:
- View and modify every website hosted on the server
- Extract all customer databases and email accounts
- Install backdoors, cryptocurrency miners, or ransomware
- Use the compromised server as a launchpad to attack other systems
- Disable security software and erase audit logs to cover their tracks
For shared hosting providers, the damage multiplies — a single compromised server can expose thousands of individual customers simultaneously.
Your Action Plan — Do This Today
Step One: Patch Immediately
Log into your server via SSH as root and run:

```sh
/scripts/upcp --force
```

After the update completes, restart the cPanel services and confirm that the installed version is at or above the minimum safe release for its branch in the table above. A version below that line means the update did not land and the server is still exposed.
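The version check is easy to get wrong by eye (11.126.0.54 and 11.126.0.45 look alike at a glance), so here is a small shell helper, added as an example and not cPanel's own tooling, that compares the installed version against the minimum safe releases in the table above. It assumes the usual dotted cPanel version format and that the live version can be read from /usr/local/cpanel/version; /scripts/restartsrv_cpsrvd is cPanel's own script for restarting the cpsrvd service.

```shell
#!/bin/sh
# Added example: decide whether an installed cPanel & WHM version is at or
# above the minimum safe release for its branch (table from the advisory).
# Not cPanel's own tooling. Assumes the version string has the usual
# MAJOR.BRANCH.MINOR.BUILD form (e.g. 11.126.0.54) and that the installed
# version can be read from /usr/local/cpanel/version.

# Branch -> minimum safe version, one pair per line (from the advisory table).
MIN_SAFE='
11.86  11.86.0.41
11.110 11.110.0.97
11.118 11.118.0.63
11.126 11.126.0.54
11.130 11.130.0.19
11.132 11.132.0.29
11.134 11.134.0.20
'

# version_ge A B: exit 0 if dotted version A >= B, comparing field by field
# numerically (so 11.126.0.54 > 11.126.0.9, unlike a plain string compare).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# safe_status VERSION: prints "patched", "vulnerable" or "unknown-branch".
# A branch missing from the table is reported separately rather than assumed
# safe; treat it as unpatched until you have confirmed otherwise.
safe_status() {
    v="$1"
    branch=$(printf '%s\n' "$v" | cut -d. -f1,2)
    min=$(printf '%s\n' "$MIN_SAFE" | awk -v b="$branch" '$1 == b { print $2 }')
    if [ -z "$min" ]; then
        echo unknown-branch
    elif version_ge "$v" "$min"; then
        echo patched
    else
        echo vulnerable
    fi
}

# check_installed: read the live version file and report its status.
check_installed() {
    f=/usr/local/cpanel/version
    if [ ! -r "$f" ]; then
        echo "cannot read $f" >&2
        return 1
    fi
    v=$(tr -d '[:space:]' < "$f")
    echo "$v: $(safe_status "$v")"
}

# patch_and_verify: the whole step as typed on the server (needs root):
# update, restart cpsrvd, then confirm the version actually moved.
patch_and_verify() {
    /scripts/upcp --force && /scripts/restartsrv_cpsrvd && check_installed
}
```

On a server, source the file and run `patch_and_verify`; on a workstation you can feed `safe_status` the version string from a fleet inventory to find hosts that still need attention.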
Step Two: If You Cannot Patch Right Away
Configure your firewall to block external access to these critical ports. Allow connections only from your trusted IP addresses:
- 2082 and 2083 (cPanel HTTP/HTTPS)
- 2086 and 2087 (WHM HTTP/HTTPS)
- 2095 and 2096 (Webmail)
Be aware: Some researchers have suggested the vulnerability might also be reachable through standard port 443 via proxy configurations. Firewalling the management ports reduces risk but is not a complete solution.
Step Three: Check for Signs of Breach
cPanel has released an official detection script. Run it to scan session files located in /var/cpanel/sessions/. Watch for these suspicious indicators:
- Session files showing both “token denied” errors and valid security tokens together
- Session records from unauthenticated users that contain authenticated user attributes
- Any session showing two-factor verification without proper origin validation
Step Four: If You Discover Evidence of Compromise
Take these actions immediately:
- Patch first, then clear all active session files from /var/cpanel/sessions/ (clearing sessions on an unpatched server only forces the attacker to re-exploit)
- Force password changes for root and all WHM user accounts
- Review system cron jobs, SSH authorized keys, and startup scripts for persistence mechanisms
- Examine /var/log/wtmp and the WHM access logs for unknown IP addresses
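For the last of those steps, here is an added shell example (not cPanel's own tooling, and no substitute for the official session-file detection script) that summarises every source address in a cPanel/WHM access log that is not on your trusted list, with hit counts and the account it acted as. It assumes the Apache-style log format cPanel writes to /usr/local/cpanel/logs/access_log, with the client IP in the first field and the authenticated user in the third; the sample lines in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example: list source addresses in a cPanel/WHM access log that are
# not on a trusted list, with hit counts and the account they acted as.
# Not cPanel's own tooling. Assumes the Apache-style format of
# /usr/local/cpanel/logs/access_log (client IP first, authenticated user
# third); the sample lines in demo() are constructed.

# untrusted_sources LOG TRUSTED [TRUSTED...]: print "COUNT IP USER" for every
# (ip, user) pair whose ip is not on the trusted list, busiest first.
untrusted_sources() {
    log="$1"; shift
    trusted=$(printf '%s ' "$@")
    awk -v trusted="$trusted" '
        BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        !($1 in ok) { hits[$1 " " $3]++ }
        END { for (k in hits) print hits[k], k }
    ' "$log" | sort -rn
}

# recent_logins_from WTMP: unique source IPs recorded in a wtmp file (util-linux
# last, -i prints addresses instead of hostnames), for cross-checking against
# the access log. Needs a real wtmp file, e.g. /var/log/wtmp.
recent_logins_from() {
    last -i -f "$1" | awk 'NF >= 3 && $3 ~ /^[0-9]+\./ { print $3 }' | sort -u
}

# demo: run untrusted_sources over constructed sample lines. 203.0.113.10 is
# the trusted admin; 198.51.100.77 drove the WHM API as root from a script,
# and 192.0.2.5 only hit the login page.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
203.0.113.10 - root [15/04/2026:09:12:01 -0000] "GET /cpsess1111111111/ HTTP/1.1" 200 0 "" "Mozilla/5.0"
198.51.100.77 - root [15/04/2026:09:14:33 -0000] "GET /cpsess2222222222/json-api/listaccts HTTP/1.1" 200 0 "" "python-requests/2.31"
198.51.100.77 - root [15/04/2026:09:14:35 -0000] "POST /cpsess2222222222/scripts/addpkg HTTP/1.1" 200 0 "" "python-requests/2.31"
203.0.113.10 - root [15/04/2026:10:00:00 -0000] "GET /cpsess1111111111/ HTTP/1.1" 200 0 "" "Mozilla/5.0"
192.0.2.5 - - [15/04/2026:11:02:09 -0000] "GET /login/ HTTP/1.1" 401 0 "" "curl/8.0"
EOF
    untrusted_sources "$tmp" 203.0.113.10
    rm -f "$tmp"
}
```

On a live server run `untrusted_sources /usr/local/cpanel/logs/access_log <your admin IPs>` and compare the result with `recent_logins_from /var/log/wtmp`; an address that appears as root in the access log but never in wtmp is exactly the pattern a web-side authentication bypass leaves behind, since no SSH or console login ever happened.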
How Widespread Is the Risk?
Internet scanning platforms reveal a sobering reality. Shodan shows approximately 1.5 million cPanel instances publicly accessible. Censys returns over 1.1 million unique hosts and more than 6.7 million associated web properties.
The good news? A small number of large hosting providers — including GoDaddy, Bluehost, Oracle Cloud, OVH, and Liquid Web — manage nearly half of all exposed cPanel servers. Their patching speed will significantly influence the overall threat landscape.
What Security Companies Are Doing
Major players have already responded:
- Cloudflare deployed an emergency Web Application Firewall rule specifically targeting exploitation attempts
- Assetnote released a high-accuracy scanner that avoids account lockout mechanisms
- WatchTowr published detection tools and verification scripts on GitHub
Final Warning
This is not a theoretical vulnerability. It has a CVSS base score of 9.8 out of 10 — classified as Critical. Active exploitation is confirmed. Public exploit code is available. Every hour your server remains unpatched increases the probability of compromise.
Do not wait for a scheduled maintenance window. Patch now.