CVE-2026-41940: cPanel's 2-Month Zero-Day Authentication Bypass
On April 28, 2026, cPanel released an emergency security update for a flaw to which it assigned the identifier CVE-2026-41940. It carries a CVSS score of 9.8, Critical, and affects every supported version of cPanel and WebHost Manager (WHM).
That number doesn't communicate what makes this vulnerability worth a separate writeup. Three things do:
- It had been actively exploited as a zero-day since at least February 23, 2026 — over two months before cPanel published the advisory.
- It bypasses authentication entirely. No credentials needed, no user interaction, just a single crafted HTTP request.
- There are roughly 1.5 to 2 million cPanel instances exposed to the internet according to Shodan and Eye Security. Every one of them was vulnerable.
This is the kind of vulnerability ransomware operators describe as "ideal initial access". Whether or not we ultimately see ransomware campaigns publicly attributed to this CVE, the lessons it teaches matter for every business running anything more complex than a static site.
At a glance
| Field | Value |
|---|---|
| CVE ID | CVE-2026-41940 |
| CVSS v3.1 | 9.8 Critical · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-306: Missing Authentication for Critical Function |
| First exploited in the wild | February 23, 2026 |
| Public disclosure | April 28, 2026 (≈ 2-month zero-day) |
| Affected | cPanel & WHM v11.40 onward; WP Squared up to 136.1.7 |
| Internet exposure | 1.5–2 million cPanel instances |
| CISA KEV listed | Yes |
What CVE-2026-41940 actually is
The bug is technically a CRLF injection — short for Carriage Return Line Feed injection — in the way cPanel handles its whostmgrsession cookie during login.
The exploitable chain looks roughly like this:
- The attacker triggers a deliberately failed login. cPanel issues a "preauth" session cookie in response.
- The attacker manipulates that cookie to remove the encryption portion, leaving only the session identifier.
- The attacker then sends a follow-up request with an HTTP Basic Authorization header containing carefully placed `\r\n` characters in the password field.
- Because encryption was disabled in step 2, those raw newline characters get written directly into the session file on disk, splitting the password value into multiple "fields" that look legitimate to cPanel.
- The attacker triggers a cache regeneration by sending a request with a deliberately invalid security token. cPanel rebuilds the session cache from the poisoned raw file.
- The session now contains forged properties: `hasroot=1`, `successful_internal_auth_with_timestamp`, `user=root`. cPanel treats subsequent requests from this session as those of a legitimately authenticated root user.
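To make the mechanism concrete, here is an added toy model of the write-and-rebuild path (example code written for this article, not cPanel's code and not from watchTowr's writeup). It assumes the raw session file is a newline-separated list of `key=value` lines, stands in for the cookie's encryption with hex encoding, and uses a constructed payload; the forged property names are the ones from the writeup, their `=1` values are an assumption. The flawed writer is shown beside a hardened one that refuses control characters and never lets client input switch encryption off.

```python
import re

# Forged session properties named in the writeup. The "=1" values are an
# assumption about how cPanel encodes these flags, not taken from the advisory.
FORGED_LINES = "hasroot=1\r\nsuccessful_internal_auth_with_timestamp=1\r\nuser=root"

# Constructed Basic Auth password: a throwaway value, then CRLF, then the forged
# lines. This is the shape of the attack, not the published payload.
ATTACKER_PASSWORD = "wrong\r\n" + FORGED_LINES

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def parse_session(raw: bytes) -> dict[str, str]:
    """Cache rebuild: parse the raw file as newline-separated key=value lines
    (assumed layout). A trailing CR is tolerated and a later key overrides an
    earlier one, which is exactly what lets injected CRLF turn one value into
    several trusted fields."""
    pairs = (ln.rstrip("\r").partition("=") for ln in raw.decode("utf-8", "replace").split("\n"))
    return {k: v for k, sep, v in pairs if sep}


def write_session_vulnerable(fields: dict[str, str], encrypt: bool) -> bytes:
    """Models the flawed writer. With the cookie's encryption portion present the
    values are stored opaquely (hex here, standing in for real encryption), so
    raw CRLF never reaches the file; with it stripped, values go to disk verbatim."""
    encode = (lambda v: v.encode().hex()) if encrypt else (lambda v: v)
    return "".join(f"{k}={encode(v)}\n" for k, v in fields.items()).encode("utf-8")


def write_session_hardened(fields: dict[str, str]) -> bytes:
    """Hardened writer: reject control characters (CR, LF, NUL, ...) in keys and
    values and the separator in keys, and always encrypt. Whether storage is
    encrypted is no longer something the client's cookie can decide."""
    for k, v in fields.items():
        if CONTROL_CHARS.search(k) or CONTROL_CHARS.search(v) or "=" in k:
            raise ValueError(f"refusing to store session field {k!r}: control character or separator")
    return write_session_vulnerable(fields, encrypt=True)


def is_authenticated_root(session: dict[str, str]) -> bool:
    """The later check that grants access: does the session claim an authenticated root?"""
    return (session.get("hasroot") == "1"
            and session.get("user") == "root"
            and "successful_internal_auth_with_timestamp" in session)


def run_chain(encrypt: bool) -> dict[str, str]:
    """Steps 1-5 of the chain for a given encryption state: a preauth session is
    written with the attacker's password, then the cache is rebuilt from it."""
    preauth = {"state": "preauth", "user": "nobody", "pass": ATTACKER_PASSWORD}
    return parse_session(write_session_vulnerable(preauth, encrypt))


if __name__ == "__main__":
    print("encryption stripped ->", "ROOT" if is_authenticated_root(run_chain(False)) else "no access")
    print("encryption intact   ->", "ROOT" if is_authenticated_root(run_chain(True)) else "no access")
    try:
        write_session_hardened({"state": "preauth", "user": "nobody", "pass": ATTACKER_PASSWORD})
    except ValueError as e:
        print("hardened writer     ->", e)
```

The two fixes in the hardened writer are independent and both matter: rejecting control characters closes the CRLF primitive, and refusing to let a client-supplied cookie decide whether values are stored encrypted removes the step 2 downgrade that made the primitive reachable in the first place.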
The end result: full administrative control over the cPanel host, every customer account it manages, every database, every website. From there an attacker can install backdoors, exfiltrate credentials, pivot into customer infrastructure, or — yes — deploy ransomware.
Timeline — and what it tells us
Reconstructing the public timeline from cPanel, watchTowr Labs, Help Net Security, and the affected hosting providers:
- February 23, 2026 — Earliest confirmed in-the-wild exploitation observed by a managed cPanel host (KnownHost). Likely earlier than this in reality.
- Mid-April 2026 — A researcher reportedly disclosed the issue to cPanel approximately two weeks before the public advisory. cPanel's initial response was reportedly that there was no issue.
- April 28, 2026 — cPanel publishes TSR 40073787579671 and ships patched builds for all eight supported version tracks.
- April 28, 2026 (within hours) — Major hosting providers including Namecheap, KnownHost, HostPapa, InMotion, and hosting.com block cPanel/WHM/Webmail ports at the network edge until customer servers can be patched.
- April 29, 2026 — NVD publishes the canonical CVE record. The Canadian Centre for Cyber Security issues alert AL26-008. CISA adds the CVE to its Known Exploited Vulnerabilities catalog.
- April 30, 2026 — Detailed technical writeup published by watchTowr Labs. Several detection tools (Rapid7, Searchlight Cyber) ship signatures.
Two months between exploitation and disclosure is a long zero-day for a vulnerability this widely deployed. It also means anyone running cPanel needs to assume their server may have been touched, even if they patched the moment the advisory dropped.
Who's affected
If you run cPanel or WHM yourself, or if your hosting provider does, you're in scope. Specifically:
- cPanel & WHM, version 11.40 through the various patched builds listed below
- WP Squared, the managed WordPress hosting platform built on cPanel — versions up to 136.1.7
The affected port range covers everything cPanel exposes externally:
| Port | Service |
|---|---|
| 2082 / 2083 | cPanel HTTP / HTTPS |
| 2086 / 2087 | WHM HTTP / HTTPS |
| 2095 / 2096 | Webmail HTTP / HTTPS |
If any of these ports were reachable from the internet between roughly February 23 and April 28, 2026, the server was potentially vulnerable for that entire window.
What cPanel told customers to do
The official advisory includes three things:
1. Upgrade to the patched build for your release track
| Track | Patched version |
|---|---|
| 11.86.0 | 11.86.0.41 |
| 11.110.0 | 11.110.0.97 |
| 11.118.0 | 11.118.0.63 |
| 11.126.0 | 11.126.0.54 |
| 11.130.0 | 11.130.0.19 |
| 11.132.0 | 11.132.0.29 |
| 11.134.0 | 11.134.0.20 |
| 11.136.0 | 11.136.0.5 |
| WP Squared | 136.1.7 |
The standard upgrade path is `/scripts/upcp` or your control panel's equivalent. Servers with auto-updates enabled should already be patched, but a non-trivial number of cPanel instances do not have auto-update enabled.
2. Verify the build landed
`/usr/local/cpanel/cpanel -V`
The output should match one of the patched versions in the table above.
3. Restart cpsrvd
Flush in-memory session caches that may contain poisoned data:
`/scripts/restartsrv_cpsrvd`
The Canadian Centre for Cyber Security's AL26-008 advisory adds a fourth recommendation: restrict network access to cPanel/WHM interfaces with firewall IP allowlists until patched. If your control panel doesn't need to be reachable from arbitrary IPs, lock it down to your office or VPN range — not just for this CVE, but as a general principle.
How to check if you've already been compromised
Patching closes the door. It doesn't tell you whether someone walked through it during the previous two months.
The most reliable forensic indicators, drawn from watchTowr Labs' technical writeup:
- Raw session files containing literal `\r\n` byte sequences inside single field values. Look in `/var/cpanel/sessions/raw/`. Use `grep -lzaP '\r\n' /var/cpanel/sessions/raw/*` to find candidates (the `-z` flag makes grep treat each file as one record; without it, line-oriented matching strips the newline and the pattern can never match), then inspect with `xxd` to confirm.
- Mismatched timestamps between raw and cache session files. A normal session has its cache file written shortly after the raw file. The poisoning chain forces cache regeneration via a token-denial trigger, so look for cache files modified several seconds after their corresponding raw file with no intervening user activity.
- Sessions containing `successful_internal_auth_with_timestamp` without a matching successful login event in cpsrvd's authentication log. The session claims a successful authentication that never actually happened.
- Sessions with `hasroot=1` originating from IP addresses that have never successfully authenticated before. The injection forges this flag.
- cpsrvd access log entries showing unauthenticated requests to `/scripts2/*` paths immediately following a failed Basic Auth attempt. That's the fingerprint of the cache-regeneration trigger step.
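The five checks above, applied as one script over constructed sample data (an added example, not watchTowr's, cPanel's or Rapid7's tooling). It assumes a line-oriented `key=value` session layout, that the session's client IP is available alongside the file, a `login success user=... ip=...` line shape for the cpsrvd auth log, and combined-log lines for the access log; every session and log line below is constructed, the `/scripts2/...` path is a placeholder, and the two-second cache-lag threshold is an assumed cut-off. On a real host you would feed it the raw and cache files from `/var/cpanel/sessions/` and the real logs instead of the embedded samples.

```python
import re
from dataclasses import dataclass

CACHE_LAG_SECONDS = 2.0  # assumed threshold for "cache rebuilt well after the raw file"

# Assumed log shapes, constructed for this example (real cpsrvd formats may differ):
#   auth log:   "<date> <time> login success user=<name> ip=<addr>"
#   access log: combined log format, one request per line
AUTH_OK_RE = re.compile(r"login success user=(?P<user>\S+) ip=(?P<ip>\S+)")
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')


@dataclass
class SessionRecord:
    sid: str
    ip: str             # client address recorded for the session (assumed to be available)
    raw: bytes          # contents of /var/cpanel/sessions/raw/<sid>
    raw_mtime: float    # mtime of the raw file
    cache_mtime: float  # mtime of the corresponding cache file


def parse_session(raw: bytes) -> dict[str, str]:
    """Assumed raw layout: newline-separated key=value lines; a later key overrides an earlier one."""
    pairs = (ln.rstrip("\r").partition("=") for ln in raw.decode("utf-8", "replace").split("\n"))
    return {k: v for k, sep, v in pairs if sep}


def successful_logins(auth_lines):
    """(ip, user) pairs that cpsrvd's auth log actually records as successful."""
    return {(m["ip"], m["user"]) for ln in auth_lines if (m := AUTH_OK_RE.search(ln))}


def scripts2_after_401(access_lines):
    """IPs whose very next request after a 401 (failed Basic Auth) went to /scripts2/*."""
    last_status, hits = {}, set()
    for ln in access_lines:
        m = ACCESS_RE.match(ln)
        if not m:
            continue
        if m["path"].startswith("/scripts2/") and last_status.get(m["ip"]) == "401":
            hits.add(m["ip"])
        last_status[m["ip"]] = m["status"]
    return hits


def scan_session(rec, logins, trigger_ips):
    """Indicator names that fire for one session, in the order the writeup lists them."""
    findings = []
    if b"\r\n" in rec.raw:  # raw files are LF-only (assumed), so any CRLF was injected
        findings.append("crlf_in_raw")
    if rec.cache_mtime - rec.raw_mtime > CACHE_LAG_SECONDS:
        findings.append("late_cache_rebuild")
    s = parse_session(rec.raw)
    if "successful_internal_auth_with_timestamp" in s and (rec.ip, s.get("user")) not in logins:
        findings.append("auth_flag_without_login")
    if s.get("hasroot") == "1" and rec.ip not in {ip for ip, _ in logins}:
        findings.append("hasroot_from_unknown_ip")
    if rec.ip in trigger_ips:
        findings.append("scripts2_after_401")
    return findings


# Constructed sample data: one legitimate session and one poisoned by the chain described above.
AUTH_LOG = ["2026-04-27 09:12:01 login success user=alice ip=198.51.100.4"]
ACCESS_LOG = [
    '203.0.113.7 - - [27/Apr/2026:11:40:00 +0000] "GET /login/ HTTP/1.1" 401 0 "-" "curl/8.6.0"',
    '203.0.113.7 - - [27/Apr/2026:11:40:01 +0000] "GET /scripts2/placeholder HTTP/1.1" 403 0 "-" "curl/8.6.0"',
    '198.51.100.4 - - [27/Apr/2026:09:12:05 +0000] "GET /scripts2/placeholder HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
SESSIONS = [
    SessionRecord("alice-ok", "198.51.100.4",
                  b"user=alice\nsuccessful_internal_auth_with_timestamp=1777280000\nhasroot=0\n",
                  raw_mtime=1777280000.0, cache_mtime=1777280000.4),
    SessionRecord("poisoned", "203.0.113.7",
                  b"state=preauth\nuser=nobody\npass=wrong\r\nhasroot=1\r\n"
                  b"successful_internal_auth_with_timestamp=1777290000\r\nuser=root\n",
                  raw_mtime=1777290000.0, cache_mtime=1777290006.0),
]


def scan_all(sessions=SESSIONS, auth_lines=AUTH_LOG, access_lines=ACCESS_LOG):
    logins, trigger_ips = successful_logins(auth_lines), scripts2_after_401(access_lines)
    return {rec.sid: scan_session(rec, logins, trigger_ips) for rec in sessions}


if __name__ == "__main__":
    for sid, hits in scan_all().items():
        print(f"{sid}: {'COMPROMISED ' + ','.join(hits) if hits else 'clean'}")
```

The indicators are deliberately reported separately rather than collapsed into a single score: a session that only trips the timestamp check might be benign, but any session that carries injected CRLF or a forged `hasroot=1` is evidence on its own, and the access-log trigger ties the session to the attacker's source IP for the rest of the investigation.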
If any of those turn up, treat the server as compromised. Standard incident response applies: isolate, snapshot, rotate every credential the server had access to, audit every customer account it manages.
The bigger picture — why authentication bypass matters more than people realise
In the security community we sometimes split vulnerabilities into "remote code execution" (the dramatic ones) and "authentication bypass" (the unsexy ones). That split misleads.
A pure RCE in cPanel would have been front-page news for a week. CVE-2026-41940 is "merely" an authentication bypass — but the practical impact is identical. Once an attacker is authenticated as root inside cPanel, every code execution capability cPanel itself has becomes their code execution capability. The "additional step" they save by avoiding RCE is irrelevant.
This is why the MITRE ATT&CK framework lists Initial Access as a tactic in its own right, and why authentication bypasses on widely deployed admin panels (cPanel, Plesk, WordPress, Confluence, ESXi) consistently rank among the highest-impact CVEs each year. The vulnerability isn't the impressive part. The doors it unlocks are.
For SMB site owners running on shared hosting, the lesson is harder still: most of you have no visibility into whether your hosting provider patched promptly. You can't ssh into a shared host and run cpanel -V. You're trusting the provider — and the only signal you'll get if they failed is when your customer database appears for sale on a leak forum.
What we look for at Obsyde
Real-time security monitoring catches what patches alone don't. The kind of post-exploitation activity that follows a CVE-2026-41940 compromise — credential exfiltration, lateral movement attempts, malware staging, customer-account modification — produces noisy network and filesystem signals that a layered monitoring system flags within seconds.
For our own infrastructure and the WordPress sites our Aegis customers protect, every request gets inspected against pattern-matching rules, cross-referenced against community threat intelligence (around 71,000 known-bad IPs across eight feeds), and evaluated for behavioural anomalies. CVE-2026-41940 itself is an authentication issue rather than a payload signature, so the value isn't in detecting the exploitation — it's in detecting the post-exploitation activity that follows.
If your environment is built on cPanel and you've patched, audit. If you can't audit, monitor. If you do neither, you're trusting that two months of zero-day exploitation didn't reach you — which is a lot to trust.
Conclusion
CVE-2026-41940 is the kind of vulnerability that quietly resets the assumed security baseline of a generation of websites. Two million cPanel instances, two months of unpatched exploitation, full root access to the host once exploited. The patch is now available and well-documented. The forensic checks above are not optional for anyone managing a vulnerable server — even after patching.
If you run cPanel:
- Patch tonight
- Verify the build with `/usr/local/cpanel/cpanel -V`
- Restart `cpsrvd`
- Run the IOC checks above
- Lock cPanel/WHM behind a VPN or IP allowlist if you don't need it publicly reachable
- Subscribe to your hosting provider's security mailing list — there will be another one of these
References
- CVE-2026-41940 — National Vulnerability Database
- cPanel TSR 40073787579671 (official advisory)
- watchTowr Labs technical writeup
- Rapid7 mitigation guidance
- Help Net Security — Exploitation timeline
- Canadian Centre for Cyber Security AL26-008
- The Hacker News coverage
- TechCrunch — active exploitation reporting