Critical cPanel Authentication Bypass CVE-2026-41940 Under Active Exploitation
A critical authentication-bypass vulnerability in cPanel and WebHost Manager (WHM), tracked as CVE-2026-41940, is being actively exploited in the wild, allowing attackers to gain administrative access without credentials.

Security researchers are warning about a newly discovered vulnerability in the widely used web server management software cPanel and WebHost Manager (WHM). The flaw is a critical, actively exploited authentication bypass that lets attackers gain administrative access to the cPanel/WHM interface without credentials, potentially taking over servers and every site hosted on them.
The vulnerability, tracked as CVE-2026-41940, has been added to the Known Exploited Vulnerabilities catalog by the Cybersecurity and Infrastructure Security Agency (CISA), meaning there is evidence it is being used in real-world attacks. Because cPanel/WHM is used by over a million sites worldwide, including banks and health organizations, the potential impact is huge. In simple terms, the bug can act like a front-door key to a big chunk of the web's hosting infrastructure.
cPanel released patches on April 28, 2026, and urged all customers and hosts to update. It said all supported versions after 11.40 are affected, including DNSOnly and WP Squared. Hosting providers including Namecheap, HostGator, and KnownHost temporarily blocked access to cPanel interfaces while patching, treating this as a critical authentication bypass and reporting exploit attempts going back to late February 2026.
The technical mechanism of the flaw allows an unauthenticated attacker to bypass authentication checks and gain full administrative access to the cPanel or WHM interface. Once inside, an attacker can modify server configurations, access databases, install malware, and pivot to other systems on the network. The ease of exploitation and the widespread deployment of cPanel make this a particularly dangerous vulnerability.
CISA's inclusion of CVE-2026-41940 in its Known Exploited Vulnerabilities catalog underscores the urgency of patching. Federal agencies are required to apply the fix by a specified deadline, and private organizations are strongly encouraged to follow suit. The agency has not yet disclosed specific details about the threat actors exploiting the flaw, but the active exploitation suggests that multiple groups may be involved.
For website owners and hosting providers, the immediate step is to apply the patches released by cPanel. If patching is not immediately possible, administrators should restrict access to the cPanel and WHM interfaces to trusted IP addresses only, and monitor for signs of compromise. Users of affected hosting services should be vigilant for unusual activity on their accounts.
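The two interim measures above, restricting the management interfaces to trusted addresses and watching for access from anywhere else, can be expressed in a few lines. The following is an added illustration written for this page; it is not code from the article, from cPanel, or from CISA. It assumes cPanel's default listening ports (2082/2083 for cPanel, 2086/2087 for WHM), a constructed allow-list of administrator networks drawn from documentation address ranges, and a constructed `source_ip port path` record format that stands in for whatever access log or connection export the host actually has.

```python
"""Added example (not from the article or from cPanel): flag access to the
cPanel/WHM ports from outside a trusted-IP allow-list, and emit the
equivalent allow-list firewall rules for those ports."""
import ipaddress
from dataclasses import dataclass

# Default cPanel/WHM TCP ports: 2082/2083 cPanel, 2086/2087 WHM.
ADMIN_PORTS = {2082: "cpanel", 2083: "cpanel-ssl", 2086: "whm", 2087: "whm-ssl"}

# Administrator networks that may reach the interfaces.
# Constructed placeholder ranges (RFC 5737 / RFC 3849 documentation space).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]


def is_trusted(ip: str) -> bool:
    """True if the source address falls inside any trusted network.
    A mismatched address family (v4 address vs v6 network) is simply False."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


@dataclass
class Hit:
    src: str
    port: int
    path: str


def parse_record(line: str) -> Hit:
    """Parse one constructed record: '<src_ip> <dst_port> <path>'.
    This is NOT cPanel's own log format; adapt to the real source."""
    src, port, path = line.split(None, 2)
    return Hit(src, int(port), path)


def untrusted_admin_hits(lines):
    """Return records that reached an admin port from a non-trusted source.
    Blank lines and '#' comments are skipped; other ports are ignored."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_record(line)
        if rec.port in ADMIN_PORTS and not is_trusted(rec.src):
            hits.append(rec)
    return hits


def firewall_rules():
    """Build iptables/ip6tables rules that accept the admin ports only from
    TRUSTED_NETS and drop everything else. ACCEPT rules are emitted first so
    that appending them in order yields the intended precedence."""
    rules = []
    for net in TRUSTED_NETS:
        cmd = "iptables" if net.version == 4 else "ip6tables"
        for port in ADMIN_PORTS:
            rules.append(f"{cmd} -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT")
    for port in ADMIN_PORTS:
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
        rules.append(f"ip6tables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


# Constructed sample records for demonstration only.
SAMPLE_RECORDS = [
    "# src_ip dst_port path",
    "203.0.113.10 2087 /login/",      # trusted admin reaching WHM: fine
    "198.51.100.7 2087 /login/",      # untrusted source on WHM port: flag
    "198.51.100.7 443 /index.php",    # ordinary HTTPS, not an admin port
    "2001:db8::42 2083 /login/",      # trusted IPv6 admin on cPanel: fine
    "192.0.2.55 2083 /login/",        # untrusted source on cPanel port: flag
]

if __name__ == "__main__":
    for hit in untrusted_admin_hits(SAMPLE_RECORDS):
        print(f"ALERT {ADMIN_PORTS[hit.port]} port {hit.port} reached from {hit.src} ({hit.path})")
    print("\n".join(firewall_rules()))
```

Run it as-is to see two alerts from the constructed records and the sixteen generated rules. On a real host, apply the equivalent of those rules through whatever firewall manager the server already uses rather than pasting raw iptables commands alongside it, and feed `untrusted_admin_hits` from the actual access records once `parse_record` is adapted to their format.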
This vulnerability highlights the risks associated with widely deployed server management software. As hosting infrastructure becomes an increasingly attractive target for attackers, the security of tools like cPanel is paramount. The active exploitation of CVE-2026-41940 serves as a reminder that even mature software can harbor critical flaws that require immediate attention.