Critical cPanel Authentication Bypass CVE-2026-41940 Under Active Zero-Day Exploitation
cPanel has released emergency patches for CVE-2026-41940, a critical authentication bypass vulnerability in cPanel and WHM with a CVSS score of 9.8, which is being actively exploited in the wild as a zero-day for at least 30 days.

cPanel has released emergency security updates to address CVE-2026-41940, a critical authentication bypass vulnerability in cPanel and WebHost Manager (WHM) that carries a CVSS score of 9.8 out of 10.0. The flaw allows unauthenticated remote attackers to gain unauthorized access to the control panel, and reports indicate active in-the-wild zero-day exploitation for at least 30 days prior to disclosure.
The vulnerability affects all currently supported versions of cPanel and WHM prior to the patched builds, which are versions 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, and 11.136.0.5 and higher. According to cPanel's advisory, the issue stems from an authentication bypass in the login flow that allows attackers to manipulate session files and gain administrative access.
Technical analysis from watchTowr Labs and Rapid7 revealed that CVE-2026-41940 is caused by a Carriage Return Line Feed (CRLF) injection in the login and session loading processes. Before authentication occurs, the cPanel service daemon `cpsrvd` writes a new session file to disk. Attackers can inject raw `\r\n` characters via a malicious basic authorization header, causing the system to write arbitrary properties—such as `user=root`—into the session file without sanitization. After triggering a session reload, the attacker gains administrator-level access.
The impact is severe because WHM grants root administrative access to the entire server. As security firm Hadrian noted, "Compromise of cPanel is materially different from the compromise of a single customer website. WHM grants root administrative access to the server. An attacker with this access can read every customer hosting account, modify files and databases, create backdoor accounts, install malware, steal credentials, and pivot into customer networks."
In response, major hosting providers including Namecheap, KnownHost, HostPapa, InMotion, and others have taken emergency measures. Namecheap temporarily blocked TCP ports 2083 and 2087 at the firewall, restricting customer access to cPanel and WHM interfaces until patches could be applied. KnownHost CEO Daniel Pearson confirmed the vulnerability has been actively exploited for at least 30 days. cPanel has also released a detection script to identify indicators of compromise, including sessions with both `token_denied` and `cp_security_token` with `method=badpass` origin, pre-authenticated sessions with authenticated attributes, sessions with `tfa_verified` but no valid origin, and password fields containing newlines.
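To make the detection criteria above concrete, here is an added example (not cPanel's own detection script) that parses session records and flags the four indicators listed. It assumes a constructed key=value-per-line session format, a hypothetical `preauth=1` flag for the pre-authenticated state, and a hypothetical allow-list of valid `origin` values; real cPanel session files may differ.

```python
"""Flag session records for the CVE-2026-41940 indicators of compromise."""
import re

# Hypothetical allow-list of legitimate origin values (assumption, not cPanel's).
VALID_ORIGINS = {"method=login", "method=tfa"}
# Attributes that should only exist once a session is fully authenticated.
AUTHENTICATED_ATTRS = ("user", "cp_security_token", "tfa_verified")

# Constructed sample records; the second mimics a CRLF-injected password.
CLEAN_SESSION = "user=alice\norigin=method=login\ncp_security_token=cpsess1234\n"
SUSPECT_SESSION = (
    "user=alice\npass=secret\r\nuser=root\r\ncp_security_token=cpsess9999\n"
    "origin=method=badpass\ntoken_denied=1\n"
)


def parse_session(text):
    """Parse 'key=value' lines into a dict (constructed format, see lead-in).

    Split on '\\n' only, so a stray '\\r' left behind by a CRLF injection
    survives inside the parsed value instead of being silently dropped.
    """
    session = {}
    for line in text.split("\n"):
        if "=" in line:
            key, value = line.split("=", 1)
            session[key] = value  # later duplicates overwrite earlier ones
    return session


def session_indicators(session):
    """Return the names of all indicators matched by one parsed session."""
    hits = []
    origin = session.get("origin", "")
    # 1. token_denied together with cp_security_token, from a badpass origin
    if "token_denied" in session and "cp_security_token" in session \
            and "method=badpass" in origin:
        hits.append("token_denied+cp_security_token with badpass origin")
    # 2. still pre-authenticated, yet carrying authenticated attributes
    if session.get("preauth") == "1" and any(k in session for k in AUTHENTICATED_ATTRS):
        hits.append("pre-authenticated session with authenticated attributes")
    # 3. tfa_verified set without a recognised origin
    if session.get("tfa_verified") == "1" and origin not in VALID_ORIGINS:
        hits.append("tfa_verified without valid origin")
    # 4. line-break characters in the password field
    if re.search(r"[\r\n]", session.get("pass", "")):
        hits.append("password field contains newline")
    return hits


def scan_sessions(sessions):
    """Map record name -> matched indicators, omitting clean records."""
    report = {}
    for name, text in sessions.items():
        hits = session_indicators(parse_session(text))
        if hits:
            report[name] = hits
    return report
```

Point `scan_sessions` at the contents of a session directory to get a per-file report; an empty report means none of the four indicators matched.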
cPanel has urged customers to update immediately using the update script (`/scripts/upcp --force`) and to verify the build version. As interim mitigations, the company recommends blocking inbound traffic on ports 2083, 2087, 2095, and 2096 at the firewall, or stopping `cpsrvd` and `cpdavd` services. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities catalog, mandating federal agencies to apply patches by a specified deadline.
Eye Security identified over 2 million cPanel instances connected to the internet, though it remains unknown how many have auto-update enabled and remain vulnerable. watchTowr CEO Benjamin Harris emphasized the severity: "Let's call this what it is: an unauthenticated authentication bypass in cPanel and WHM, a management-plane solution deployed on tens of thousands of servers and sitting in front of a meaningful chunk of the internet." The incident underscores the critical risk posed by vulnerabilities in widely deployed server management platforms.