VYPR · kev
Published Apr 29, 2026 · Updated May 18, 2026 · 1 source

CVE-2026-41940: Critical cPanel & WHM Authentication Bypass Under Active Exploitation

A critical authentication bypass vulnerability in cPanel & WHM (CVE-2026-41940, CVSS 9.8) is being actively exploited in the wild, granting unauthenticated attackers root-level access to over a million exposed servers.

On April 28, 2026, cPanel issued an emergency security update addressing a critical vulnerability in cPanel & WHM and WP Squared. The flaw, tracked as CVE-2026-41940 and carrying a CVSS score of 9.8, allows unauthenticated remote attackers to bypass authentication and gain full administrative control over affected systems. First-party vendor advisories are available for both cPanel & WHM and WP Squared.

The vulnerability stems from a Carriage Return Line Feed (CRLF) injection in the login and session loading processes of cPanel & WHM. Before authentication occurs, the cPanel service daemon (`cpsrvd`) writes a new session file to disk. By manipulating the `whostmgrsession` cookie—specifically by omitting an expected segment of the cookie value—an attacker can avoid the encryption process normally applied to user-provided values. Injecting raw `\r\n` characters via a malicious Basic Authorization header allows the attacker to insert arbitrary properties, such as `user=root`, into the session file. After triggering a reload of the session from the file, the attacker gains administrator-level access for their token.
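The mechanism above hinges on raw CR/LF bytes travelling inside a Basic Authorization header, which no legitimate browser or API client ever sends. The following detection script is an added example and is not code from the original post, cPanel, or watchTowr: it decodes the credential part of a Basic header and flags any value that contains `\r` or `\n`, then runs that check over a few constructed log lines. The `auth="..."` log field and the sample addresses are assumptions for the example; map the regex to whatever your reverse proxy or WAF actually records.

```python
import base64
import binascii
import re

# Constructed sample header values (not real captures). The "injected" one carries
# raw CR/LF inside the base64-encoded credential, which no legitimate client sends.
BENIGN_HEADER = "Basic " + base64.b64encode(b"alice:correct-horse").decode()
INJECTED_HEADER = "Basic " + base64.b64encode(b"alice\r\ninjected=1:x").decode()

# Constructed log format (assumed): the proxy writes the Authorization header value
# in an auth="..." field. Adjust AUTH_FIELD to match your own proxy's log format.
SAMPLE_LOG = [
    '198.51.100.7 - - [28/Apr/2026:10:00:01 +0000] "POST /login/ HTTP/1.1" 200 auth="%s"' % BENIGN_HEADER,
    '203.0.113.9 - - [28/Apr/2026:10:00:02 +0000] "POST /login/ HTTP/1.1" 200 auth="%s"' % INJECTED_HEADER,
    '198.51.100.7 - - [28/Apr/2026:10:00:03 +0000] "GET / HTTP/1.1" 200 auth=""',
]

AUTH_FIELD = re.compile(r'auth="([^"]*)"')
BASIC_RE = re.compile(r"^\s*Basic\s+([A-Za-z0-9+/=]+)\s*$")


def decode_basic(value):
    """Decode the credential part of a Basic Authorization header value.

    Returns the raw credential bytes, or None when the value is not
    well-formed Basic auth (other scheme, bad base64, empty string).
    """
    m = BASIC_RE.match(value)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None


def has_crlf(value):
    """True if the header value contains CR or LF, either raw or after base64 decoding."""
    if "\r" in value or "\n" in value:
        return True
    creds = decode_basic(value)
    return creds is not None and (b"\r" in creds or b"\n" in creds)


def scan_log(lines):
    """Return the 1-based numbers of lines whose auth="..." field carries CR/LF."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = AUTH_FIELD.search(line)
        if m and has_crlf(m.group(1)):
            hits.append(n)
    return hits


if __name__ == "__main__":
    for n in scan_log(SAMPLE_LOG):
        print(f"line {n}: CR/LF inside Basic Authorization credential")
```

Run it against exported proxy or WAF logs for the cPanel (2083) and WHM (2087) listeners; a hit is a high-confidence indicator of an attempt against this flaw, since the only reason to place a line break inside a credential is to smuggle extra lines into whatever file the server writes them to.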

cPanel & WHM is a widely used web hosting control panel. WHM provides root-level server administration, while cPanel serves as the user-facing interface. Successful exploitation grants an attacker complete control over the host system, its configuration, its databases, and every website it manages. A naive Shodan query reveals approximately 1.5 million cPanel instances exposed to the internet that may be vulnerable.

Active exploitation in the wild has been confirmed. Managed cPanel host KnownHost reported that the vulnerability is being actively exploited, with speculation that targeted zero-day exploitation may have occurred as early as February 23, 2026, well before public disclosure. Security firm watchTowr has published a technical analysis and proof-of-concept exploit, making widespread exploitation imminent.

All versions of cPanel & WHM after 11.40 are affected. Fixed versions are available for multiple release branches, including 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, and 11.136.0.5. WP Squared users should upgrade to version 136.1.7. Organizations running on-premises instances should prioritize upgrading on an emergency basis. Some hosting providers have temporarily blocked TCP ports 2083 and 2087 as a workaround, but patching is strongly recommended.
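Because the fix landed on eight separate release branches, "am I patched?" is a per-branch comparison rather than a single threshold. The checker below is an added example, not cPanel's own tooling: it parses a version string, finds the branch by its second component, and compares against the fixed builds listed above. The path `/usr/local/cpanel/version` is an assumption about where the installed version string lives; pass the path explicitly if your installation differs. Branches not in the list (and anything other than major version 11) are reported as unknown rather than guessed at.

```python
import re
import sys

# Fixed builds per release branch, taken from the list in the advisory summary
# above, keyed by the branch's second version component (11.<branch>).
FIXED_BUILDS = {
    86: (11, 86, 0, 41),
    110: (11, 110, 0, 97),
    118: (11, 118, 0, 63),
    126: (11, 126, 0, 54),
    130: (11, 130, 0, 19),
    132: (11, 132, 0, 29),
    134: (11, 134, 0, 20),
    136: (11, 136, 0, 5),
}

# Assumed location of the installed version string; confirm on your own hosts.
VERSION_FILE = "/usr/local/cpanel/version"


def parse_version(text):
    """Turn '11.110.0.96' into (11, 110, 0, 96), zero-padding short strings."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"unrecognised cPanel version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def assess(text):
    """Classify a version string against the fixed builds for its branch.

    Returns one of: 'patched', 'vulnerable', 'unknown-branch',
    'outside-stated-range'. Treat 'unknown-branch' as vulnerable until the
    vendor advisory says otherwise.
    """
    v = parse_version(text)
    major, branch = v[0], v[1]
    if major != 11:
        return "unknown-branch"
    if branch <= 40:
        # The advisory summary says versions after 11.40 are affected;
        # anything at or below that is outside the stated range.
        return "outside-stated-range"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown-branch"
    return "patched" if v >= fixed else "vulnerable"


def assess_file(path=VERSION_FILE):
    """Read the version string from disk and classify it."""
    with open(path, encoding="utf-8") as fh:
        return assess(fh.read())


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else VERSION_FILE
    try:
        print(f"{path}: {assess_file(path)}")
    except (OSError, ValueError) as exc:
        print(f"could not assess {path}: {exc}", file=sys.stderr)
        sys.exit(2)
```

Run it with a fleet management tool across every host; any result other than `patched` belongs on the emergency upgrade list, and the port-blocking workaround mentioned above only buys time for hosts in that state.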

Rapid7's Exposure Command, InsightVM, and Nexpose customers can assess their exposure to CVE-2026-41940 with authenticated vulnerability checks available in the April 30, 2026 content release. Given the critical severity, active exploitation, and availability of a public proof-of-concept, defenders must act immediately to patch vulnerable systems.

Synthesized by Vypr AI