
CVE-2026-41940: cPanel and WHM Authentication Bypass


Rodrigo Garcia

What Is CVE-2026-41940?

CVE-2026-41940 is an authentication bypass vulnerability in cPanel and WHM (WebHost Manager) that allows unauthenticated remote attackers to gain full access to the hosting control panel. The flaw exists in the login flow and requires no credentials, no user interaction, and no special conditions to exploit. An attacker with network access to the cPanel or WHM port can bypass authentication entirely and take over the control panel.

cPanel is one of the most widely deployed web hosting management platforms. It runs on millions of servers worldwide, managing web hosting accounts, DNS, email, databases, and file systems. A full authentication bypass on cPanel means an attacker can create accounts, modify DNS records, access hosted databases, read email, deploy web shells, and pivot to any site hosted on the server.

The weakness is classified as CWE-306: Missing Authentication for Critical Function. The vulnerability also affects WP Squared (WordPress Squared), a cPanel WordPress management plugin.

  • CVSS: 9.8 (Critical)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • EPSS: 16.5% (95th percentile)
  • KEV Listed: Yes
  • Affected: cPanel/WHM 11.40+
  • Sources: NVD, MITRE, EPSS, KEV

How Serious Is It?

CVSS Score

NVD rates CVE-2026-41940 at 9.8 Critical (CVSS v3.1). The CNA (VulnCheck) provided both CVSS v3.1 (9.8) and CVSS v4.0 (9.3) scores. NVD adopted the v3.1 score as the primary assessment. Both the CNA and NVD agree on the severity.

The vector is the worst-case scenario for a web-facing application: network-accessible, low complexity, no privileges required, no user interaction. Impact is high across confidentiality, integrity, and availability. An attacker who bypasses cPanel authentication gains the same access as a root-level administrator on the hosting server.


Exploitation Probability

The EPSS score is 16.52%, placing CVE-2026-41940 in the 94.9th percentile. This means it has a higher predicted exploitation probability than 94.9% of all scored CVEs. For an authentication bypass in internet-facing software with a public exploit, this score reflects the high likelihood of mass exploitation.

EPSS score: 16.52% probability of exploitation in the next 30 days (95th percentile; ranks higher than 95% of all scored CVEs).

Active Exploitation

CVE-2026-41940 is in the CISA Known Exploited Vulnerabilities catalog, added on April 30, 2026 with a 3-day remediation deadline (May 3, 2026). This is one of the shortest remediation windows CISA assigns, reflecting the severity and active exploitation.

CISA Known Exploited Vulnerability

This vulnerability is actively exploited in the wild. Federal agencies must remediate by the due date below.

  • Added to catalog: Apr 30, 2026
  • Remediation due: May 3, 2026 (federal agency deadline)
  • Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA’s SSVC assessment:

  • Exploitation: active (confirmed in-the-wild exploitation)
  • Automatable: yes (no human interaction required to exploit at scale)
  • Technical Impact: total (full system compromise)

A public exploit exists at watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py on GitHub. The exploit targets port 2087 (WHM) and chains four stages to reach root:

  1. Pre-auth session minting. Creates a session base and generates an initial token.
  2. CRLF injection. Injects a payload via cookie/header handling that triggers an HTTP 307 redirect, leaking a /cpsessXXXXXX session token.
  3. Cache poisoning. Fires do_token_denied to propagate the minted token into the application cache, causing the server to treat it as authenticated.
  4. Root access. The attacker now holds a valid WHM root session. From root WHM, remote code execution is trivial via built-in server management functions.

The entire chain is unauthenticated, network-accessible, and runs as a single Python script. The combination of active exploitation, full automatability, and a public RCE exploit makes this one of the highest-urgency CVEs of 2026.

Who Is Affected?

Three products from WebPros (the company behind cPanel) are affected: cPanel, WHM (WebHost Manager), and WP Squared (WordPress management plugin). The vulnerability exists in all versions from 11.40 onward.

Fixed versions by release branch:

Branch   Affected range        Fixed in
86.x     11.40 - 86.0.40       86.0.41
110.x    88.0.0 - 110.0.96     110.0.97
118.x    112.0.0 - 118.0.62    118.0.63
126.x    120.0.0 - 126.0.53    126.0.54
130.x    128.0.0 - 130.0.18    130.0.19
132.x    132.0.0 - 132.0.28    132.0.29
134.x    134.0.0 - 134.0.19    134.0.20
136.x    136.0.0 - 136.0.4     136.0.5

WP Squared (WordPress Squared) is fixed in version 136.1.7.

If you use a managed hosting provider that runs cPanel (GoDaddy, Namecheap, HostGator, Bluehost, A2 Hosting, and many others), your provider is responsible for patching. Namecheap published a status update acknowledging the vulnerability and their patching timeline. Contact your hosting provider to confirm they have applied the update.

What Should You Do?

Patches and Updates

Update cPanel and WHM to the fixed version for your branch. The vendor advisory with patch instructions is at:

cPanel servers with automatic updates enabled may have already received the patch. Verify your version by logging into WHM and checking the version number in the sidebar, or run /usr/local/cpanel/cpanel -V from the command line.

Workarounds

No vendor-provided workarounds are available. The CISA KEV required action states: apply vendor mitigations or discontinue use if mitigations are unavailable.

As interim measures:

  1. Restrict management ports. Block external access to ports 2082 (cPanel HTTP), 2083 (cPanel HTTPS), 2086 (WHM HTTP), and 2087 (WHM HTTPS) using firewall rules. Allow only trusted management IPs. This does not fix the vulnerability but removes the network path to the exploit.
  2. Check for compromise. Review WHM access logs for unexpected /cpsessXXX session tokens from external IPs, anomalous do_token_denied requests (the cache poisoning step), and any /json-api/ calls from addresses that should not have WHM access.
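The log review in step 2 can be scripted. The following is an added example written for this advisory, not part of the advisory or of cPanel's own tooling. It assumes the access log is in combined/common log format (the sample lines below are constructed, not captured from a real server) and that TRUSTED_NETWORKS holds the management addresses that are allowed to reach WHM; everything it flags is an indicator to review by hand, not proof of compromise.

```python
"""Flag the WHM/cPanel access-log indicators listed in the interim measures:
/cpsess session-token paths from untrusted IPs, do_token_denied requests,
and /json-api/ calls from addresses that should not have WHM access.
"""
import ipaddress
import re
from typing import Dict, List

# Combined/common log format is an assumption of this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Management networks allowed to reach WHM (constructed for this example).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log lines, not captured from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Apr/2026:10:14:02 +0000] "GET /cpsess7f3a1b2c/json-api/listaccts HTTP/1.1" 200 812
198.51.100.9 - - [30/Apr/2026:10:14:05 +0000] "POST /do_token_denied HTTP/1.1" 307 0
10.0.0.5 - - [30/Apr/2026:10:20:00 +0000] "GET /cpsess9911aa22/scripts/command HTTP/1.1" 200 400
198.51.100.9 - - [30/Apr/2026:10:14:07 +0000] "GET /json-api/listaccts HTTP/1.1" 200 1200
203.0.113.7 - - [30/Apr/2026:10:30:00 +0000] "GET /login/ HTTP/1.1" 200 3000
"""


def is_trusted(ip_text: str) -> bool:
    """True if the source address falls inside an allowed management network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable source address: treat as untrusted
    return any(ip in net for net in TRUSTED_NETWORKS)


def classify(ip: str, path: str) -> List[str]:
    """Return the advisory's indicators that apply to one request."""
    reasons: List[str] = []
    trusted = is_trusted(ip)
    if "/cpsess" in path and not trusted:
        reasons.append("session token path from untrusted IP")
    if "do_token_denied" in path:
        reasons.append("do_token_denied request (cache-poisoning step)")
    if "/json-api/" in path and not trusted:
        reasons.append("json-api call from untrusted IP")
    return reasons


def scan(log_text: str) -> List[Dict[str, object]]:
    """Parse each line and collect the requests that match an indicator."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of aborting the review
        reasons = classify(m["ip"], m["path"])
        if reasons:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "path": m["path"],
                "status": int(m["status"]), "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['status']} {f['path']} -> {'; '.join(f['reasons'])}")
```

On the constructed sample this reports three requests: the /cpsess path and /json-api/ call from 203.0.113.7, the do_token_denied request, and the bare /json-api/ call from 198.51.100.9; the /cpsess request from the trusted 10.0.0.5 address is not flagged. Point the script at the real log path on your server and replace TRUSTED_NETWORKS with your own management ranges.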

Detection and Visibility

Check your cPanel version with /usr/local/cpanel/cpanel -V and compare it against the fix table above. If you manage cPanel servers across multiple environments, you need to know which ones are running vulnerable versions.
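Comparing a version string against the fix table is easy to get wrong by hand, because the branch ranges do not line up with the branch names (the 110.x fix covers everything from 88.0.0) and because string comparison orders "110.0.96" before "86.0.40". The following is an added example, not cPanel's or WebPros' own tooling, that encodes the fix table from the section above and classifies a version. It assumes the version you pass in is the dotted version reported by /usr/local/cpanel/cpanel -V (the exact output format of that command is an assumption; the script pulls the first dotted number from it).

```python
"""Classify a cPanel/WHM version against the advisory's fix table."""
import re
import subprocess
import sys
from typing import List, Tuple

Version = Tuple[int, int, int]

# (branch, first affected, last affected, fixed in), as listed in the advisory table.
FIX_TABLE: List[Tuple[str, str, str, str]] = [
    ("86.x",  "11.40",   "86.0.40",  "86.0.41"),
    ("110.x", "88.0.0",  "110.0.96", "110.0.97"),
    ("118.x", "112.0.0", "118.0.62", "118.0.63"),
    ("126.x", "120.0.0", "126.0.53", "126.0.54"),
    ("130.x", "128.0.0", "130.0.18", "130.0.19"),
    ("132.x", "132.0.0", "132.0.28", "132.0.29"),
    ("134.x", "134.0.0", "134.0.19", "134.0.20"),
    ("136.x", "136.0.0", "136.0.4",  "136.0.5"),
]

FIRST_AFFECTED = "11.40"  # the advisory: all versions from 11.40 onward


def parse_version(text: str) -> Version:
    """Turn '110.0.96' (or a two-part '11.40') into a 3-tuple so that
    tuple comparison orders versions numerically rather than lexically."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def assess(version_text: str) -> Tuple[str, str]:
    """Return (status, detail); status is one of
    'not_affected', 'vulnerable', 'patched', 'unlisted'."""
    v = parse_version(version_text)
    if v < parse_version(FIRST_AFFECTED):
        return ("not_affected", f"{version_text} predates {FIRST_AFFECTED}")

    rows = [(branch, parse_version(lo), parse_version(hi), parse_version(fx), fx)
            for branch, lo, hi, fx in FIX_TABLE]
    # Inside any affected range: vulnerable, and the fix for that branch is the target.
    for branch, lo, hi, _fixed, fixed_text in rows:
        if lo <= v <= hi:
            return ("vulnerable", f"{version_text} is in branch {branch}; update to {fixed_text} or later")
    # Otherwise, at or above the fix of the latest branch whose fix we have passed.
    patched = [r for r in rows if v >= r[3]]
    if patched:
        branch, _lo, _hi, _fixed, fixed_text = patched[-1]
        return ("patched", f"{version_text} is at or above the {branch} fix ({fixed_text})")
    return ("unlisted", f"{version_text} matches no listed range; confirm against the vendor advisory")


def installed_version() -> str:
    """Read the version from `cpanel -V` (output format assumed; first dotted number is used)."""
    out = subprocess.run(["/usr/local/cpanel/cpanel", "-V"],
                         capture_output=True, text=True, check=True).stdout
    m = re.search(r"\d+(?:\.\d+)+", out)
    if not m:
        raise RuntimeError(f"could not find a version in: {out!r}")
    return m.group(0)


if __name__ == "__main__":
    # Pass a version on the command line, or run on the cPanel host itself.
    version = sys.argv[1] if len(sys.argv) > 1 else installed_version()
    status, detail = assess(version)
    print(f"{status}: {detail}")
```

Run it as `python3 check_cpanel.py 110.0.96` to classify a version collected from inventory, or without arguments on the server to read the installed version. Feeding the output of your asset inventory through assess() gives the per-server list the paragraph above asks for.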

An asset inventory that pulls from your vulnerability scanner and configuration management tools surfaces which servers run cPanel and what version they are on. Koopic connects to your existing tools and identifies affected assets across your environment in minutes.

Timeline

  • Apr 30, 2026 (kev): CISA adds to KEV catalog (3-day deadline)
  • Apr 30, 2026 (exploit): CISA ADP confirms active exploitation, automatable
  • Apr 30, 2026 (nvd): NVD analysis complete
  • Apr 29, 2026 (nvd): NVD publishes CVE record
  • Apr 29, 2026 (disclosure): VulnCheck publishes CNA advisory
  • Apr 28, 2026 (patch): cPanel releases security update
  • Apr 28, 2026 (disclosure): Vulnerability disclosed

