A critical vulnerability, CVE-2026-41940, was identified in cPanel and WHM on April 28, 2026.
This vulnerability allows attackers to gain full administrator (root-level) access to affected servers without valid credentials. Because of its severity, CVE-2026-41940 is rated as a critical-level exploit.
Currently, the issue affects:
- All supported versions of cPanel and WHM after version 11.40.
- Related cPanel products, such as DNSOnly.
- WP Squared versions after 136.1.7.
Given how many hosting providers rely on cPanel and WHM, CVE-2026-41940 could impact millions of websites, databases, and email servers around the world.
Security patches were released on May 1, 2026, but evidence suggests attackers may have been actively exploiting the flaw as early as February 2026.
How to Protect Your Server?
If you manage a server with cPanel and WHM, you should act now to lower the risk of a security breach.
Note: If you use shared hosting and only have a regular cPanel account, your hosting company handles security patches. Contact them to make sure your server has been updated.
Update cPanel
The only way to fully fix CVE-2026-41940 is to update cPanel and WHM to a patched version. To install the latest security patch for your server:
1. Enter the following command to run the built-in cPanel update script:
/scripts/upcp --force2. When the update is complete, verify the installed cPanel version:
/usr/local/cpanel/cpanel -VMake sure the installed version matches the latest patched releases listed in the official cPanel advisory.
3. Restart the cpsrvd service to load all updated components into memory:
/scripts/restartsrv_cpsrvd --hardThe --hard option does a full restart of the cPanel service, not just a soft reload.
Limit Access to cPanel (Temporary Measure)
After the vulnerability became public, the number of attacks increased rapidly. Researchers observed over 44,000 IP addresses scanning the internet for vulnerable cPanel systems. Attackers focused on common cPanel and webmail ports, including:
| Port Number | Service |
|---|---|
| 2083 | cPanel SSL login |
| 2087 | WHM SSL login |
| 2095 | Webmail login |
| 2096 | Secure webmail login |
If you cannot update cPanel and WHM immediately, for example, because you are waiting for a maintenance window or testing updates in a production environment, temporarily limit access to these login services.
Only allow connections from trusted IP addresses, like your office, home network, or internal management networks.
Keep in mind that this is just a temporary emergency measure that reduces exposure. The server will remain vulnerable until you install a patched version of cPanel.
Check for Signs of Compromise
If your server used a vulnerable version of cPanel and WHM, assume attackers might have accessed it before the security patch was installed. Check for any signs of unauthorized activity or persistence mechanisms that attackers may have left behind.
Use the official cPanel forensic and detection tool to search for Indicators of Compromise (IoCs). The script and instructions are available on the cPanel CVE-2026-41940 security advisory page.
You should also manually inspect the server for signs of compromise:
- Delete old session files. Remove old session files to force all users to authenticate again and invalidate potentially malicious sessions.
- Check for unknown administrator accounts. Look for any new accounts, especially those with unusual privileges. Attackers often create administrator accounts and leave them unused so they can regain access later.
- Check the /root/.ssh/authorized_keys file. Attackers may have added their own SSH keys to maintain access without a password. Review SSH keys for admin, sudo, and hosting accounts with shell access, and remove any recent or unfamiliar keys.
- Review cron jobs. Attackers sometimes leave hidden cron jobs to reopen backdoors or download malware, even after you patch cPanel. Check both user and system cron jobs for any commands or scripts you do not recognize.
What is CVE-2026-41940?
CVE-2026-41940 is an authentication bypass vulnerability.
To gain administrative access to a server, users usually need valid login credentials, like a username and password. In some cases, they may also need to pass Multi-Factor Authentication (MFA). With this vulnerability, attackers can skip the normal authentication process entirely.
The issue exists inside the cPanel service called cpsrvd, which handles:
- Login requests
- User sessions
- Authentication checks
- Web access to cPanel and WHM
Because cpsrvd is a core cPanel service, CVE-2026-41940 can potentially expose the entire server.
How Does the Vulnerability Work?
When someone visits a cPanel login page, the server creates a temporary session file before the user successfully logs in. The file stores information such as the visitor's IP address, temporary authentication data, and security tokens.
Researchers found that specially crafted login requests containing hidden, malicious characters called CRLF characters (Carriage Return and Line Feed) could manipulate how cPanel handled login and session data.
Because the cpsrvd service failed to properly sanitize this input, malicious users were able to inject their own data directly into the session file.
They could fake administrator-level session values. When the server read the modified session file, it treated the connection as a fully authenticated administrator session.
As a result, the attacker never needed to authenticate, and the server mistakenly believed the unauthorized user had already logged in. After gaining access, the attacker could:
- Take control of servers.
- Deploy ransomware.
- Steal sensitive data.
- Create new unauthorized accounts.
- Infect shared hosting environments that may host hundreds or even thousands of websites.
- Try to set up long-term access to compromised systems.
With this exploit, attackers do not need to steal passwords or run brute-force attacks; they get full administrative access by skipping the entire authentication process.
Long-Term Security Recommendations
After patching cPanel and WHM, consider the following recommendations to harden your systems and reduce the risk of future attacks.
Deploy a Web Application Firewall (WAF)
A Web Application Firewall (WAF) can filter malicious traffic before it reaches the server.
For example, in the case of CVE-2026-41940, a properly configured WAF may have helped reduce exposure by detecting and blocking suspicious CRLF patterns in HTTP headers.
While popular WAF solutions like Cloudflare and Imunify360 add an additional layer of protection and mitigate some exploit attempts, they should not be considered a replacement for regular security updates and patching.
Enable Automatic cPanel Updates
Even though some attackers may have been exploiting CVE-2026-41940 for months before it became public, the announcement triggered a much larger wave of attacks targeting servers that have not yet been patched.
Turning on automatic updates helps close the gap between when a security patch is released and when it is installed on your server. The chances that an attacker will exploit a known vulnerability before you apply an update manually will be much lower.
Whenever possible, keep cPanel and WHM on the Release or Stable update tier and make sure automatic updates for security patches are enabled.
Use Multi-Factor Authentication (MFA)
Multi-Factor Authentication adds another security layer on top of usernames and passwords. It is not as effective against bypass vulnerabilities such as CVE-2026-41940; however, it may help prevent follow-up attacks after an initial breach.
For example, if attackers use the exploit to steal credentials, create unauthorized accounts, or set up persistence for later access, MFA can make it harder for them to use stolen credentials again.
If you find evidence that a server has been compromised, it is a good idea to enable MFA for all administrator accounts as part of the hardening and recovery process.
Conclusion
A single flaw in how cPanel and WHM processed login data allowed attackers to bypass authentication and gain administrator access to servers worldwide.
As more websites and hosting platforms rely on the same centralized infrastructure and management tools, exploits like this could have an even bigger impact in the future.
To stay ahead of these threats, keep your systems updated, limit administrative access to as few users as possible, and use several layers of security instead of relying on a single protection mechanism.
