CVE-2026-41940 is a critical authentication bypass vulnerability in cPanel and WHM with a CVSS score of 9.8. It allows unauthenticated remote attackers to gain root-level administrative access to affected servers without any credentials. The flaw exists in how cPanel handles session files during the login process, and it affects all supported versions of cPanel and WHM from v11.40 onwards.
Exploitation in the wild began in February 2026, two months before the patch was released on 28 April 2026. Patched versions are available across all release tracks. Server administrators must update immediately and run cPanel’s compromise detection script to check whether the server was breached prior to patching.
This is not a routine security notice. A critical vulnerability has been identified affecting all supported versions of cPanel and WHM (Web Host Manager), and it is being actively exploited right now. Tracked as CVE-2026-41940, this is a zero-day flaw, meaning attackers were abusing it months before a patch even existed. Evidence suggests exploitation began as early as February 2026, a full two months before the patch was released on 28 April 2026.
If your server runs cPanel or WHM and you have not yet patched, your server should be considered at risk. Stop what you are doing and work through the steps below.
What Is This Vulnerability?
In plain terms, this vulnerability allows an attacker to log in to your cPanel or WHM control panel without a username or password. It is classified as an authentication bypass, one of the most severe categories of security flaw that exist, and it carries a near-perfect CVSS severity score of 9.8 out of 10.
To understand why this is so serious, here’s a quick primer on what these control panels do:
- WHM (Web Host Manager) is the root-level administrative interface. It gives whoever accesses it complete control over the entire server: SSL certificates, user accounts, security settings, firewall rules, and everything in between.
- cPanel is the user-facing control panel for individual hosting accounts, managing websites, email, databases, and files.
This vulnerability affects both. If exploited, an attacker gains the equivalent of a master key to your server and every account on it.
How does the attack work?
The flaw is in how cpsrvd, the cPanel service daemon, handles login sessions. Before authentication takes place, cpsrvd writes a session file to disk. By manipulating the whostmgrsession browser cookie, an attacker can inject attacker-controlled data into that session file, bypassing the encryption that should stop a client from influencing its contents. The result is a session file written to disk with user=root already set, which grants full administrative access without a password ever being known. Because no credential is checked at any point, strong passwords offer no protection against this attack.
This does not require sophisticated tools or insider knowledge. Proof-of-concept exploit code has already been published publicly by security researchers, meaning the barrier to attack is extremely low.
Who is affected?
All cPanel & WHM versions from v11.40 onwards are vulnerable, as well as WP Squared (a managed WordPress hosting platform built on cPanel) prior to version 136.1.7. This covers the overwhelming majority of servers running cPanel worldwide. If you are not on a patched version, you are exposed.
What Are the Risks If You Don’t Patch?
The consequences of a successful exploit are severe. An attacker with access to WHM has the same level of control as a legitimate server administrator. That means they could:
- Take full administrative control of your server
- Access, exfiltrate, modify, or permanently delete all hosted websites, databases, and email accounts
- Install malware, backdoors, or ransomware
- On shared hosting environments, compromise every single website and account hosted on that server, not just your own
This is not theoretical. Exploitation is already happening. Every hour without a patch is an hour of unnecessary exposure.
What You Need to Do
Step 1 – Check Your Version
You must be running the patched version listed for your release track, or a later build within that track, to be safe:
| Release Track | Patched Version |
|---|---|
| 11.86 | 11.86.0.41 |
| 11.110 | 11.110.0.97 |
| 11.118 | 11.118.0.63 |
| 11.126 | 11.126.0.54 |
| 11.130 | 11.130.0.19 |
| 11.132 | 11.132.0.29 |
| 11.134 | 11.134.0.20 |
| 11.136 | 11.136.0.5 |
To check your version via WHM:
Log in to WHM as the root user and look at the cPanel Version number displayed in the top grey banner.
To check your version via SSH:
Log in to your server and run:
/usr/local/cpanel/cpanel -V
If your version is lower than the patched version for your release track, your server is vulnerable and you must update immediately. If your release track does not appear in the table at all, there is no patched build for it, and you will need to upgrade to a supported track.
Step 2 – Update cPanel
Before updating, we strongly recommend taking a full backup of your server. cPanel updates are generally straightforward, but having a recent backup means you have a restore point if anything goes wrong during the process. You can create a backup via WHM under Backup >> Backup Configuration, or via your existing backup solution if you have one in place.
Given the severity of this vulnerability, do not let taking a backup delay you significantly. If you are short on time, proceed with the update and schedule a full backup immediately afterwards.
Option A: Update via the WHM Interface (Recommended)
This is the simplest method and suitable for most users.
- Log in to your WHM control panel as the root user.
- Navigate to cPanel >> Upgrade to Latest Version (or type Upgrade to Latest Version in the search bar).
- Start the upgrade process and wait for it to complete.
- Once finished, confirm the update was successful by checking the cPanel Version number in the top banner of WHM.
Option B: Update via SSH (Advanced)
For those comfortable with the command line:
- Log in to your server via SSH as the root user.
- Confirm your current version:
/usr/local/cpanel/cpanel -V
- If the version is vulnerable, run the update script:
/scripts/upcp
- Wait for the update to complete.
- Confirm you are now on a patched version:
/usr/local/cpanel/cpanel -V
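As an added example (this is not a cPanel script and not part of the original notice), the following POSIX shell script performs Step 1 and Option B of Step 2 in one go: it reads the installed version, compares it with the patched build for its release track from the table above, and runs /scripts/upcp only when the server is actually behind. It assumes that /usr/local/cpanel/cpanel -V prints a version string such as 11.118.0.40 (a form without the leading 11. is also accepted); the script name and the --check/--apply flags are our own.

```shell
#!/bin/sh
# Added example for this article (not a cPanel script): compare the installed
# cPanel/WHM version with the patched build for its release track, and only
# run /scripts/upcp when the server is behind.
#
# Assumption (labelled): `/usr/local/cpanel/cpanel -V` prints a version such as
# "11.118.0.40"; a form without the leading "11." ("118.0.40") is also accepted.
set -u

# Patched build per release track, copied from the table in Step 1.
PATCHED_VERSIONS="86:11.86.0.41
110:11.110.0.97
118:11.118.0.63
126:11.126.0.54
130:11.130.0.19
132:11.132.0.29
134:11.134.0.20
136:11.136.0.5"

# Drop the leading "11." so both output forms compare the same way.
normalize() {
  printf '%s\n' "$1" | sed 's/^11\.//'
}

# version_ge A B: succeed (return 0) when A >= B, comparing each dot-separated
# component numerically (so 11.110.0.100 is newer than 11.110.0.97).
version_ge() {
  a=$(normalize "$1"); b=$(normalize "$2")
  i=1
  while :; do
    x=$(printf '%s\n' "$a" | cut -d. -f"$i")
    y=$(printf '%s\n' "$b" | cut -d. -f"$i")
    [ -z "$x" ] && [ -z "$y" ] && return 0   # all components equal
    x=${x:-0}; y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
}

# patch_status VERSION: print "patched", "vulnerable (...)" or "unknown-track".
# Exit status: 0 patched, 1 vulnerable, 2 track not in the advisory table.
patch_status() {
  v=$(normalize "$1")
  track=${v%%.*}
  patched=$(printf '%s\n' "$PATCHED_VERSIONS" | awk -F: -v t="$track" '$1 == t { print $2 }')
  if [ -z "$patched" ]; then
    echo "unknown-track"
    return 2
  fi
  if version_ge "$v" "$patched"; then
    echo "patched"
    return 0
  fi
  echo "vulnerable (installed $1, patched build is $patched)"
  return 1
}

# Live run: "--check" only reports; "--apply" also runs the update when needed.
case "${1:-}" in
  --check|--apply)
    installed=$(/usr/local/cpanel/cpanel -V 2>/dev/null | head -n 1 | cut -d' ' -f1)
    patch_status "$installed" && exit 0
    rc=$?
    if [ "$rc" -eq 1 ] && [ "$1" = "--apply" ]; then
      /scripts/upcp
      # Patching closes the hole but does not undo a prior breach: run cPanel's
      # compromise detection script from the advisory afterwards (Step 3).
      patch_status "$(/usr/local/cpanel/cpanel -V | head -n 1 | cut -d' ' -f1)"
      exit $?
    fi
    exit "$rc"
    ;;
esac
```

Run it with --check first; --apply is the only mode that touches the server. The comparison is numeric per component, so 11.110.0.100 is treated as newer than 11.110.0.97, which a plain string comparison would get wrong, and a track missing from the table is reported as unknown rather than silently passed.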
Step 3 – Check for Signs of Compromise
Patching closes the door, but it does not undo damage that may have already been done. Given that this vulnerability was being actively exploited for months before the patch was released, you cannot assume your server is clean simply because you’ve updated it.
Once patched, you must run the detection script provided by cPanel to check whether a compromise has already occurred. Instructions for this are in the official cPanel security advisory.
Do not skip this step. If the detection script identifies any indicators of compromise, treat your server as breached and escalate immediately.
Summary
| What | CVE-2026-41940: Authentication Bypass in cPanel & WHM |
|---|---|
| Severity | Critical (CVSS 9.8) |
| Affected | All cPanel/WHM versions from v11.40; WP Squared < 136.1.7 |
| Risk | Full server takeover without credentials |
| Status | Actively exploited in the wild since at least February 2026 |
| Fix | Update to a patched version immediately |
There is no workaround for this vulnerability. The only fix is to patch.
If you are a CWCS customer on a managed server and want to know more, contact our support team. For unmanaged servers, follow the steps above without delay. If you have any doubt about your exposure, get in touch.
Official cPanel Advisory: https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026