Full Report
AL26-008 - Vulnerability affecting cPanel and WebHost Manager (WHM) - CVE-2026-41940
Analysis Summary
# Vulnerability: cPanel and WHM Missing Authentication for Administrative Interfaces
## CVE Details
- **CVE ID:** CVE-2026-41940
- **CVSS Score:** Not listed in the referenced advisories (the issue is categorized as "Critical")
- **CWE:** CWE-306 (Missing Authentication for Critical Function)
## Affected Systems
- **Products:** cPanel & WebHost Manager (WHM), WP squared
- **Versions:**
- cPanel & WHM versions prior to: 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, 11.136.0.5
- WP squared versions prior to: 11.136.1.7
- **Configurations:** Installations on release branches not listed above (end-of-life or otherwise unsupported) will not receive a fix and must be moved to a supported branch; they are the most exposed.
## Vulnerability Description
CVE-2026-41940 is a missing-authentication flaw (CWE-306) in the administrative interfaces of cPanel and WHM. A remote attacker with no credentials can bypass the authentication checks that normally guard these interfaces and reach critical management functions. Because those functions control the server itself and every site it hosts, unauthenticated access to them amounts to unauthorized entry into the panels used for server and website management.
## Exploitation
- **Status:** CCCS assesses exploitation as "highly probable". Public proof-of-concept availability is not confirmed in the referenced advisories; the vendor has released fixed versions (see Remediation).
- **Complexity:** Low (inferred: no credentials are needed, so the bypass is reachable by any client that can connect to the interface)
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Access to databases, email accounts, and administrative data)
- **Integrity:** High (Ability to modify server configurations and website content)
- **Availability:** High (Potential to take control of or disable thousands of downstream sites on shared hosting)
## Remediation
### Patches
Update cPanel & WHM to the fixed build for the installed release branch, or any later build on that branch:
- 11.110.0.97
- 11.118.0.63
- 11.126.0.54
- 11.132.0.29
- 11.134.0.20
- 11.136.0.5
- WP squared 11.136.1.7
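The fixed build depends on which release branch is installed, and a branch that is absent from the table has no fix at all. The following POSIX shell script, added here as an example and not taken from the advisory or from cPanel, encodes that table and classifies a version string as patched, vulnerable or unsupported. On a server the version comes from `/usr/local/cpanel/version`; the branch-to-build mapping and the treatment of WP squared as the `11.136.1` series are taken from the list above, and everything else is this example's own assumption.

```shell
#!/bin/sh
# Added example (not from the advisory or from cPanel): map an installed
# cPanel & WHM / WP squared version to the fixed build for its release
# branch and decide whether it is patched for CVE-2026-41940.

# Print the minimum fixed build for the branch that $1 belongs to.
# Return 1 when the branch has no listed fix (end-of-life or unknown).
fixed_version_for() {
  case "$1" in
    11.110.0.*) echo 11.110.0.97 ;;
    11.118.0.*) echo 11.118.0.63 ;;
    11.126.0.*) echo 11.126.0.54 ;;
    11.132.0.*) echo 11.132.0.29 ;;
    11.134.0.*) echo 11.134.0.20 ;;
    11.136.0.*) echo 11.136.0.5 ;;
    11.136.1.*) echo 11.136.1.7 ;;   # WP squared (assumed: the 11.136.1 series)
    *) return 1 ;;
  esac
}

# Classify an installed version: prints "patched", "vulnerable" or "unsupported".
# Within a matched branch only the fourth (build) number differs, so an
# integer comparison on that component is sufficient.
classify_version() {
  installed=$(printf '%s' "$1" | tr -d '[:space:]')
  fixed=$(fixed_version_for "$installed") || { echo unsupported; return 0; }
  build=${installed##*.}
  case "$build" in
    ''|*[!0-9]*) echo unsupported; return 0 ;;   # malformed build number
  esac
  if [ "$build" -ge "${fixed##*.}" ]; then
    echo patched
  else
    echo vulnerable
  fi
}

# On a cPanel server: read the version file and print "<version> <verdict>".
audit_local_install() {
  file=${1:-/usr/local/cpanel/version}
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
  v=$(cat "$file")
  printf '%s %s\n' "$v" "$(classify_version "$v")"
}
```

Run `audit_local_install` on the host; a verdict of `unsupported` means the branch itself must be upgraded, since no build on it will close the flaw. The table is deliberately the only thing that needs editing when a vendor release adds or drops a branch.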
### Workarounds
- **Network Restriction:** Restrict network access to the cPanel and WHM service ports with a firewall allowlist so that only trusted administrator IP ranges can reach the login portals and APIs. This reduces exposure even after patching and is the primary mitigation for hosts that cannot be updated immediately.
- **Service Isolation:** Segment the hosting server from internal management networks and other systems so that a compromised cPanel/WHM host cannot be used as a pivot for lateral movement.
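The network-restriction workaround as a concrete ruleset. This shell script is an added example, not the advisory's or cPanel's own code: it prints (rather than applies) iptables commands that funnel the standard cPanel service ports (2082/2083 cPanel, 2086/2087 WHM, 2095/2096 Webmail) through a dedicated chain that accepts only an administrator allowlist and drops everything else. The chain name and the allowlist addresses used below are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the advisory or from cPanel): generate iptables rules
# that expose the cPanel/WHM management ports only to an admin allowlist.
# Commands are printed for review; pipe the output to sh to apply them.

ADMIN_PORTS="2082 2083 2086 2087 2095 2096"   # cPanel, WHM, Webmail (HTTP/HTTPS)

# Print the iptables commands for a space-separated list of allowed CIDRs.
# Refuses an empty allowlist, which would lock every administrator out.
cpanel_allowlist_rules() {
  allowlist=$1
  if [ -z "$allowlist" ]; then
    echo "refusing to generate rules with an empty allowlist" >&2
    return 1
  fi
  # Dedicated chain (constructed name): create it, or flush it on reload.
  echo 'iptables -N CPANEL_ADMIN 2>/dev/null || iptables -F CPANEL_ADMIN'
  # One jump per port; -C checks first so repeated runs do not duplicate rules.
  for port in $ADMIN_PORTS; do
    echo "iptables -C INPUT -p tcp --dport $port -j CPANEL_ADMIN 2>/dev/null || iptables -I INPUT -p tcp --dport $port -j CPANEL_ADMIN"
  done
  # Trusted sources first, then a catch-all drop.
  for cidr in $allowlist; do
    echo "iptables -A CPANEL_ADMIN -s $cidr -j ACCEPT"
  done
  echo 'iptables -A CPANEL_ADMIN -j DROP'
}

# Example with constructed documentation addresses (review before applying):
#   cpanel_allowlist_rules "203.0.113.0/24 198.51.100.7"
```

Two caveats a practitioner should check before relying on this. First, if a firewall manager such as CSF or firewalld owns the ruleset, express the same allowlist in its configuration instead, because it will rewrite raw iptables rules on restart. Second, cPanel can also serve the interfaces through its service subdomains (cpanel., whm., webmail.) proxied over ports 80/443 by the web server; if that feature is enabled, restricting 208x alone does not close the exposure, so disable the proxy subdomains or apply the same allowlist at the web server.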
## Detection
- **Log Analysis:** Review the cPanel/WHM logs (`/usr/local/cpanel/logs/access_log` for requests, `/usr/local/cpanel/logs/login_log` for authentication events) for requests to administrative endpoints from unexpected source addresses, and in particular for successful requests that are not tied to an authenticated session.
- **Version Auditing:** Confirm the installed version from the command line (for example by reading `/usr/local/cpanel/version`) and compare it with the fixed build for that release branch; a branch with no listed fix is unsupported and must be upgraded.
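The log-analysis step as a runnable triage heuristic for a missing-authentication flaw. This is an added example, not the advisory's or cPanel's own detection content: it scans combined-style access-log lines and flags requests to administrative surfaces that either succeeded with no authenticated user recorded, or came from an address outside the administrator allowlist. Assumptions to verify against a real line from `/usr/local/cpanel/logs/access_log` before relying on it: the field order (client IP, `-`, user or `-`, `[timestamp tz]`, `"METHOD PATH PROTO"`, status, ...), the choice of `/json-api/`, `/xml-api/` and `/scripts*/` as the administrative path prefixes, and the sample lines, which are constructed for this example and are not real traffic.

```shell
#!/bin/sh
# Added example (not from the advisory or from cPanel): flag suspicious use of
# administrative endpoints in a combined-style cPanel/WHM access log.
# Assumed field positions: $1 ip, $3 user, $7 request path, $9 HTTP status.

# Usage: flag_admin_access "<ERE of trusted admin IPs>" < access_log
# Output: one line per hit -> reason ip user status path
flag_admin_access() {
  allow_re=$1
  [ -n "$allow_re" ] || allow_re='^$'   # empty allowlist: trust no source
  # The allowlist is passed via the environment so awk does not reinterpret
  # backslash escapes in the regex (as -v assignments would).
  ALLOW_RE="$allow_re" awk '
    BEGIN { allow = ENVIRON["ALLOW_RE"] }
    {
      ip = $1; user = $3; path = $7; status = $9
      # Administrative surfaces (assumed prefixes): WHM/cPanel APIs and scripts.
      if (path !~ /\/(json-api|xml-api|scripts[0-9]*)\//) next
      # A 2xx on an admin endpoint with no user recorded is the CWE-306 signature.
      if (status ~ /^2/ && user == "-")
        printf "unauthenticated-success %s %s %s %s\n", ip, user, status, path
      # Anything else on an admin endpoint from outside the allowlist is worth a look.
      else if (ip !~ allow)
        printf "untrusted-source %s %s %s %s\n", ip, user, status, path
    }'
}

# Constructed sample lines (not real traffic) to exercise the heuristic.
sample_log() {
  cat <<'EOF'
203.0.113.10 - root [28/04/2026:09:01:12 +0000] "GET /cpsess4413209917/json-api/listaccts?api.version=1 HTTP/1.1" 200 8812 "" "Mozilla/5.0" "s"
198.51.100.77 - - [28/04/2026:09:03:45 +0000] "GET /json-api/listaccts?api.version=1 HTTP/1.1" 200 8812 "" "curl/8.5.0" "-"
198.51.100.77 - - [28/04/2026:09:03:50 +0000] "GET /login/?login_only=1 HTTP/1.1" 401 0 "" "curl/8.5.0" "-"
203.0.113.10 - - [28/04/2026:09:05:02 +0000] "POST /scripts/doadddomain HTTP/1.1" 403 0 "" "curl/8.5.0" "-"
192.0.2.9 - bob [28/04/2026:09:06:30 +0000] "GET /cpsess0000000001/frontend/jupiter/index.html HTTP/1.1" 200 1200 "" "Mozilla/5.0" "s"
192.0.2.9 - root [28/04/2026:09:07:11 +0000] "POST /xml-api/createacct HTTP/1.1" 200 300 "" "python-requests/2.31" "-"
EOF
}

# Example run against the constructed lines, trusting only 203.0.113.0/24:
#   sample_log | flag_admin_access '^203\.0\.113\.'
```

On the sample, the second line (a 200 from the API with no user) and the last line (an account-creation call from an address outside the allowlist) are flagged; the WHM login and the customer's cPanel session are not. Use the same allowlist as the firewall so that any hit on the untrusted-source rule is also evidence that the network restriction is not in place. If the flaw turns out not to leave the user field empty, the untrusted-source rule is the one that still catches it, which is why both are kept.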
## References
- cPanel Security Update: hxxps[://]support[.]cpanel[.]net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026
- CCCS Alert AL26-008: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/al26-008-vulnerability-affecting-cpanel-webhost-manager-whm-cve-2026-41940
- NVD Detail: hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2026-41940