Full Report
A newly disclosed security issue, tracked as CVE-2026-41940, has raised significant concerns across the web hosting ecosystem, particularly for systems running cPanel and WebHost Manager (WHM). The flaw, described as an authentication bypass security vulnerability, affects multiple authentication pathways and could potentially allow unauthorized users to gain access to sensitive control panel environments. The vulnerability was formally acknowledged in a security advisory published on April 28, 2026, and later updated several times, with the most recent revision on April 29, 2026, at 02:46 PM CST. The advisory, titled “Security: CVE-2026-41940 - cPanel & WHM / WP2 Security Update 04/28/2026,” outlines the scope, impact, and mitigation steps associated with the issue. According to the advisory, the root cause lies in an authentication bypass security flaw affecting cPanel software, including DNSOnly installations, across all versions released after 11.40. While initially lacking an official identifier, the issue is now widely referenced as CVE-2026-41940. Affected Versions and Patch Releases The vulnerability impacts all currently supported versions of cPanel and WHM. To address the issue, patches have been released for the following versions: 11.86.0.41 11.110.0.97 11.118.0.63 11.126.0.54 11.130.0.19 11.132.0.29 11.134.0.20 11.136.0.5 Additionally, WP Squared version 136.1.7 has also received a corresponding fix. The advisory stresses that administrators should immediately update their systems using the standard update script: /scripts/upcp --force Once the update is complete, verification of the installed version and restarting the cPanel service (cpsrvd) is required to ensure the patch is properly applied. Immediate Mitigation Steps for CVE-2026-41940 For environments where updates cannot be applied right away, temporary mitigations have been recommended. These include blocking inbound traffic on ports 2083, 2087, 2095, and 2096 at the firewall level, or disabling key services such as cpsrvd and cpdavd. Administrators are also warned that systems with disabled automatic updates or pinned to specific versions will not receive patches automatically. These systems must be manually updated as a priority to mitigate the authentication bypass security risk posed by CVE-2026-41940. Detection Script and Indicators of Compromise To assist administrators in identifying potential exploitation attempts, a detection script has been provided. The script scans session files located in /var/cpanel/sessions for indicators of compromise (IOCs). Key detection mechanisms include: Identification of session files containing both token_denied and cp_security_token, which strongly suggests exploitation attempts. Detection of pre-authentication sessions containing authenticated attributes. Sessions marked with tfa_verified but lacking legitimate origin markers. Multi-line password values, indicating possible session file corruption. If the script detects suspicious activity, it outputs warnings or critical alerts. In cases where compromise is confirmed, administrators are instructed to: Purge all affected sessions Force password resets for root and all WHM users Audit system logs, such as /var/log/wtmp and WHM access logs Investigate persistence mechanisms like cron jobs, SSH keys, or backdoors An example output included in the advisory demonstrates detection of an exploitation attempt originating from IP address 100.96.3.23, where an injected session token was identified alongside a failed authentication attempt. Industry Response and Ongoing Monitoring Although cPanel has not disclosed detailed technical specifics about CVE-2026-41940, third-party hosting provider Namecheap confirmed that the issue involves “an authentication login exploit that could allow unauthorized access to the control panel.” As a precaution, Namecheap implemented firewall rules blocking TCP ports 2083 and 2087, temporarily restricting access to cPanel and WHM interfaces. The company stated, “Our team is actively monitoring the situation and will apply the official patch across all supported servers as soon as it becomes available.” The provider also confirmed that patches had been deployed across Reseller and Stellar Business servers, with broader rollout ongoing. Urgency Around Updating cPanel Systems The advisory emphasizes that any server running an unsupported version of cPanel remains at risk from this authentication bypass security flaw. Administrators are strongly urged to upgrade to a supported and patched version as soon as possible. “If your server is not running a supported version of cPanel that is eligible for this update, it is highly recommended that you work toward updating your server as soon as possible, as it may also be affected,” the advisory notes.
Analysis Summary
# Vulnerability: cPanel & WHM Authentication Bypass
## CVE Details
- **CVE ID:** CVE-2026-41940
- **CVSS Score:** Not explicitly listed (Severity: Critical/High based on authentication bypass nature)
- **CWE:** CWE-287 (Improper Authentication)
## Affected Systems
- **Products:** cPanel & WHM, cPanel DNSOnly, WP Squared
- **Versions:**
- All cPanel/WHM versions released after 11.40.
- All currently supported versions are impacted until patched.
- **Configurations:** Systems with automatic updates disabled or pinned to specific legacy versions are at maximum risk.
## Vulnerability Description
CVE-2026-41940 is an authentication bypass vulnerability affecting multiple authentication pathways within the cPanel & WHM software. The flaw allows unauthorized users to bypass standard login requirements to gain access to sensitive control panel environments and management interfaces. The root cause involves an logic error in how session tokens and authentication attributes are validated within the `cpsrvd` (cPanel service) daemon.
## Exploitation
- **Status:** Exploited in the wild (Third-party providers like Namecheap have confirmed active login exploits; detection scripts look for specific Indicators of Compromise).
- **Complexity:** Low to Medium
- **Attack Vector:** Network
## Impact
- **Confidentiality:** Critical (Access to sensitive hosting environments and user data)
- **Integrity:** Critical (Unauthorized modification of server configurations and account settings)
- **Availability:** High (Potential for service disruption or account lockout)
## Remediation
### Patches
Update to the following versions or higher as of April 28, 2026:
- **cPanel & WHM:** 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, 11.136.0.5
- **WP Squared:** 136.1.7
**Update Command:**
`usr/local/cpanel/scripts/upcp --force`
*Note: Restart `cpsrvd` after patching.*
### Workarounds
If patching is not immediate:
- Block inbound traffic on TCP ports **2083, 2087, 2095, and 2096** at the firewall level.
- Disable `cpsrvd` and `cpdavd` services.
## Detection
### Indicators of Compromise (IOCs)
- Session files in `/var/cpanel/sessions` containing both `token_denied` and `cp_security_token`.
- Pre-authentication sessions found with authenticated attributes already present.
- Sessions marked `tfa_verified` (Two-Factor Authentication) but lacking a legitimate origin marker.
- Multi-line password values in session files (indicates session corruption/injection).
- Log entries from suspicious IPs (e.g., 100.96.3.23) showing injected session tokens.
### Detection methods and tools
- Run the official cPanel detection script to scan `/var/cpanel/sessions`.
- Audit `/var/log/wtmp` and WHM access logs for unauthorized logins.
- Inspect system for persistence: check cron jobs, new SSH keys, and web backdoors.
## References
- Vendor Advisory: Security: CVE-2026-41940 - cPanel & WHM / WP2 Security Update
- Namecheap Security Update: hxxps[://]thecyberexpress[.]com/cpanel-cve-2026-41940-auth-bypass/
- cPanel Scripts: hxxp[://]thecyberexpress[.]com/firewall-daily/vulnerabilities/