Full Report
Incident responders at Rapid7 said successful exploitation of CVE-2026-41940 “grants an attacker control over the cPanel host system, its configurations and databases, and websites it manages.”
Analysis Summary
# Vulnerability: Critical Authentication Bypass in cPanel & WHM
## CVE Details
- **CVE ID**: CVE-2026-41940
- **CVSS Score**: 9.8 (Critical)
- **CWE**: Not explicitly listed (Technical descriptions imply Authentication Bypass)
## Affected Systems
- **Products**: cPanel & WHM (WebHost Manager)
- **Versions**: All versions prior to the April 28, 2026, security update.
- **Configurations**: Internet-exposed Linux-based web hosting servers running the cPanel suite.
## Vulnerability Description
CVE-2026-41940 is a critical high-severity flaw that allows for an authentication bypass. Successful exploitation grants an attacker full administrative control over the cPanel host system. This includes access to system configurations, internal databases, and all individual websites managed by the hosting instance. Experts describe the flaw as a "complete compromise" vector that leverages weaknesses in how the software validates identity.
## Exploitation
- **Status**: Exploited in the wild (Confirmed by CISA; evidence suggests activity since February 2026).
- **Complexity**: Low (Implied by rapid exploitation and "emergency brake" responses from major providers).
- **Attack Vector**: Network (Remotely exploitable over the internet).
- **PoC availability**: Tools for identifying vulnerable hosts have been released by watchTowr.
## Impact
- **Confidentiality**: High (Full access to all hosted data and databases).
- **Integrity**: High (Ability to manipulate website content and server configurations).
- **Availability**: High (Potential for complete service disruption and server takeover).
## Remediation
### Patches
- WebPros International released security updates for cPanel & WHM on **April 28, 2026**. Users must update to the latest available tier (Current, Stable, or LTS) provided by the vendor.
- **CISA Mandate**: Federal agencies are required to apply patches by **May 3, 2026**.
### Workarounds
- **Firewalling**: Restrict access to cPanel/WHM ports (typically 2083, 2087) to trusted IP addresses only.
- **Temporary Suspension**: Major hosting providers (Namecheap, HostPapa, etc.) have temporarily restricted user access to management interfaces to prevent exploitation while patching.
## Detection
- **Compromise Assessment Tool**: cPanel has released an official tool to help administrators determine if their specific instance has been breached.
- **Host Scanning**: watchTowr has released a tool to identify vulnerable hosts within an organization's network estate.
- **Log Analysis**: Monitor for unusual authentication patterns or unauthorized administrative changes dating back to February 2026.
## References
- **Vendor Advisory**: hxxps[://]support[.]cpanel[.]net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026
- **CISA KEV Catalog**: hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **watchTowr Labs Analysis**: hxxps[://]labs[.]watchtowr[.]com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/
- **Namecheap Status**: hxxps[://]www[.]namecheap[.]com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026/