CVE-2026-41940: Critical cPanel Authentication Bypass Risks Hosting Security
A newly identified security vulnerability, designated as CVE-2026-41940, has emerged as a significant threat within the web hosting community, particularly affecting systems utilizing cPanel and WebHost Manager (WHM). This flaw, categorized as an authentication bypass vulnerability, compromises multiple authentication pathways, potentially enabling unauthorized access to sensitive control panel environments.
The vulnerability was officially recognized in a security advisory released on April 28, 2026, with subsequent updates, the latest being on April 29, 2026, at 02:46 PM CST. The advisory, titled “Security: CVE-2026-41940 – cPanel & WHM / WP2 Security Update 04/28/2026,” details the scope, impact, and mitigation strategies related to this issue.
According to the advisory, the root cause of the vulnerability lies in an authentication bypass flaw affecting cPanel software, including DNSOnly installations, across all versions released after 11.40. Initially lacking an official identifier, this issue is now widely recognized as CVE-2026-41940.
Affected Versions and Patch Releases
The vulnerability impacts all currently supported versions of cPanel and WHM. To mitigate the risks associated with this flaw, patches have been released for the following versions:
- 11.86.0.41
- 11.110.0.97
- 11.118.0.63
- 11.126.0.54
- 11.130.0.19
- 11.132.0.29
- 11.134.0.20
- 11.136.0.5
Additionally, WP Squared version 136.1.7 has also received a corresponding fix. The advisory emphasizes that administrators should promptly update their systems using the standard update script:
/scripts/upcp –force
Once the update is completed, it is essential to verify the installed version and restart the cPanel service (cpsrvd) to ensure the patch is effectively applied.
Immediate Mitigation Steps for CVE-2026-41940
For environments where immediate updates cannot be executed, temporary mitigation strategies have been recommended. These include blocking inbound traffic on ports 2083, 2087, 2095, and 2096 at the firewall level or disabling critical services such as cpsrvd and cpdavd.
Administrators are cautioned that systems with disabled automatic updates or those pinned to specific versions will not receive patches automatically. These systems must be manually updated as a priority to address the authentication bypass risk posed by CVE-2026-41940.
Detection Script and Indicators of Compromise
To aid administrators in identifying potential exploitation attempts, a detection script has been provided. This script scans session files located in /var/cpanel/sessions for indicators of compromise (IOCs). Key detection mechanisms include:
- Identification of session files containing both
token_deniedandcp_security_token, which strongly suggests exploitation attempts. - Detection of pre-authentication sessions containing authenticated attributes.
- Sessions marked with
tfa_verifiedbut lacking legitimate origin markers. - Multi-line password values, indicating possible session file corruption.
If the script detects suspicious activity, it generates warnings or critical alerts. In cases where compromise is confirmed, administrators are advised to:
- Purge all affected sessions.
- Force password resets for root and all WHM users.
- Audit system logs, such as
/var/log/wtmpand WHM access logs. - Investigate persistence mechanisms like cron jobs, SSH keys, or backdoors.
An example output included in the advisory demonstrates detection of an exploitation attempt originating from IP address 100.96.3.23, where an injected session token was identified alongside a failed authentication attempt.
Industry Response and Ongoing Monitoring
While cPanel has not disclosed detailed technical specifics about CVE-2026-41940, third-party hosting provider Namecheap confirmed that the issue involves an authentication login exploit that could allow unauthorized access to the control panel. As a precaution, Namecheap implemented firewall rules blocking TCP ports 2083 and 2087, temporarily restricting access to cPanel and WHM interfaces. The company stated that their team is actively monitoring the situation and will apply the official patch across all supported servers as soon as it becomes available.
The provider also confirmed that patches had been deployed across Reseller and Stellar Business servers, with broader rollout ongoing.
Urgency Around Updating cPanel Systems
The advisory underscores that any server running an unsupported version of cPanel remains at risk from this authentication bypass security flaw. Administrators are strongly urged to upgrade to a supported and patched version as soon as possible.
“If your server is not running a supported version of cPanel that is eligible for this update, it is highly recommended that you work toward updating your server as soon as possible, as it may also be affected,” the advisory notes.
For further details on this vulnerability and its implications, refer to the original reporting source: thecyberexpress.com.
Keep reading for the latest cybersecurity developments, threat intelligence and breaking updates from across the Middle East.
