
    cPanel zero-day exploited for months before patch release (CVE-2026-41940)

    By admin | April 30, 2026

    A critical authentication bypass vulnerability (CVE-2026-41940) in cPanel, a popular web-based control panel for managing web hosting accounts, is being exploited by attackers in the wild.


    What’s more, attackers didn’t have to wait for watchTowr security researchers to release technical details about the vulnerability – they have been spotted exploiting CVE-2026-41940 since February 23, and have likely been abusing it even earlier.

    About CVE-2026-41940

    cPanel, typically provided by shared hosting companies, is one of the most widely used hosting control panels. WHM (Web Host Manager) is used by hosting providers to manage multiple cPanel accounts on a server.

    CVE-2026-41940 stems from missing authentication for a critical function, and allows unauthenticated remote attackers to gain unauthorized access to the control panel.

    “Before authentication occurs, cpsrvd (the cPanel service daemon) writes a new session file to the disk. The vulnerability allows an attacker to manipulate the whostmgrsession cookie by omitting an expected segment of the cookie value, avoiding the encryption process typically applied to an attacker-provided value,” Rapid7 researcher Ryan Emmons explained.

    “Attackers can inject raw \r\n characters via a malicious basic authorization header, and the system subsequently writes the session file without sanitizing the data. As a result, the attacker can insert arbitrary properties, such as user=root, into their session file. After triggering a reload of the session from the file, the attacker establishes administrator-level access for their token.”
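The write-path flaw described above can be modelled in a few lines. This is an added example, not cPanel's code and not taken from the advisory or from Rapid7: it assumes a simplified line-oriented `key=value` session file, and every function and field name in it is hypothetical. It contrasts a writer that stores values verbatim with one that rejects control characters, plus a reader that refuses duplicate keys.

```python
class SessionFieldError(ValueError):
    """Raised when a field cannot be stored safely in a line-oriented file."""


def write_session_unsafe(fields):
    # Flawed pattern: values are written verbatim, so a CR or LF inside a
    # value ends the current line and starts a new, caller-chosen property.
    return "".join(f"{k}={v}\n" for k, v in fields.items())


def write_session_safe(fields):
    # Hardened pattern: refuse any key or value that contains a control
    # character (CR and LF included) before it reaches the file.
    lines = []
    for k, v in fields.items():
        bad = any(ord(c) < 0x20 or ord(c) == 0x7F for c in k + v)
        if not k or "=" in k or bad:
            raise SessionFieldError(f"illegal character in session field {k!r}")
        lines.append(f"{k}={v}\n")
    return "".join(lines)


def read_session(text, strict=True):
    # Reader-side defence in depth: a key that appears twice suggests the
    # file was tampered with, so strict mode rejects it instead of letting
    # the last value win.
    session = {}
    for line in text.split("\n"):
        line = line.rstrip("\r")
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise SessionFieldError(f"malformed line {line!r}")
        if strict and key in session:
            raise SessionFieldError(f"duplicate key {key!r}")
        session[key] = value
    return session


# Constructed sample: a pre-authentication session whose 'pass' value came
# from an untrusted header and carries an embedded CRLF.
UNTRUSTED = {"origin": "preauth", "pass": "x\r\nuser=root"}
```

Validation on write is the primary fix; the duplicate-key check only catches cases where the injected property collides with one already in the file.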

    In-the-wild exploitation and vulnerability disclosure

    WebPros International L.L.C., the firm that develops cPanel, published a security advisory for CVE-2026-41940 on April 28, and released security updates a few hours later.

    According to Daniel Pearson, the CEO of managed hosting provider KnownHost, they were notified of this around the same time. They immediately began blocking WHM/cPanel login ports across the KnownHost network, and then started implementing the security updates.

    Other hosting providers did the same.

    The disclosure timeline for CVE-2026-41940 is a bit murky. According to a webhosting.today source, the vulnerability “had been reported to cPanel approximately two weeks before the April 28 public advisory, and (…) cPanel’s initial response was that nothing was wrong.”

    Whether the reporter knew about the in-the-wild exploitation is unclear. It’s also unclear why WebPros did not communicate the existence of such a critical vulnerability to hosting providers sooner and provide mitigation steps while they were working on fixes.

    What to do?

    CVE-2026-41940 affects all cPanel and WHM versions after v11.40, and v136.1.7 of WP Squared, a managed WordPress hosting platform built on top of cPanel.

    “Successful exploitation of CVE-2026-41940 grants an attacker control over the cPanel host system, its configurations and databases, and websites it manages,” Rapid7’s Emmons noted, and added that Shodan shows approximately 1.5 million cPanel instances exposed to the internet (though it’s unknown how many of those are vulnerable).

    The security advisory counsels updating to a patched cPanel version, verifying the cPanel build version, and restarting the cPanel service (cpsrvd).

    Mitigations include blocking inbound traffic on ports 2083, 2087, 2095, and 2096 at the firewall and stopping the cpsrvd and cpdavd services.

    The company has also provided a script for customers to search for known indicators of compromise.

    “At least on our network and the cases I’ve reviewed, any exploit has amounted to ‘let me see if this works’ and then no other changes/attempts past that,” Pearson told customers.

    “After a thorough review we’ll reach out to anyone impacted directly, but again I’ve seen no signs of any active compromise, injected payload or anything other than confirming access.”
