cPanel and WHM Authentication Bypass Vulnerability Exploited in the Wild (CVE-2026-41940)
Security researchers have identified a critical severity vulnerability impacting cPanel and WHM (Web Host Manager). Tracked as CVE-2026-41940, the vulnerability is being actively exploited in the wild. Successful exploitation of the vulnerability may allow an attacker to take control over the cPanel host system, its configurations and databases, and the websites it manages.
cPanel and WHM are popular, integrated Linux-based web hosting control panels. cPanel is the user-facing interface for managing individual websites (emails, files, databases), while WHM is the backend administrator tool for managing server-level configurations, resellers, and multiple cPanel accounts. Together, they automate hosting management.
Both products are among the most widely deployed hosting control panels, popular with many hosting providers for their standardized interfaces, ease of use for non-technical users, and deep integration with common hosting stacks.
A quick search revealed more than 17,700 publicly available targets on Fofa at the time of writing.
Vulnerability Details
A security researcher at watchTowr Labs released a blog post describing the exploitation of CVE-2026-41940 in cPanel/WHM via a four-step chain, emphasizing session manipulation via CRLF injection and cache promotion.
Step 1: Mint Preauth Session
Trigger session creation with a failed login to /login/?login_only=1 using wrong credentials. This generates a cookie and writes a raw session file at /var/cpanel/sessions/raw/<session_id> with initial keys like needs_auth=1 and cp_security_token.
Step 2: CRLF Injection
Send a GET to / with the session cookie stripped of its <obhex> part and a crafted Authorization: Basic header. The base64-decoded password portion of that header injects CRLF sequences, writing new top-level keys to the raw session file, because the missing <ob> part causes the encoding and sanitization step to be skipped.
Step 3: Cache Promotion
Request a token-denied endpoint like /scripts2/listaccts without a cp_security_token and using the manipulated session cookie. This invokes Cpanel::Session::Modify::new (reads raw file directly due to nocache=1) followed by Modify::save, parsing injected lines as top-level keys and updating the JSON cache to reflect them.
Step 4: Bypass Password Check
Subsequent requests to authenticated endpoints load the promoted cache, setting globals like $successful_internal_auth_with_timestamp. This skips /etc/shadow validation in docheckpass_whostmgrd and check_authok_user, granting root access without credentials.
Affected versions
- cPanel & WHM 11.110.0 versions before 11.110.0.97
- cPanel & WHM 11.118.0 versions before 11.118.0.63
- cPanel & WHM 11.126.0 versions before 11.126.0.54
- cPanel & WHM 11.132.0 versions before 11.132.0.29
- cPanel & WHM 11.134.0 versions before 11.134.0.20
- cPanel & WHM 11.136.0 versions before 11.136.0.5
- WP Squared 11.136.1 versions before 11.136.1.7
Mitigation
The vendor released the following cPanel & WHM versions to patch the vulnerability:
- 11.86.0.41
- 11.110.0.97
- 11.118.0.63
- 11.126.0.54
- 11.130.0.19
- 11.132.0.29
- 11.136.0.5
- 11.134.0.20
Users must upgrade to WP Squared version 136.1.7 to patch the vulnerability.
For more information, please refer to the Vendor Security Advisory.
Steps to mitigate
Here are the steps the vendor suggests to patch the vulnerability:
- Update the server to one of the patched versions immediately using the cPanel update script:
/scripts/upcp --force
- Once the update has been completed, verify and confirm the cPanel build version being returned and perform a restart of the cPanel service (cpsrvd):
/usr/local/cpanel/cpanel -V
/scripts/restartsrv_cpsrvd
- If the user has disabled cPanel updates or pinned the cPanel update configuration to a specific version, then these will not auto-update. Users will have to identify and manually update these servers. Information on how to customize cPanel’s Update Preferences from the Command line is mentioned in the article: How to Customize cPanel’s Update Preferences from the Command Line.
- In cases where users cannot perform the above resolution, please apply one of the following mitigations:
  - Block inbound traffic on ports 2083, 2087, 2095, and 2096 at the firewall, or
  - Stop cpsrvd and cpdavd:
    whmapi1 configureservice service=cpsrvd enabled=0 monitored=0 && whmapi1 configureservice service=cpdavd enabled=0 monitored=0 && /scripts/restartsrv_cpsrvd --stop && /scripts/restartsrv_cpdavd --stop
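To operationalize the vendor steps above across a fleet, here is an added shell example (not from the advisory or from cPanel) that classifies a build string against the patched releases listed in this post and flags update preferences that would keep /scripts/upcp from pulling the fix on its own. It assumes builds have the 11.MINOR.PATCH.BUILD form that /usr/local/cpanel/cpanel -V prints and that update preferences are KEY=value lines as in /etc/cpupdate.conf; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not vendor code): classify a cPanel & WHM build against the
# patched releases listed above and flag update preferences that would keep
# /scripts/upcp from pulling the fix automatically.
# Assumptions: builds look like 11.MINOR.PATCH.BUILD (what /usr/local/cpanel/cpanel -V
# prints) and preferences are KEY=value lines as in /etc/cpupdate.conf.

# First patched build per branch, copied from the vendor list in this post.
patched_build() {
  case "$1" in
    11.86.0)  echo 41 ;;  11.110.0) echo 97 ;;  11.118.0) echo 63 ;;
    11.126.0) echo 54 ;;  11.130.0) echo 19 ;;  11.132.0) echo 29 ;;
    11.134.0) echo 20 ;;  11.136.0) echo 5 ;;   11.136.1) echo 7 ;;  # WP Squared
    *) echo "" ;;
  esac
}

# Prints patched / vulnerable / unknown-branch / invalid; exit 0 only when patched.
check_version() {
  ver="$1"; branch="${ver%.*}"; build="${ver##*.}"
  case "$build" in ''|*[!0-9]*) echo invalid; return 2 ;; esac
  min="$(patched_build "$branch")"
  [ -n "$min" ] || { echo unknown-branch; return 2; }
  [ "$build" -ge "$min" ] && { echo patched; return 0; }
  echo vulnerable; return 1
}

# Reads cpupdate.conf-style lines on stdin. Prints "auto" when daily updates on
# a named tier will deliver the fix, "pinned" when UPDATES is off or CPANEL is
# locked to an explicit 11.x version (the case the vendor says to handle by hand).
update_policy() {
  updates=daily; tier=release
  while IFS='=' read -r k v; do
    case "$k" in UPDATES) updates="$v" ;; CPANEL) tier="$v" ;; esac
  done
  [ "$updates" = daily ] || { echo pinned; return 1; }
  case "$tier" in 11.*) echo pinned; return 1 ;; esac
  echo auto
}

# Constructed sample inputs (not real host output) so this runs offline.
for v in 11.118.0.62 11.118.0.63 11.136.1.6 11.136.0.5 12.0.0.1; do
  printf '%-12s %s\n' "$v" "$(check_version "$v")"
done
printf 'UPDATES=daily\nCPANEL=release\n' | update_policy
printf 'UPDATES=never\nCPANEL=11.118\n' | update_policy
```

On a live host, feed it the real values instead of the samples: check_version "$(/usr/local/cpanel/cpanel -V)" and update_policy < /etc/cpupdate.conf.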
Qualys Detection
Qualys customers can scan their devices with QIDs 734113 and 734114 to detect vulnerable assets.
QID 734114 is for customers with access to the ETM.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026
https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/