A serious security issue in cPanel and WebHost Manager (WHM) is now drawing global attention. The vulnerability, now tracked as CVE-2026-41940, allows attackers to bypass authentication and gain full administrative access to affected servers.
With a CVSS score of 9.8, the flaw is considered critical and has already been seen exploited in the wild as a zero-day.
The issue lies in the authentication flow of cPanel and WHM. Due to a flaw linked to CRLF injection, attackers can manipulate session data before login is completed. This allows them to create a valid admin session without providing credentials.
A remote attacker can bypass the login screen, gain root-level access, and take full control of the server. Once inside, attackers can read or modify all hosted websites, access databases, steal credentials, and even deploy malware.
cPanel has confirmed that all supported versions were affected, but patches have now been released. The issue is fixed in the following builds:
- 11.86.0.41
- 11.110.0.97
- 11.118.0.63
- 11.126.0.54
- 11.130.0.19
- 11.132.0.29
- 11.134.0.20
- 11.136.0.5
If your server is not running one of these versions or newer, it remains at risk.
The company has also rolled out fixes for WP Squared (version 136.1.7), which shares similar authentication components.
Security researchers and hosting providers have confirmed that this vulnerability has been actively exploited for weeks, possibly longer. Reports suggest attack attempts date back to February.
Major hosting providers, including Namecheap and others, responded quickly by temporarily blocking access to cPanel and WHM ports (2083 and 2087) to prevent unauthorized access. Some providers even restricted customer access to their own control panels as an emergency measure while patches were being deployed.
The impact is massive. Millions of servers run cPanel globally, and security researchers estimate that over 2 million exposed instances are accessible over the internet. This is especially dangerous for shared hosting environments, where a single compromised server could expose hundreds or thousands of websites.
The situation is so serious that the Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring urgent patching.
cPanel has released a detection script and highlighted suspicious patterns, including:
- Sessions with both token_denied and cp_security_token
- Sessions marked as authenticated without proper origin
- tfa_verified sessions without valid login flow
- Password fields containing unexpected newline characters
These signs may indicate attempted or successful exploitation.
If you are using cPanel or WHM, immediate action is necessary:
Update your server using:
/scripts/upcp --forceYou should confirm your version matches one of the patched builds. Do not forget to restart cPanel services after updating. You can also restrict access to WHM and cPanel ports. For best security, enable two-factor authentication.
If you cannot patch immediately, apply temporary mitigations. Block ports 2083, 2087, 2095, and 2096 at the firewall. You should also stop cPanel services (cpsrvd, cpdavd) if needed.
