
CVE-2026-41940: cPanel & WHM Authentication Bypass

Rapid7




Overview

On April 28, 2026, cPanel issued a security update to fix a critical vulnerability affecting the cPanel & WHM and WP Squared products. In the cPanel release notes, the bug was described as "an issue with session loading and saving." CVE-2026-41940, the identifier subsequently assigned on April 29, 2026, has a CVSS score of 9.8 and allows unauthenticated remote attackers to bypass authentication and gain unauthorized administrative access to the affected systems. First-party cPanel & WHM and WP Squared vendor advisories are available.

cPanel & WHM is web hosting control panel software used to manage websites and servers. WHM provides root-level administration, while cPanel acts as the user-facing interface. Successful exploitation of CVE-2026-41940 grants an attacker control over the cPanel host system, its configurations and databases, and the websites it manages. A naive Shodan query for potential targets returns approximately 1.5 million cPanel instances exposed to the internet that may be vulnerable.

A managed cPanel host, KnownHost, stated that CVE-2026-41940 is actively being exploited in the wild, with speculation of targeted zero-day exploitation happening as early as February 23, 2026, prior to the vulnerability's public disclosure. Security firm watchTowr has published a technical analysis and proof-of-concept exploit for CVE-2026-41940. As such, widespread exploitation in the wild is expected to be imminent.

Technical overview

Systems exposing the affected web service software are vulnerable by default.

As of April 29, 2026, a technical analysis and proof-of-concept exploit have been published by security firm watchTowr. CVE-2026-41940 is an authentication bypass caused by a Carriage Return Line Feed (CRLF) injection in the login and session loading processes of cPanel & WHM.

Before authentication occurs, `cpsrvd` (the cPanel service daemon) writes a new session file to disk. The vulnerability allows an attacker to manipulate the `whostmgrsession` cookie by omitting an expected segment of the cookie value, avoiding the encryption process typically applied to an attacker-provided value. Attackers can inject raw `\r\n` characters via a malicious basic authorization header, and the system subsequently writes the session file without sanitizing the data. As a result, the attacker can insert arbitrary properties, such as `user=root`, into their session file. After triggering a reload of the session from the file, the attacker establishes administrator-level access for their token.

Mitigation guidance

Organizations running on-premise instances of cPanel & WHM or WP Squared should prioritize upgrading to a fixed version on an emergency basis. Some hosting providers have opted to temporarily institute workaround TCP port blocks for cPanel & WHM web services on ports 2083 and 2087. However, defenders are strongly advised to patch rather than implement workarounds.

Affected software

The vendor states that all versions after 11.40 are affected, prior to the following available fixed versions:

- cPanel & WHM 11.86.0 versions prior to fixed version 11.86.0.41
- cPanel & WHM 11.110.0 versions prior to fixed version 11.110.0.97
- cPanel & WHM 11.118.0 versions prior to fixed version 11.118.0.63
- cPanel & WHM 11.126.0 versions prior to fixed version 11.126.0.54
- cPanel & WHM 11.130.0 versions prior to fixed version 11.130.0.19
- cPanel & WHM 11.132.0 versions prior to fixed version 11.132.0.29
- cPanel & WHM 11.134.0 versions prior to fixed version 11.134.0.20
- cPanel & WHM 11.136.0 versions prior to fixed version 11.136.0.5
- WP Squared versions prior to fixed version 136.1.7

Please read the vendor advisory for the latest guidance.

Exposure Command, InsightVM, and Nexpose

Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-41940 with authenticated vulnerability checks available in the April 30, 2026 content release.

Updates

April 29, 2026: Initial publication.

April 30, 2026: Update mitigation guidance with additional fixed version numbers and change wording to reflect availability of vulnerability checks.
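The "Technical overview" above describes the root cause as a CRLF injection into a line-oriented session file: an attacker-influenced value containing raw `\r\n` is written verbatim, so the loader later reads the injected text as a separate property. The following added illustration (written for this page, not cPanel's code, and using a hypothetical `key=value` session format rather than cPanel's real one) shows why writing unsanitized values is unsafe and what a hardened serializer and loader look like. The tainted property value is constructed for the example.

```python
"""CRLF injection into a line-oriented session store: unsafe vs hardened.

Hypothetical key=value session format, added for illustration only; it is
not cPanel's session format or code.
"""
import re

# Keys are identifiers; values may contain anything except ASCII control
# characters (CR, LF, NUL, ...), which is what a CRLF injection relies on.
SAFE_KEY = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
SAFE_VALUE = re.compile(r"^[^\x00-\x1f\x7f]*$")


def serialize_unsafe(props: dict) -> str:
    """Writes values verbatim.  A value holding "\\r\\n" therefore becomes
    extra lines, i.e. extra properties, in the session file."""
    return "".join(f"{k}={v}\r\n" for k, v in props.items())


def serialize_safe(props: dict) -> str:
    """Rejects any key or value that could break the line structure."""
    for k, v in props.items():
        if not SAFE_KEY.match(k):
            raise ValueError(f"invalid session key: {k!r}")
        if not SAFE_VALUE.match(v):
            raise ValueError(f"control character in value for key {k!r}")
    return "".join(f"{k}={v}\r\n" for k, v in props.items())


def load_naive(text: str) -> dict:
    """Typical permissive loader: last occurrence of a key wins."""
    props = {}
    for line in text.splitlines():
        if line:
            k, _, v = line.partition("=")
            props[k] = v
    return props


def load_strict(text: str) -> dict:
    """Defence in depth on the read side: a duplicated key (the fingerprint
    of an injected property) or a malformed line aborts the load."""
    props = {}
    for line in text.splitlines():
        if not line:
            continue
        k, sep, v = line.partition("=")
        if not sep or not SAFE_KEY.match(k) or not SAFE_VALUE.match(v):
            raise ValueError(f"malformed session line: {line!r}")
        if k in props:
            raise ValueError(f"duplicate session key: {k!r}")
        props[k] = v
    return props


def rejected_by_safe_writer(props: dict) -> bool:
    """True if the hardened serializer refuses these properties."""
    try:
        serialize_safe(props)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed example: the second value smuggles a new "user" line.
    tainted = {"user": "guest", "note": "hello\r\nuser=root"}
    print(load_naive(serialize_unsafe(tainted)))   # user is now "root"
    print(rejected_by_safe_writer(tainted))         # True
```

The writer-side check is the actual fix for this class of bug; the strict loader is a second line that turns an already-corrupted session file into a failed login instead of a privilege change.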
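To turn the "Affected software" list above into an inventory check, the following added script (not Rapid7's or cPanel's code) transcribes the fixed versions from this page and classifies a version string. It assumes the version string is already obtained from the host by whatever means your inventory uses; the `assess` and `parse_version` helpers are this example's own. Branches that the list does not name are reported as unknown rather than guessed at, and the vendor advisory remains the authority.

```python
"""Classify a cPanel & WHM or WP Squared version against the fixed versions
named in the advisory text above (transcribed here; added example)."""
from typing import Dict, Tuple

Version = Tuple[int, ...]

# Branch (major, minor) -> first fixed version, from the page's list.
CPANEL_FIXED: Dict[Tuple[int, int], Version] = {
    (11, 86): (11, 86, 0, 41),
    (11, 110): (11, 110, 0, 97),
    (11, 118): (11, 118, 0, 63),
    (11, 126): (11, 126, 0, 54),
    (11, 130): (11, 130, 0, 19),
    (11, 132): (11, 132, 0, 29),
    (11, 134): (11, 134, 0, 20),
    (11, 136): (11, 136, 0, 5),
}
WP_SQUARED_FIXED: Version = (136, 1, 7)
# The page states that all versions after 11.40 are affected.
CPANEL_OLDEST_AFFECTED_AFTER: Version = (11, 40)


def parse_version(s: str) -> Version:
    """'11.118.0.63' -> (11, 118, 0, 63); rejects anything non-numeric."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {s!r}")
    return tuple(int(p) for p in parts)


def assess(version: str, product: str = "cpanel") -> str:
    """Returns one of: 'vulnerable', 'fixed', 'unknown-branch',
    'not-listed-as-affected'."""
    v = parse_version(version)
    if product == "wp-squared":
        return "fixed" if v >= WP_SQUARED_FIXED else "vulnerable"
    if product != "cpanel":
        raise ValueError(f"unknown product: {product!r}")
    if v <= CPANEL_OLDEST_AFFECTED_AFTER:
        return "not-listed-as-affected"
    fixed = CPANEL_FIXED.get(v[:2])
    if fixed is None:
        # A branch the page does not list: consult the vendor advisory.
        return "unknown-branch"
    return "fixed" if v >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("web-01", "11.126.0.53"), ("web-02", "11.136.0.5"),
                      ("web-03", "11.100.0.1")]:
        print(host, ver, assess(ver))
```

Tuple comparison does the version ordering, so a two-component string such as `11.86` sorts below `11.86.0.41` and is reported as vulnerable, which is the conservative answer when the patch level is not known.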