SecBox
🇮🇹
vulnerabilita

CVE-2026-41940: cPanel and WHM authentication bypass, what to check now

CVE-2026-41940 is a critical authentication bypass in cPanel and WHM. Immediate patching, exposure reduction, and post-patch checks for hosting teams and SMEs.

30 April 20265 min readSecBox Global Team
CVE-2026-41940: cPanel and WHM authentication bypass, what to check now

Summary: CVE-2026-41940 is a critical vulnerability in the cPanel and WHM login flow. NVD describes it as an authentication bypass that allows unauthenticated remote attackers to gain unauthorized access to the control panel. For shared hosting, reseller servers, and any WHM instance exposed to the Internet, the priority is immediate patching, reduced management exposure, and indicator-of-compromise review.

Why this matters

cPanel published its security advisory on April 28, 2026 and updated it on April 30, 2026. The advisory says the issue affects cPanel, WHM, and DNSOnly versions after 11.40, with patched builds available for supported release tracks.

WHM is not just a dashboard. It controls hosting accounts, configuration, email, databases, web files, and administrative privileges. Unauthorized access can lead to web shells, malicious redirects, application credential theft, internal DNS changes, and persistence across customer accounts.

Technical detail of the chain

The useful defensive goal is to understand where to look, not to replay the exploit.

Public analysis points to a flaw in how cPanel and WHM load and save sessions. The cpsrvd service creates session files before authentication is complete. If untrusted input is written unsafely into that session file, an attacker can try to make pre-authentication session data contain attributes that should only exist after a valid login.

The chain described by researchers involves:

  • a session created during an unauthenticated request;
  • manipulation of the login flow and session-linked values;
  • newline injection into data later persisted on disk;
  • reloading the session with altered attributes;
  • logical promotion of the session past the point where it should fail.

This is why cPanel's IOC guidance looks for unusual combinations under /var/cpanel/sessions, such as sessions originating from badpass but containing token-related or authenticated-state fields. Defensively, the session file is a forensic artifact: origin, timestamp, token state, 2FA state, and reuse in HTTP logs must be correlated.

Log signals to review

During triage, prioritize:

  • whostmgrd or cpsrvd requests followed by unexpected session promotion;
  • sessions with badpass origin but later authenticated-looking attributes;
  • simultaneous token error fields and populated session token fields;
  • successful access shortly after failed logins from the same source;
  • requests to ports 2083, 2087, 2095, and 2096 from unexpected ASNs or countries;
  • changes to accounts, packages, DNS zones, email forwarders, or web files soon after the possible event.

If an indicator is positive, response should assume possible compromise. Clearing sessions is not enough: rotate credentials, review users, and check persistence.

Fixed versions

cPanel lists the following fixed versions:

  • 11.86.0.41
  • 11.110.0.97
  • 11.118.0.63
  • 11.126.0.54
  • 11.130.0.19
  • 11.132.0.29
  • 11.134.0.20
  • 11.136.0.5

For WP Squared, cPanel lists 136.1.7.

The practical rule is direct: if the server runs cPanel and its build is not fixed for its release track, treat it as exposed until verified otherwise.

Immediate actions

  1. Run the forced cPanel update following the vendor advisory.
  2. Confirm the build version returned by the server after the update.
  3. Restart cpsrvd as required by cPanel.
  4. If patching is not possible immediately, temporarily restrict public access to management ports 2083, 2087, 2095, and 2096, preferably behind VPN or administrator IP allowlists.
  5. Run the indicator checks recommended by cPanel.
  6. Review WHM access logs, cPanel sessions, recently created users, SSH keys, cron jobs, and files modified in the last 72 hours.

If updates are pinned, disabled, or the server is on an unsupported version, do not assume auto-update protected it. Manual verification is required.

Where to prioritize first

Highest priority systems include:

  • hosting providers and resellers with many accounts on the same WHM node;
  • cPanel servers directly exposed to the Internet;
  • environments where WHM is reachable without VPN or IP allowlisting;
  • servers that already show suspicious login activity on cPanel ports;
  • hosting nodes serving WordPress, email, and customer databases.

For SMEs using managed hosting, ask the provider for written confirmation: fixed version, date and time of patching, temporary port controls, and whether IOC checks were performed.

Post-patch checks

After updating, do not stop at "the version changed". Verify:

  • management services are reachable only where expected;
  • WHM and cPanel accounts have no unexpected keys, forwarders, or users;
  • no unusual PHP files appeared inside webroots;
  • no unauthorized cron jobs were added;
  • logs do not show suspicious sessions before the patch window;
  • clean backups or snapshots from before the incident window are available.

This is an authentication vulnerability. If exploitation is suspected, proper response includes credential rotation, account review, and persistence checks, not only patching.

Sources

How SecBox can help

SecBox helps reduce management-panel exposure, apply allowlists, monitor anomalous access, and build a post-patch verification checklist for hosting servers and business VPS environments.

Request an urgent exposure check

#cpanel#whm#cve-2026-41940#hosting#incident-response#patch-management
Back to Blog

Related Articles

vulnerabilita

Copy Fail CVE-2026-31431: Linux local privilege escalation risk for containers and CI