CVE-2026-41940
Received Received - Intake
Authentication Bypass in cPanel and WHM

Publication date: 2026-04-29

Last updated on: 2026-05-04

Assigner: VulnCheck

Description
cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-29
Last Modified
2026-05-04
Generated
2026-06-16
AI Q&A
2026-04-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41940
EUVD
EUVD-2026-26246
Affected Vendors & Products
Showing 18 associated CPEs
Vendor Product Version / Range
cpanel cpanel From 11.40 (inc) to 86.0.41 (exc)
cpanel cpanel From 88.0.0 (inc) to 110.0.97 (exc)
cpanel cpanel From 112.0.0 (inc) to 118.0.63 (exc)
cpanel cpanel From 128.0.0 (inc) to 130.0.19 (exc)
cpanel cpanel From 132.0.0 (inc) to 132.0.29 (exc)
cpanel cpanel From 134.0.0 (inc) to 134.0.20 (exc)
cpanel cpanel From 136.0.0 (inc) to 136.0.5 (exc)
cpanel cpanel From 120.0.0 (inc) to 124.0.35 (exc)
cpanel cpanel From 126.0.1 (inc) to 126.0.54 (exc)
cpanel whm From 11.40 (inc) to 86.0.41 (exc)
cpanel whm From 112.0.0 (inc) to 118.0.63 (exc)
cpanel whm From 128.0.0 (inc) to 130.0.19 (exc)
cpanel whm From 132.0.0 (inc) to 132.0.29 (exc)
cpanel whm From 134.0.0 (inc) to 134.0.20 (exc)
cpanel whm From 136.0.0 (inc) to 136.0.5 (exc)
cpanel whm From 88.0.0 (inc) to 110.0.97 (exc)
cpanel whm From 120.0.0 (inc) to 124.0.35 (exc)
cpanel whm From 126.0.1 (inc) to 126.0.54 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

Detection of CVE-2026-41940 can be performed using a provided detection script named ioc_checksessions_files.sh, which scans for indicators such as injected tokens, pre-authentication sessions with authenticated attributes, or suspicious origins in session files.

Additionally, a Python tool named watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py is available to verify if a cPanel/WHM instance is vulnerable by minting a pre-authentication session, sending a CRLF injection to leak a token, exploiting a gadget to propagate raw data into the cache, and verifying root access via the WHM version endpoint.

Commands to detect the vulnerability include running the detection script ioc_checksessions_files.sh to identify compromised session files.

Compliance Impact

This vulnerability allows unauthenticated remote attackers to gain unauthorized access to the control panel, which could lead to unauthorized access to sensitive data.

Such unauthorized access may result in violations of data protection regulations and standards like GDPR and HIPAA, which require strict access controls and protection of personal and health information.

Therefore, exploitation of this vulnerability could compromise compliance with these regulations by exposing sensitive data to unauthorized parties.

Executive Summary

CVE-2026-41940 is an authentication bypass vulnerability found in cPanel and WHM software versions after 11.40. This flaw exists in the login flow and allows unauthenticated remote attackers to gain unauthorized access to the control panel without needing valid credentials.

The vulnerability is critical, with a CVSS v3.1 base score of 9.8, indicating it is easy to exploit remotely and can lead to full compromise of confidentiality, integrity, and availability of the affected system.

Impact Analysis

This vulnerability can have severe impacts as it allows attackers to bypass authentication and gain unauthorized access to the cPanel or WHM control panel.

  • Attackers can fully control the server's management interface.
  • They may modify server configurations, access sensitive data, and manage hosted websites.
  • The compromise can lead to data breaches, service disruptions, and further exploitation of the server.

Due to the high severity, immediate patching and mitigation steps are recommended to prevent unauthorized access.

Detection Guidance

Detection of CVE-2026-41940 can be performed by using a provided detection script named ioc_checksessions_files.sh, which scans for indicators of compromise such as injected tokens, pre-authentication sessions with authenticated attributes, or suspicious origins.

Additionally, a Python detection tool named watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py is available on GitHub. This tool verifies if a cPanel/WHM instance is vulnerable by minting a pre-authentication session, sending a CRLF injection to leak a token, exploiting a gadget to propagate raw data into the cache, and verifying root access via the WHM version endpoint.

Suggested commands include running the detection script ioc_checksessions_files.sh to identify suspicious session files and using the Python detection tool from the GitHub repository to test the vulnerability.

Mitigation Strategies

Immediate mitigation steps include updating cPanel & WHM to a patched version using the command `/scripts/upcp --force`.

After updating, verify the build version and restart the cPanel service using `cpsrvd`.

If automatic updates are disabled or pinned, perform manual updates to the patched versions.

As a temporary mitigation, block inbound traffic on TCP ports 2083, 2087, 2095, and 2096, or stop the `cpsrvd` and `cpdavd` services to prevent unauthorized access.

If compromise is detected, purge affected sessions, force password resets, audit logs, and check for persistence mechanisms.

Executive Summary

This vulnerability is an authentication bypass in certain versions of cPanel and WHM. It affects versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5. The flaw allows unauthenticated remote attackers to bypass the login process and gain unauthorized access to the control panel.

Impact Analysis

The impact of this vulnerability is severe because it allows attackers to remotely access the control panel without authentication. This unauthorized access can lead to full compromise of the system, including the ability to view, modify, or delete data, change configurations, and potentially control the entire server environment.

Mitigation Strategies

Immediate mitigation steps include updating cPanel & WHM to a patched version using the command `/scripts/upcp --force`.

After updating, verify the build version and restart the cPanel service using `service cpanel restart` or by restarting the cpsrvd service.

If automatic updates are disabled or pinned, perform manual updates to the patched versions.

As a temporary mitigation, block inbound traffic on TCP ports 2083, 2087, 2095, and 2096, or stop the cpsrvd and cpdavd services to prevent unauthorized access.

If compromise is detected, purge affected sessions, force password resets, audit logs for suspicious activity, and check for persistence mechanisms.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41940. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart