CVE-2026-41940
Authentication Bypass in cPanel and WHM
Publication date: 2026-04-29
Last updated on: 2026-05-04
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cpanel | cpanel | From 11.40 (inc) to 86.0.41 (exc) |
| cpanel | cpanel | From 88.0.0 (inc) to 110.0.97 (exc) |
| cpanel | cpanel | From 112.0.0 (inc) to 118.0.63 (exc) |
| cpanel | cpanel | From 120.0.0 (inc) to 124.0.35 (exc) |
| cpanel | cpanel | From 126.0.1 (inc) to 126.0.54 (exc) |
| cpanel | cpanel | From 128.0.0 (inc) to 130.0.19 (exc) |
| cpanel | cpanel | From 132.0.0 (inc) to 132.0.29 (exc) |
| cpanel | cpanel | From 134.0.0 (inc) to 134.0.20 (exc) |
| cpanel | cpanel | From 136.0.0 (inc) to 136.0.5 (exc) |
| cpanel | whm | From 11.40 (inc) to 86.0.41 (exc) |
| cpanel | whm | From 88.0.0 (inc) to 110.0.97 (exc) |
| cpanel | whm | From 112.0.0 (inc) to 118.0.63 (exc) |
| cpanel | whm | From 120.0.0 (inc) to 124.0.35 (exc) |
| cpanel | whm | From 126.0.1 (inc) to 126.0.54 (exc) |
| cpanel | whm | From 128.0.0 (inc) to 130.0.19 (exc) |
| cpanel | whm | From 132.0.0 (inc) to 132.0.29 (exc) |
| cpanel | whm | From 134.0.0 (inc) to 134.0.20 (exc) |
| cpanel | whm | From 136.0.0 (inc) to 136.0.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated remote attackers to gain unauthorized access to the control panel, which could lead to unauthorized access to sensitive data.
Such unauthorized access may result in violations of data protection regulations and standards like GDPR and HIPAA, which require strict access controls and protection of personal and health information.
Therefore, exploitation of this vulnerability could compromise compliance with these regulations by exposing sensitive data to unauthorized parties.
Can you explain this vulnerability to me?
This vulnerability is an authentication bypass in certain versions of cPanel and WHM. It affects versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5. The flaw allows unauthenticated remote attackers to bypass the login process and gain unauthorized access to the control panel.
How can this vulnerability impact me?
The impact of this vulnerability is severe because it allows attackers to remotely access the control panel without authentication. This unauthorized access can lead to full compromise of the system, including the ability to view, modify, or delete data, change configurations, and potentially control the entire server environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of CVE-2026-41940 can be performed using a provided detection script named ioc_checksessions_files.sh, which scans for indicators such as injected tokens, pre-authentication sessions with authenticated attributes, or suspicious origins in session files.
Additionally, a Python tool named watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py is available to verify if a cPanel/WHM instance is vulnerable by minting a pre-authentication session, sending a CRLF injection to leak a token, exploiting a gadget to propagate raw data into the cache, and verifying root access via the WHM version endpoint.
Commands to detect the vulnerability include running the detection script ioc_checksessions_files.sh to identify compromised session files.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating cPanel & WHM to a patched version using the command `/scripts/upcp --force`.
After updating, verify the build version and restart the cPanel service using `service cpanel restart` or by restarting the cpsrvd service.
If automatic updates are disabled or pinned, perform manual updates to the patched versions.
As a temporary mitigation, block inbound traffic on TCP ports 2083, 2087, 2095, and 2096, or stop the cpsrvd and cpdavd services to prevent unauthorized access.
If compromise is detected, purge affected sessions, force password resets, audit logs for suspicious activity, and check for persistence mechanisms.
Can you explain this vulnerability to me?
CVE-2026-41940 is an authentication bypass vulnerability found in cPanel and WHM software versions after 11.40. This flaw exists in the login flow and allows unauthenticated remote attackers to gain unauthorized access to the control panel without needing valid credentials.
The vulnerability is critical, with a CVSS v3.1 base score of 9.8, indicating it is easy to exploit remotely and can lead to full compromise of confidentiality, integrity, and availability of the affected system.
How can this vulnerability impact me?
This vulnerability can have severe impacts as it allows attackers to bypass authentication and gain unauthorized access to the cPanel or WHM control panel.
- Attackers can fully control the server's management interface.
- They may modify server configurations, access sensitive data, and manage hosted websites.
- The compromise can lead to data breaches, service disruptions, and further exploitation of the server.
Due to the high severity, immediate patching and mitigation steps are recommended to prevent unauthorized access.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of CVE-2026-41940 can be performed by using a provided detection script named ioc_checksessions_files.sh, which scans for indicators of compromise such as injected tokens, pre-authentication sessions with authenticated attributes, or suspicious origins.
Additionally, a Python detection tool named watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py is available on GitHub. This tool verifies if a cPanel/WHM instance is vulnerable by minting a pre-authentication session, sending a CRLF injection to leak a token, exploiting a gadget to propagate raw data into the cache, and verifying root access via the WHM version endpoint.
Suggested commands include running the detection script ioc_checksessions_files.sh to identify suspicious session files and using the Python detection tool from the GitHub repository to test the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating cPanel & WHM to a patched version using the command `/scripts/upcp --force`.
After updating, verify the build version and restart the `cpsrvd` service.
If automatic updates are disabled or pinned, perform manual updates to the patched versions.
As a temporary mitigation, block inbound traffic on TCP ports 2083, 2087, 2095, and 2096, or stop the `cpsrvd` and `cpdavd` services to prevent unauthorized access.
If compromise is detected, purge affected sessions, force password resets, audit logs, and check for persistence mechanisms.
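The mitigation procedure above (both copies of it) tells you to update and then verify the build version. As an added example that is not cPanel's or VulnCheck's own tooling, the Python check below compares an installed build string against the affected ranges copied from the table on this page, so the "verify the build version" step can be scripted across a fleet. The version file path `/usr/local/cpanel/version` and the `11.`-prefixed build format (11.110.0.97 for build 110.0.97) are assumptions; the range arithmetic itself is taken from the table.

```python
"""Compare a cPanel & WHM build string against the CVE-2026-41940 affected ranges.

Added example, not cPanel's or VulnCheck's tooling. Ranges are copied from the
advisory table; the version file path and build-string format are assumptions.
"""
from __future__ import annotations

import sys

# Affected ranges from the advisory table: start inclusive, end exclusive.
# The exclusive end of each range is the first patched build in that branch.
AFFECTED_RANGES: list[tuple[str, str]] = [
    ("11.40", "86.0.41"),
    ("88.0.0", "110.0.97"),
    ("112.0.0", "118.0.63"),
    ("120.0.0", "124.0.35"),
    ("126.0.1", "126.0.54"),
    ("128.0.0", "130.0.19"),
    ("132.0.0", "132.0.29"),
    ("134.0.0", "134.0.20"),
    ("136.0.0", "136.0.5"),
]

# Assumption: the installed build string lives here, e.g. "11.110.0.97".
VERSION_FILE = "/usr/local/cpanel/version"


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a build string into a comparable 4-tuple.

    Assumption: cPanel writes builds with a leading "11." (11.110.0.97 is build
    110.0.97) while the advisory table mostly omits it, so the prefix is dropped
    whenever a further component follows it. Short strings such as "11.40" are
    zero-padded so they compare like 40.0.0.0.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > 1 and parts[0] == 11:
        parts = parts[1:]
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts[:4])


def affected_range(version: str) -> tuple[str, str] | None:
    """Return the listed range containing `version`, or None if no listed range does.

    None means "not in any range the advisory lists": that covers patched builds,
    but also branches the table does not mention, so treat it as "not listed"
    rather than as a positive statement of safety.
    """
    v = parse_version(version)
    for start, end in AFFECTED_RANGES:
        if parse_version(start) <= v < parse_version(end):
            return (start, end)
    return None


def is_affected(version: str) -> bool:
    """True when the build falls inside one of the advisory's affected ranges."""
    return affected_range(version) is not None


if __name__ == "__main__":
    # Usage: python3 check_cve_2026_41940.py [/path/to/version-file]
    path = sys.argv[1] if len(sys.argv) > 1 else VERSION_FILE
    with open(path) as fh:
        installed = fh.read().strip()
    rng = affected_range(installed)
    if rng is None:
        print(f"{installed}: not within any affected range listed for CVE-2026-41940")
        sys.exit(0)
    print(f"{installed}: AFFECTED (range {rng[0]} to {rng[1]}); update with /scripts/upcp --force")
    sys.exit(1)
```

Run it after `/scripts/upcp --force` completes: a non-zero exit means the build read from the version file still sits inside a listed range, which is the signal to check whether updates are pinned and to apply the manual update the mitigation steps describe. Because the ranges are exclusive at the patched build, a host on exactly 11.110.0.97 or 11.136.0.5 is reported as outside the affected ranges.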