CVE-2026-29203
chmod Symlink Following in cPanel Nova Plugin
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: HackerOne
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cpanel | whm | From v110.0.114 (inc) |
| wp_squared | wp_squared | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-61 | The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the cPanel Nova plugin's Cpanel::Nova::Connector where a chmod call follows symbolic links (symlinks). This behavior allows an authenticated cPanel user to create a symlink at a user-controlled legacy Nova path within their home directory, which can lead to setting root permissions on arbitrary system files or directories.
How can this vulnerability impact me? :
The vulnerability can cause a denial of service (DoS) or local privilege escalation. Specifically, an attacker who is an authenticated cPanel user can exploit this to gain elevated permissions on system files or directories, potentially compromising system integrity or availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an authenticated cPanel user to set root permissions on arbitrary system files or directories via unsafe symlink handling, potentially leading to denial of service or local privilege escalation.
Such unauthorized privilege escalation and potential system compromise could impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls on access to sensitive data and system integrity.
Organizations subject to these regulations must address this vulnerability promptly by applying the recommended patches to prevent unauthorized access and maintain compliance.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves verifying the version of cPanel & WHM or WP Squared installed on your system to check if it is vulnerable or patched.
You can use commands to check the current cPanel version, such as:
- rpm -qa | grep cpanel
- cat /usr/local/cpanel/version
Comparing the installed version against the patched version (v110.0.114 or later) will help determine if your system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update your cPanel & WHM or WP Squared installation to the patched version that addresses this vulnerability.
For systems running CentOS 6 or CloudLinux 6, update directly to version v110.0.114.
Use the official update commands provided by cPanel to upgrade your system and verify the update afterward.
Applying this update will fix the unsafe symlink handling error and prevent potential denial of service or privilege escalation attacks.