Technical Insight April 30, 2026

cPanel Zero-Day Alert: CVE-2026-41940 Auth Bypass Exploited

Dillip Chowdary


Founder & Principal AI Researcher


A critical zero-day vulnerability in cPanel & WHM, tracked as CVE-2026-41940, is under active exploitation. The flaw, an authentication bypass in the management interface, allows unauthenticated attackers to gain administrative access to hosting servers under specific configuration conditions.

Reports surfacing today indicate that sophisticated threat actors used the vulnerability for several months before it was discovered and patched.

Technical Breakdown

The vulnerability resides in the way the cPanel Session Manager handles malformed headers during the handshake process. By injecting a specially crafted sequence into the X-Forwarded-For and Session-ID fields, an attacker can trick the backend into validating a null or spoofed session as a legitimate root login.

Vulnerability Details:

  • Identifier: CVE-2026-41940
  • CVSS Score: 9.8 (Critical)
  • Impact: Unauthenticated Remote Code Execution (via Auth Bypass)
  • Affected Versions: cPanel & WHM versions 110.0.x through 124.0.x.

Exposure & Risk

Security researchers estimate that over 1.5 million instances of cPanel/WHM are currently exposed to the internet. Given cPanel's dominance in the shared hosting and VPS market, this zero-day represents a significant risk to the global web hosting infrastructure.

Threat actors are reportedly using the bypass to install persistent backdoors, steal database credentials, and pivot into internal networks.

Mitigation and Patching

cPanel has released emergency patches for all supported versions. Administrators are urged to:

  1. Update Immediately: Ensure your cPanel/WHM installation is running the latest stable or LTS release.
  2. Audit Sessions: Check for unusual root logins or sessions originating from unknown IP ranges in /usr/local/cpanel/logs/access_log.
  3. Firewall Restrictions: Restrict access to ports 2087 (WHM) and 2083 (cPanel) to known, trusted IP addresses only.
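One way to run the session audit from step 2, as an added example that is not cPanel's tooling or part of the original post. It assumes access_log lines follow a combined-log-style layout; the allowlist, the sample lines and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: access_log uses a combined-log-style layout:
# client IP, identity, authenticated user, [timestamp], "request", status, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3})\b'
)

# Constructed allowlist (documentation ranges); replace with your admin networks.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:10::/48")]

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
192.0.2.15 - root [30/Apr/2026:08:01:12 -0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.77 - root [30/Apr/2026:08:03:40 -0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.77 - root [30/Apr/2026:08:03:41 -0000] "POST /login/ HTTP/1.1" 200 64 "-" "curl/8.5.0"
203.0.113.9 - - [30/Apr/2026:08:04:02 -0000] "POST /login/ HTTP/1.1" 401 0 "-" "Mozilla/5.0"
2001:db8:10::5 - root [30/Apr/2026:08:05:19 -0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.200 - root [30/Apr/2026:08:06:00 -0000] "GET / HTTP/1.1" 403 0 "-" "Mozilla/5.0"
truncated or malformed line without the expected fields
"""

def is_trusted(ip_text, nets):
    """True only if ip_text parses as an IP inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # hostname or garbage in the IP field: treat as untrusted
    return any(ip.version == net.version and ip in net for net in nets)

def audit_root_sessions(lines, nets=TRUSTED_NETS):
    """Flag successful root-attributed requests from outside the trusted networks."""
    findings, unparsed = [], 0
    for line in lines:
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1  # count, never silently drop: these need a manual look
            continue
        if m["user"] == "root" and int(m["status"]) < 400 and not is_trusted(m["ip"], nets):
            findings.append((m["ip"], m["ts"], m["request"], int(m["status"])))
    return {"findings": findings, "by_ip": Counter(f[0] for f in findings), "unparsed": unparsed}

if __name__ == "__main__":
    print(audit_root_sessions(SAMPLE_LOG.splitlines()))
```

On a server, feed the lines of /usr/local/cpanel/logs/access_log in place of SAMPLE_LOG and review the unparsed count alongside the findings.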
