Technical Insight May 04, 2026

cPanel Zero-Day Alert: CVE-2026-41940 Auth Bypass Hits 40k+ Servers

Dillip Chowdary

Founder & Principal AI Researcher

A major security crisis has unfolded as cPanel & WHM administrators grapple with a critical zero-day vulnerability, designated CVE-2026-41940. The flaw, a severe authentication bypass, is reportedly impacting over 40,000 servers across the globe.

The vulnerability allows an unauthenticated remote attacker to bypass the login screen of the WHM management interface under specific network configurations, granting full root access to the hosting server.

Technical Analysis of CVE-2026-41940

The root cause is a logic error in the Two-Factor Authentication (2FA) bypass mechanism when handling legacy API tokens. By sending a malformed request that exploits a race condition in the session validation process, attackers can force the server to issue a valid administrative cookie.

Urgent Mitigation Steps:

  • Update to Version 126.0.4+: cPanel has released an emergency patch. Automated updates should be monitored for success.
  • Disable Remote WHM: If possible, restrict WHM access to VPN or specific static IPs.
  • Rotate Root Credentials: As a precaution, assume any exposed server may have had its credentials scraped.

Security firms are reporting active scanning for this vulnerability, with payloads primarily originating from compromised IoT botnets. Administrators are urged to check /var/cpanel/logs/access_log for unusual GET requests to the /login/ endpoint.
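
One way to run that log check, as an added example that is not cPanel's own tooling or part of the original advisory: it counts GET requests to /login/ per source IP per minute and reports the sources that exceed a threshold. The combined log format, the threshold of 3 per minute, and the sample lines are assumptions made for this sketch.

```python
import re
from collections import Counter, defaultdict

# Assumption: access_log lines follow the Apache combined log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = '''\
203.0.113.7 - - [04/May/2026:10:15:01 +0000] "GET /login/ HTTP/1.1" 200 4312 "-" "curl/8.5.0"
203.0.113.7 - - [04/May/2026:10:15:01 +0000] "GET /login/?locale=en HTTP/1.1" 200 4312 "-" "curl/8.5.0"
203.0.113.7 - - [04/May/2026:10:15:02 +0000] "GET /login/ HTTP/1.1" 401 512 "-" "curl/8.5.0"
198.51.100.20 - - [04/May/2026:10:16:40 +0000] "GET /login/ HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.20 - - [04/May/2026:10:17:05 +0000] "POST /login/ HTTP/1.1" 200 120 "-" "Mozilla/5.0"
'''.splitlines()

def login_get_bursts(lines, per_minute_threshold=3):
    """Map source IP -> busiest-minute stats for every IP that sent at least
    per_minute_threshold GET requests to /login/ within a single minute."""
    per_minute = defaultdict(Counter)   # ip -> {minute: request count}
    statuses = defaultdict(Counter)     # ip -> {status code: request count}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue                    # unparsable line or not a GET
        path = m["path"].split("?", 1)[0]
        if not path.startswith("/login/"):
            continue
        minute = m["ts"][:17]           # e.g. "04/May/2026:10:15"
        per_minute[m["ip"]][minute] += 1
        statuses[m["ip"]][m["status"]] += 1
    flagged = {}
    for ip, minutes in per_minute.items():
        minute, peak = minutes.most_common(1)[0]
        if peak >= per_minute_threshold:
            flagged[ip] = {"minute": minute, "peak": peak,
                           "statuses": dict(statuses[ip])}
    return flagged

if __name__ == "__main__":
    for ip, info in login_get_bursts(SAMPLE).items():
        print(ip, info)
```

To run it against a server, pass an open file handle for the access_log path named above in place of SAMPLE, and tune the threshold to the host's normal login traffic.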
