Emergency Fix

CVE-2026-41940

Authentication Bypass in cPanel & WHM

Summary

cPanel & WHM, including DNSOnly and WP Squared, has a pre-authentication flaw in its login and session-handling flow. An unauthenticated attacker can abuse CRLF injection in the session-writing path to poison the on-disk session file and make the service reload attacker-controlled session attributes as if they belonged to an admin. The result is root-equivalent control of WHM and full takeover of hosted sites, databases, email, and server configuration.

Why Emergency Fix?

6/6 criteria met:
  • No authentication required
  • Commonly internet-facing deployment
  • No user interaction needed
  • Exploitable in default configuration
  • Active exploitation in the wild
  • High impact vulnerability

Exploitation Details

Type: Authentication Bypass
Is exploitable with default configuration? Yes
Is authentication needed? No
PoC / Exploit: Yes
Impact: Full System Compromise

Gain root-equivalent WHM access to control hosted sites, databases, email, and server settings.

Exploitation Requirements

None — vulnerable in default configuration

Exploitation Process

An attacker first triggers a failed login to mint a pre-auth session cookie and raw session file. They then reuse that session with the expected cookie shape removed so the password value is no longer safely encoded, and send a crafted Basic Authorization header containing CRLF sequences. That payload is written into the session file as new key/value lines, and a follow-up request to a token-denied or session-reload path causes cPanel to load the poisoned session and treat the attacker as an authenticated root user.

Affected Software

Vendor: cPanel

Product: cPanel & WHM (including DNSOnly)
Affected Versions: all versions after 11.40; fixed in 11.86.0.41, 11.94.0.28, 11.102.0.39, 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, 11.136.0.5

Product: WP Squared
Affected Versions: versions prior to 136.1.7
Description

Linux-based web hosting control panel suite for managing websites, email, databases, DNS, SSL, and server administration.

Deployment: Commonly internet-facing
Protocol: HTTPS
Ports: 2083, 2087, 2095, 2096

Affected Component: cpsrvd login and session-management flow for WHM/cPanel administration, including pre-auth session creation, session reload, and whostmgrsession cookie handling.

Affected Endpoints (4):
  1. /login/?login_only=1
  2. /
  3. /json-api/version
  4. /scripts2/listaccts
Vendor Size: Niche
Remediation
Workaround
Until patched, block inbound traffic to cPanel management ports 2083, 2087, 2095, and 2096 and disable Service Subdomains, or stop cpsrvd and cpdavd on the host.


Source: support.cpanel.net
Patch

Not available

Update
Upgrade cPanel & WHM to the patched branch versions (11.86.0.41, 11.94.0.28, 11.102.0.39, 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, or 11.136.0.5) or upgrade WP Squared to 136.1.7+. Use /scripts/upcp --force and restart cpsrvd after upgrading.


Source: support.cpanel.net
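An added example (not code from the page or from cPanel) that turns the fixed-version list above into a branch-aware check: a cPanel release is compared only against the fix for its own 11.x branch, because a version such as 11.110.0.96 is not made safe by a higher build number in a different branch. Versions after 11.40 whose branch has no listed fix are reported as "no_fix_listed" rather than as patched. The helper that reads /usr/local/cpanel/version assumes that path holds the installed version string; the sample versions in main are constructed.

```python
from typing import Dict, Tuple

# Fixed build per release branch, as listed on the page.
FIXED_CPANEL: Dict[str, str] = {
    "11.86": "11.86.0.41",
    "11.94": "11.94.0.28",
    "11.102": "11.102.0.39",
    "11.110": "11.110.0.97",
    "11.118": "11.118.0.63",
    "11.124": "11.124.0.35",
    "11.126": "11.126.0.54",
    "11.130": "11.130.0.19",
    "11.132": "11.132.0.29",
    "11.134": "11.134.0.20",
    "11.136": "11.136.0.5",
}
FIXED_WP_SQUARED = "136.1.7"
LAST_UNAFFECTED = "11.40"  # page: "all versions after 11.40" are affected


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version string into an integer tuple for ordered comparison."""
    return tuple(int(part) for part in version.strip().split("."))


def cpanel_status(version: str) -> str:
    """Classify a cPanel & WHM version against the per-branch fix list.

    Returns one of: not_affected, vulnerable, patched, no_fix_listed.
    """
    v = parse_version(version)
    if v <= parse_version(LAST_UNAFFECTED):
        return "not_affected"
    branch = ".".join(str(p) for p in v[:2])  # e.g. "11.110"
    fixed = FIXED_CPANEL.get(branch)
    if fixed is None:
        # Affected range but no fix listed for this branch: do not report as patched.
        return "no_fix_listed"
    return "patched" if v >= parse_version(fixed) else "vulnerable"


def wp_squared_status(version: str) -> str:
    """Classify a WP Squared version against the single listed fix."""
    return "patched" if parse_version(version) >= parse_version(FIXED_WP_SQUARED) else "vulnerable"


def read_installed_cpanel_version(path: str = "/usr/local/cpanel/version") -> str:
    """Read the installed version string; the path is an assumption, adjust if it differs."""
    with open(path, encoding="ascii") as fh:
        return fh.read().strip()


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real host.
    for sample in ("11.38.0.1", "11.110.0.96", "11.110.0.97", "11.136.0.5", "11.60.0.10"):
        print(f"cPanel {sample}: {cpanel_status(sample)}")
    for sample in ("136.1.6", "136.1.7"):
        print(f"WP Squared {sample}: {wp_squared_status(sample)}")
```

The branch-aware comparison is the point: a plain "is my version number at least 11.136.0.5" test would wrongly mark every older branch as vulnerable even after its own fix is installed, and a plain "is it at least 11.86.0.41" test would wrongly mark 11.110.0.96 as patched.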
Threat Intelligence
EPSS Score: 84.4%

Probability of exploitation in the next 30 days

EPSS Percentile: 99%

Worse than 99% of all CVEs

CISA KEV: Listed
Active Exploitation: Active (source: rapid7.com)
Threat Actors (1)

Mr_Rot13: threat actor group deploying backdoors and post-exploitation payloads on compromised cPanel servers

Detection Rules (3)

  • CVE-2026-41940: CRLF inside Authorization: Basic (type: Other)
  • CVE-2026-41940: whostmgrsession missing valid ,OBHEX suffix (type: Other)
  • CVE-2026-41940: badpass session with hasroot=1/tfa_verified=1/user=root (type: Other)
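As an added example (not code from the page, from cPanel, or from the authors of the listed rules), the three detection rules above expressed as Python checks run over constructed inputs. It assumes: the Basic credential is standard base64 in the Authorization header; every legitimately issued whostmgrsession cookie contains the ",OBHEX" marker; the on-disk session file is key=value lines and a failed login is recorded as "badpass=1" (the key name is an assumption). Verify those assumptions against the real cookie and file formats before deploying.

```python
import base64
import binascii
import re
from typing import Dict, List
from urllib.parse import unquote

# Rule names as listed on the page.
RULE_CRLF_BASIC = "CVE-2026-41940: CRLF inside Authorization: Basic"
RULE_COOKIE_SUFFIX = "CVE-2026-41940: whostmgrsession missing valid ,OBHEX suffix"
RULE_BADPASS_ROOT = "CVE-2026-41940: badpass session with hasroot=1/tfa_verified=1/user=root"

_BASIC_RE = re.compile(r"^\s*Basic\s+([A-Za-z0-9+/=]+)\s*$")


def encode_basic(credential: bytes) -> str:
    """Build an 'Authorization: Basic' header value (used here only to construct samples)."""
    return "Basic " + base64.b64encode(credential).decode("ascii")


def basic_auth_has_crlf(authorization: str) -> bool:
    """Rule 1: a Basic credential must never decode to bytes containing CR or LF."""
    match = _BASIC_RE.match(authorization)
    if not match:
        return False  # not Basic, or not base64 at all: other rules cover that
    token = match.group(1)
    try:
        decoded = base64.b64decode(token + "=" * (-len(token) % 4))
    except (binascii.Error, ValueError):
        return False
    return b"\r" in decoded or b"\n" in decoded


def cookie_missing_obhex(cookie_header: str) -> bool:
    """Rule 2: a whostmgrsession cookie without the ',OBHEX' marker (assumed to be
    present on every legitimately issued cookie) is the reshaped cookie the page describes."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name.strip() == "whostmgrsession":
            return ",OBHEX" not in unquote(value)
    return False  # no whostmgrsession cookie at all: rule does not apply


def parse_session_file(text: str) -> Dict[str, List[str]]:
    """Parse key=value lines, keeping every occurrence of a key: injected lines are
    appended, and the page does not say whether first or last value wins on reload."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs


def badpass_session_claims_root(session_text: str) -> bool:
    """Rule 3: a failed-login session ('badpass=1' is an assumed key name) carrying any
    root/verified attribute; matches the page's rule as written (any of the three)."""
    attrs = parse_session_file(session_text)
    if "1" not in attrs.get("badpass", []):
        return False
    return ("1" in attrs.get("hasroot", [])
            or "1" in attrs.get("tfa_verified", [])
            or "root" in attrs.get("user", []))


def evaluate(event: Dict[str, str]) -> List[str]:
    """Run all three rules over one event and return the names of those that fired."""
    hits: List[str] = []
    if "authorization" in event and basic_auth_has_crlf(event["authorization"]):
        hits.append(RULE_CRLF_BASIC)
    if "cookie" in event and cookie_missing_obhex(event["cookie"]):
        hits.append(RULE_COOKIE_SUFFIX)
    if "session_text" in event and badpass_session_claims_root(event["session_text"]):
        hits.append(RULE_BADPASS_ROOT)
    return hits


# Constructed sample events (not real captures): a benign request, a request with a
# CR/LF-bearing credential and a reshaped cookie, and two session files.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"authorization": encode_basic(b"admin:secret"),
     "cookie": "whostmgrsession=root%3aabc123%2cOBHEX"},
    {"authorization": encode_basic(b"x:y\r\ninjected=1"),
     "cookie": "whostmgrsession=root%3aabc123"},
    {"session_text": "badpass=1\nuser=bob\nhasroot=1\n"},
    {"session_text": "badpass=1\nuser=bob\n"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(evaluate(event) or ["no match"])
```

Two design points: the session parser keeps every value of a duplicated key because the injection appends new key/value lines and the reload precedence is not documented on the page, so a check that only saw the first or last value could miss the poisoned one; and the rules are evaluated independently so that a hit on the cheap header check (rule 1) does not depend on also having the session file, which a network sensor will not see.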

NVD Data


Description Summary

cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

CVSS Base Score: 9.8 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
CWE: CWE-306 Missing Authentication for Critical Function
Version From: 11.40, 11.40
Version Upto: 86.0.41, 86.0.41, 136.1.7

Affected Software (CPE) (3)

  • cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*
  • cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:*
  • cpe:2.3:a:cpanel:wp_squared:*:*:*:*:*:wordpress:*:*