Critical cPanel 0-Day Auth Bypass Act Authentication Vulnerability


Marcus Rodriguez, April 30, 2026 (3 min read)

A critical authentication bypass vulnerability in cPanel & WHM is now confirmed under active exploitation in the wild. This zero-day revelation is sending shockwaves through the global web hosting industry.

The flaw, tracked as CVE-2026-41940, allows unauthenticated attackers to bypass login mechanisms entirely, potentially granting root-level access to affected hosting control panels.

A public proof-of-concept (PoC) exploit has since been released by security researchers at watchTowr, dramatically raising the urgency for immediate patching.

cPanel 0-Day Authentication Bypass Vulnerability

The vulnerability resides in the authentication layer of cPanel & WHM software, including DNSOnly deployments.

According to cPanel’s official security advisory, the issue affects all versions after 11.40, an enormous attack surface given cPanel’s dominant position in the shared hosting market worldwide.

The flaw involves a CRLF injection chained with session token leakage, enabling a pre-authenticated attacker to hijack a session token, propagate it through the server’s internal cache, and ultimately gain WHM root access — all without valid credentials.

watchTowr researcher Sina Kheirkhah (@SinSinology) published a detection artifact generator that demonstrates the exploit chain in four distinct steps:

  1. Mint a pre-authentication session to obtain a base session identifier
  2. Send a CRLF injection payload (Basic auth + no-ob cookie) to leak a valid session token via an HTTP 307 redirect
  3. Fire a do_token_denied request to propagate the raw token into the server-side cache
  4. Access /json-api/version to confirm WHM root-level access, returning HTTP 200 with full version disclosure

The PoC tool authbypass-RCE.py targets port 2087 (WHM) and successfully confirms exploitation against vulnerable instances running builds such as 11.110.0.89 and earlier.

Reports indicate the vulnerability was privately disclosed to cPanel approximately two weeks before public exploitation was observed.

However, confirmed in-the-wild attacks forced cPanel to accelerate its patch rollout, with the initial advisory published on April 28, 2026, at 12:05 PM CST.

The advisory was subsequently updated multiple times within 48 hours to include patched versions, revised mitigation steps, and a detection script — reflecting the fast-moving nature of the incident.

Multiple global hosting providers have reportedly taken cPanel-based control panels offline as a precautionary measure to prevent mass unauthorized access.

Patched Versions

cPanel has released emergency patches across the following versions:

  • 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.126.0.54
  • 11.130.0.19, 11.132.0.29, 11.134.0.20, 11.136.0.5

For WP Squared (WP2) deployments, the patched version is 136.1.7.

Administrators should prioritize the following actions without delay:

  1. Force update immediately using: /scripts/upcp --force
  2. Verify the build version with /usr/local/cpanel/cpanel -V and restart cpsrvd: /scripts/restartsrv_cpsrvd
  3. Manually update pinned or auto-update-disabled servers — these will not receive the patch automatically and represent the highest-risk systems in any environment
  4. If patching is not immediately possible, apply one of these mitigations:
  • Block inbound traffic on ports 2083, 2087, 2095, and 2096 at the firewall level
  • Stop cpsrvd and cpdavd services entirely via WHM API commands

Servers running unsupported cPanel versions that are not eligible for the current patch should be treated as compromised until proven otherwise and escalated for emergency version upgrades.
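The remediation list above and the paragraph on unsupported versions reduce to one triage decision per host: is the installed build at or above the patched build for its branch, below it, or on a branch that is not eligible for the patch at all? The following POSIX shell script, added here as an illustration and not a script from cPanel or the advisory, encodes that decision. The patched build numbers, the `/scripts/upcp --force` and `/scripts/restartsrv_cpsrvd` commands and the mitigation ports are taken from the article; the function names, the sample build strings and the assumption that `/usr/local/cpanel/cpanel -V` prints the version as a four-part dotted string are this example's own.

```shell
#!/bin/sh
# Added example (not cPanel's or the advisory's own script): classify a cPanel & WHM
# build string against the patched builds listed in the advisory and print the
# action the advisory gives for that state.
# The build numbers in PATCHED come from the article; everything else is constructed.

PATCHED="11.86.0.41 11.110.0.97 11.118.0.63 11.126.0.54 11.130.0.19 11.132.0.29 11.134.0.20 11.136.0.5"

# Ports the advisory names for the firewall mitigation (cPanel, WHM and webmail, plain and TLS).
MITIGATION_PORTS="2083 2087 2095 2096"

# is_patched VERSION
#   returns 0 if VERSION is on a listed branch and at or above its patched build,
#           1 if it is on a listed branch but below the patched build,
#           2 if its branch (first two components) is not in PATCHED at all,
#             i.e. an unsupported version that is not eligible for this patch.
is_patched() {
  v=$1
  branch=$(printf '%s' "$v" | cut -d. -f1-2)
  for p in $PATCHED; do
    [ "$(printf '%s' "$p" | cut -d. -f1-2)" = "$branch" ] || continue
    # Numeric sort of the two four-part versions: if the patched build sorts first
    # (or the two are equal), the installed build is at least as new as the patch.
    lowest=$(printf '%s\n%s\n' "$p" "$v" | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n 1)
    [ "$lowest" = "$p" ] && return 0
    return 1
  done
  return 2
}

# patch_status VERSION -> prints PATCHED, VULNERABLE or UNSUPPORTED
patch_status() {
  # The && / || form keeps a non-zero return from tripping `set -e` in callers.
  is_patched "$1" && rc=0 || rc=$?
  case $rc in
    0) echo PATCHED ;;
    1) echo VULNERABLE ;;
    *) echo UNSUPPORTED ;;
  esac
}

# check_host: read the installed build (assumption: `cpanel -V` prints the version
# as a dotted four-part string somewhere in its output) and print the advisory's action.
check_host() {
  installed=$(/usr/local/cpanel/cpanel -V 2>/dev/null | grep -o '[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*' | head -n 1)
  [ -n "$installed" ] || { echo "could not read cPanel version"; return 2; }
  status=$(patch_status "$installed")
  echo "installed build $installed: $status"
  case $status in
    VULNERABLE)
      echo "run: /scripts/upcp --force && /scripts/restartsrv_cpsrvd"
      echo "until patched: block inbound TCP ports $MITIGATION_PORTS, or stop cpsrvd and cpdavd" ;;
    UNSUPPORTED)
      echo "branch not eligible for this patch: treat as compromised and schedule an emergency upgrade" ;;
  esac
}

# Demonstration on constructed sample builds; the live check only runs where cPanel is installed.
for sample in 11.110.0.89 11.110.0.97 11.136.0.12 11.40.0.1; do
  echo "$sample -> $(patch_status "$sample")"
done
[ -x /usr/local/cpanel/cpanel ] && check_host || true
```

Pinned or auto-update-disabled servers, the ones the article flags as highest risk, are exactly the hosts where `check_host` will keep reporting VULNERABLE after the rollout, so running it from a fleet-wide inventory job rather than only on hosts known to auto-update is the useful deployment.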

With cPanel estimated to power millions of hosting accounts globally across both shared and VPS environments, the blast radius of CVE-2026-41940 is substantial.

Authentication bypass vulnerabilities at the control panel level are particularly dangerous because they expose not just a single website, but entire server ecosystems, including all hosted domains, email accounts, databases, and file systems.

The public release of a working PoC significantly lowers the barrier for exploitation, and opportunistic threat actors are expected to incorporate this into mass-scanning campaigns imminently.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
