Critical cPanel 0-Day Authentication Bypass Vulnerability Actively Exploited

Marcus Rodriguez
April 30, 2026

Key Takeaways

  • A critical zero-day authentication bypass vulnerability, CVE-2026-41940, in cPanel & WHM is under active exploitation.
  • The flaw allows unauthenticated attackers to gain root-level access to affected hosting control panels, impacting all cPanel versions after 11.40.
  • Security researchers have released a public proof-of-concept (PoC) exploit, escalating the urgency for immediate patching.
  • Emergency patches have been released by cPanel, and administrators are urged to update immediately.

A severe zero-day authentication bypass vulnerability impacting cPanel & WHM has been confirmed as actively exploited in the wild, sending critical alerts across the global web hosting sector. This flaw permits unauthorized individuals to circumvent login protocols entirely, potentially leading to root-level control over compromised hosting environments.

Designated as CVE-2026-41940, the vulnerability targets the authentication framework within cPanel & WHM, including DNSOnly setups. A public proof-of-concept (PoC) exploit, developed by security researchers at watchTowr, has since become available, intensifying the need for immediate corrective action.

Understanding the cPanel Zero-Day Authentication Bypass

The vulnerability’s core lies within the authentication mechanism of cPanel & WHM software. According to an official security advisory from cPanel, all versions beyond 11.40 are susceptible. This represents a vast attack surface, given cPanel’s significant market share in the shared hosting industry worldwide.

The exploit chain leverages a CRLF injection in conjunction with a session token leakage. This allows an attacker, without prior authentication, to hijack a session token, propagate it through the server’s internal cache, and ultimately achieve WHM root access. This entire process unfolds without requiring valid user credentials.

Sina Kheirkhah (@SinSinology), a researcher at watchTowr, detailed the four-step exploit sequence in a detection artifact generator:

  1. Minting a pre-authentication session to acquire a base session identifier.
  2. Dispatching a CRLF injection payload (utilizing Basic authentication and a no-ob cookie) to leak a valid session token via an HTTP 307 redirect.
  3. Initiating a do_token_denied request to inject the raw token into the server-side cache.
  4. Accessing /json-api/version to verify WHM root-level access, indicated by an HTTP 200 response with full version disclosure.

The PoC tool, authbypass-RCE.py, targets port 2087 (WHM) and has successfully demonstrated exploitation against vulnerable instances, including builds like 11.110.0.89 and older versions.

Reports indicate that cPanel was privately informed of the vulnerability approximately two weeks before active exploitation was detected. The emergence of confirmed in-the-wild attacks prompted cPanel to expedite its patch deployment, with the initial advisory released on April 28, 2026, at 12:05 PM CST. The advisory underwent several updates within 48 hours to include patched versions, updated mitigation strategies, and a detection script, highlighting the rapid evolution of the incident.

As a precautionary measure, numerous global hosting providers have reportedly temporarily taken cPanel-based control panels offline to prevent widespread unauthorized access.

Patched Versions and Remediation

cPanel has issued emergency patches for the following versions, as detailed in their security advisory:

  • 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.126.0.54
  • 11.130.0.19, 11.132.0.29, 11.134.0.20, 11.136.0.5

For WP Squared (WP2) deployments, the patched version is 136.1.7.

Given that cPanel powers millions of hosting accounts globally across shared and VPS environments, the potential impact of CVE-2026-41940 is considerable. Authentication bypass vulnerabilities at this level are particularly dangerous because they expose entire server ecosystems, encompassing all hosted domains, email services, databases, and file systems, rather than just individual websites. The public release of a functional PoC significantly lowers the barrier to exploitation, and it is anticipated that opportunistic threat actors will soon integrate this into large-scale scanning campaigns.

What You Should Do

  • Immediately force update your cPanel & WHM installations using the command: /scripts/upcp --force.
  • Verify the updated build version with /usr/local/cpanel/cpanel -V and restart cpsrvd via /scripts/restartsrv_cpsrvd.
  • Manually update any servers with pinned versions or disabled auto-updates, as these will not receive the patch automatically and pose the highest risk.
  • If immediate patching is not feasible, implement one of the following temporary mitigations:
    • Block inbound traffic on ports 2083, 2087, 2095, and 2096 at the firewall.
    • Completely stop the cpsrvd and cpdavd services using WHM API commands.
  • Treat servers running unsupported cPanel versions (not eligible for the current patch) as compromised until proven otherwise, and prioritize an emergency upgrade to a supported version.
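To support the build verification step above, the following added example (not from cPanel's advisory or the original article) compares an installed build against the patched builds listed under "Patched Versions and Remediation". The function name check_cpanel_build is hypothetical, and it assumes you pass the build in the four-field dotted form that list uses; WP Squared's 136.1.7 numbering is not handled.

```shell
#!/bin/sh
# Patched cPanel & WHM builds, copied from the list in this article.
PATCHED_BUILDS="11.86.0.41 11.110.0.97 11.118.0.63 11.126.0.54
11.130.0.19 11.132.0.29 11.134.0.20 11.136.0.5"

# check_cpanel_build VERSION   (hypothetical helper, added example)
# Prints and returns:
#   patched    (0)  same release tier, build >= patched build
#   vulnerable (1)  same release tier, build older than patched build
#   invalid    (2)  not four dot-separated numeric fields
#   unlisted   (3)  no patched build listed for this tier; per the article,
#                   treat unsupported tiers as compromised until proven otherwise
check_cpanel_build() {
    ver=$1
    # Reject empty input, non-numeric characters, and empty fields.
    case $ver in
        ''|*[!0-9.]*|.*|*.|*..*) echo invalid; return 2 ;;
    esac
    # Split on dots into positional parameters.
    old_ifs=$IFS; IFS=.
    set -- $ver
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo invalid; return 2; }
    tier="$1.$2.$3"; build=$4
    for p in $PATCHED_BUILDS; do
        # ${p%.*} is the tier of the patched entry, ${p##*.} its build number.
        if [ "${p%.*}" = "$tier" ]; then
            if [ "$build" -ge "${p##*.}" ]; then
                echo patched; return 0
            fi
            echo vulnerable; return 1
        fi
    done
    echo unlisted; return 3
}

# When run as a script with an argument, check that build.
if [ $# -gt 0 ]; then
    check_cpanel_build "$1"
fi
```

The distinct return codes let a fleet-wide loop separate hosts that need /scripts/upcp --force from hosts on tiers with no listed patch.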

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
