Sonstige Informationen und Dienstleistungen der Regierung: www.belgium.be Centre for Cybersecurity Belgium

Warning: Critical authentication bypass in cPanel & WHM, Patch Immediately!

Image
Decorative image
Veröffentlicht : 30/04/2026
  • Last update: 30/04/2026
  • Affected software:
    → cPanel & WHM (ALL versions)
  • Type: Authentication bypass
  • CVE/CVSS
    → CVE-2026-41940: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026

Risks

CVE-2026-41940 is a critical authentication bypass vulnerability affecting cPanel & WHM, a widely deployed web hosting management platform. The vulnerability allows unauthenticated remote attackers to gain administrative access to affected systems.

The issue has a CVSS score of 9.8 and requires no authentication or user interaction. Public technical analyses and proof-of-concept code are already available, significantly lowering the barrier to exploitation. In addition, there are indications that the vulnerability has been actively exploited in the wild, potentially as a zero-day prior to public disclosure.

cPanel & WHM is commonly exposed to the internet and is used to manage hosting environments, including websites, databases, and server configurations. This makes it an attractive target for threat actors, as successful exploitation can provide control over entire hosting infrastructures and potentially large numbers of websites.

Description

The vulnerability is caused by improper handling of session data within cPanel & WHM. Due to insufficient sanitisation during session creation and processing, an attacker can craft malicious requests that manipulate how session information is stored and interpreted by the system.

By exploiting this flaw, an attacker can inject controlled data into session files and effectively alter authentication-related attributes. This allows the attacker to bypass the normal authentication flow and establish a session that is treated as fully authenticated, even without valid credentials.

Once access is obtained, the attacker can operate with administrative privileges. This includes full control over the server, access to hosted websites and databases, and the ability to create persistence mechanisms such as backdoors or additional user accounts. Given the central role of cPanel in hosting environments, this can lead to large-scale compromise affecting multiple customers and services.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

https://www.rapid7.com/blog/post/etr-cve-2026-41940-cpanel-whm-authentication-bypass/
https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/