CVE-2026-41940: cPanel & WHM Authentication Bypass

Rapid7 Blog, 29 Apr 2026

Rapid7 | Apr 29, 2026 | Last updated on May 5, 2026

Overview

On April 28, 2026, cPanel issued a security update to fix a critical vulnerability affecting the cPanel & WHM and WP Squared products. In the cPanel release notes, the bug was described as "an issue with session loading and saving." CVE-2026-41940, the identifier subsequently assigned on April 29, 2026, has a CVSS score of and allows unauthenticated remote attackers to bypass authentication and gain unauthorized administrative access to affected systems.

First-party vendor advisories are available. cPanel & WHM is web hosting control panel software used to manage websites and servers: WHM provides root-level server administration, while cPanel is the user-facing interface. Successful exploitation of CVE-2026-41940 gives an attacker control over the cPanel host, its configuration and databases, and every website it manages. A naive Shodan query for potential targets returns approximately 1.5 million cPanel instances exposed to the internet that may be vulnerable.

A managed cPanel host, KnownHost, stated that CVE-2026-41940 is actively being exploited in the wild, with speculation of targeted zero-day exploitation as early as February 23, 2026, before the vulnerability's public disclosure. Security firm watchTowr has published a technical analysis and proof-of-concept exploit for CVE-2026-41940. As such, widespread exploitation in the wild is expected to be imminent.

Technical overview

Systems exposing the affected web service software are vulnerable by default. As of April 29, 2026, a technical analysis and proof-of-concept exploit have been published by security firm watchTowr. CVE-2026-41940 is an authentication bypass caused by a Carriage Return Line Feed (CRLF) injection in the login and session loading processes of cPanel & WHM. Before authentication occurs, `cpsrvd` (the cPanel service daemon) writes a new session file to disk.

The vulnerability allows an attacker to manipulate the `whostmgrsession` cookie by omitting an expected segment of the cookie value, which skips the encryption step normally applied to an attacker-supplied value. Attackers can then inject raw `\r\n` characters via a malicious Basic Authorization header, and `cpsrvd` writes the session file without sanitizing that data. As a result, the attacker can insert arbitrary properties, such as `user=root`, into their own session file.
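To make the bug class concrete, the following is an added illustration (not cPanel's code, not watchTowr's analysis) of a toy line-based session store: a writer that copies pre-authentication input into a `key=value` file unsanitized, the hardened writer that rejects control characters, the loader that turns a smuggled line into a live property, and a duplicate-key check a defender could run over files in that assumed format. The format, field names and functions are constructed for this example; the real `cpsrvd` session layout is not modelled.

```python
import re

# Constructed toy format: one "key=value" per line. This is an assumption
# for illustration only and is NOT cPanel's real session file layout.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
EXPECTED_KEYS = ("user", "login_attempt")


def serialize_session(fields):
    """Write the session as key=value lines (the toy on-disk format)."""
    return "".join(f"{k}={v}\n" for k, v in fields.items())


def parse_session(blob):
    """Reload a session file. Last occurrence of a key wins, as in many
    naive loaders; this is the 'session loading' half of the flaw."""
    session = {}
    for line in blob.splitlines():          # splits on \n and \r\n alike
        if "=" in line:
            key, _, value = line.partition("=")
            session[key.strip()] = value.strip()
    return session


def save_session_vulnerable(username):
    """Pre-auth write that trusts the supplied name: raw CR/LF inside
    `username` becomes extra lines, i.e. extra session properties."""
    return serialize_session({"user": "anonymous", "login_attempt": username})


def save_session_hardened(username):
    """Same write, but refuse any control character (CR, LF, NUL, ...) in
    attacker-controlled input before it can reach the line-based file."""
    if CONTROL_CHARS.search(username):
        raise ValueError("control character in username")
    return serialize_session({"user": "anonymous", "login_attempt": username})


def hardened_rejects(username):
    """True if the hardened writer refuses this input."""
    try:
        save_session_hardened(username)
    except ValueError:
        return True
    return False


def duplicate_keys(blob):
    """Defensive check over an existing session file: a key the writer emits
    exactly once but that appears twice is a sign of a smuggled line."""
    keys = [line.partition("=")[0].strip() for line in blob.splitlines() if "=" in line]
    return [k for k in EXPECTED_KEYS if keys.count(k) > 1]
```

The check only reports duplicates, so a loader that keeps the first value instead of the last would need the same scan before the file is trusted.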

After triggering a reload of the session from the file, the attacker holds administrator-level access for their token.

Mitigation guidance

Organizations running on-premise instances of cPanel & WHM or WP Squared should prioritize upgrading to a fixed version on an emergency basis. Some hosting providers have opted to temporarily institute workaround TCP port blocks for the cPanel & WHM web services on ports 2083 and 2087.

However, defenders are strongly advised to patch rather than rely on workarounds.

Affected Software

The vendor states that all versions after 11.40 are affected, prior to the following fixed versions:

- cPanel & WHM 11.86.0: versions prior to 11.86.0.41
- cPanel & WHM 11.110.0: versions prior to 11.110.0.97
- cPanel & WHM 11.118.0: versions prior to 11.118.0.63
- cPanel & WHM 11.126.0: versions prior to 11.126.0.54
- cPanel & WHM 11.130.0: versions prior to 11.130.0.19
- cPanel & WHM 11.132.0: versions prior to 11.132.0.29
- cPanel & WHM 11.134.0: versions prior to 11.134.0.20
- cPanel & WHM 11.136.0: versions prior to 11.136.0.5
- WP Squared: versions prior to 136.1.7

Please read the vendor advisory for the latest guidance.

Exposure Command, InsightVM, and Nexpose

Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-41940 with authenticated vulnerability checks available in the April 30, 2026 content release.

Updates

- April 29, 2026: Initial publication.
- April 30, 2026: Updated mitigation guidance with additional fixed version numbers and changed wording to reflect availability of vulnerability checks.
