A critical authentication bypass vulnerability in cPanel & WHM is actively being exploited across the internet, putting an estimated 1.5 million servers at risk. Tracked as CVE-2026-41940 and rated CVSS 9.8 (Critical), this flaw allows remote attackers to gain full administrative access to affected servers without any credentials.
What Is the Vulnerability?
CVE-2026-41940 is an authentication bypass rooted in a CRLF injection flaw in the cPanel & WHM login process. By injecting carriage return and line feed characters into specific HTTP request headers, an unauthenticated attacker can manipulate the authentication flow and obtain a valid session as any user — including root-level WHM access.
The vulnerability affects every cPanel & WHM release after v11.40 that predates the fix, which covers virtually every modern deployment. WebPros International, the company behind cPanel, released a patch on April 28, 2026, but exploitation was already underway by at least February 23, 2026, leaving a window of at least two months of zero-day abuse before a fix existed.
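The mechanism the advisory describes, CR and LF characters in a header value turning into an extra header, is a general property of HTTP header handling rather than anything specific to cPanel. The following is an added, constructed illustration of that vulnerability class in Python; it is not cPanel's code and does not reproduce the actual CVE-2026-41940 logic, which the advisory does not detail. The x-authenticated-user header and the front-end/back-end split are assumptions made for the illustration.

```python
"""Generic illustration of the CRLF-injection vulnerability class.

Constructed example, not cPanel code; it does not reproduce the actual
CVE-2026-41940 logic. It shows why one unvalidated CR/LF in a header
value lets a client smuggle an additional header that a downstream
component trusts.
"""
import re

# Assumed for the illustration: a front end sets this header for its
# back end once it has authenticated the client, and the back end
# trusts the header without further checks.
TRUSTED_IDENTITY_HEADER = "x-authenticated-user"

CRLF_RE = re.compile(r"[\r\n]")


def build_request(client_headers):
    """Vulnerable: serialises client-supplied header values verbatim.

    A value containing "\\r\\n" terminates its header line early; whatever
    follows is parsed as a separate, attacker-chosen header.
    """
    lines = ["GET /login HTTP/1.1"]
    for name, value in client_headers.items():
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_headers(raw):
    """Minimal parser standing in for how a back end reads the request."""
    head = raw.decode().split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def identity_seen_by_backend(client_headers):
    """Which user the trusting back end believes sent this request."""
    return parse_headers(build_request(client_headers)).get(TRUSTED_IDENTITY_HEADER)


def safe_header_value(value):
    """Hardened: refuse any CR or LF in a field value (RFC 9110 forbids them)."""
    if CRLF_RE.search(value):
        raise ValueError("CR/LF in header value")
    return value


def build_request_safe(client_headers):
    """Same serialiser, but every value passes the CR/LF check first."""
    return build_request({n: safe_header_value(v) for n, v in client_headers.items()})


def rejects(value):
    """True if the hardened check refuses the value."""
    try:
        safe_header_value(value)
    except ValueError:
        return True
    return False


# Constructed attacker input: a User-Agent that carries an injected header.
ATTACK = {"User-Agent": "Mozilla/5.0\r\nX-Authenticated-User: root"}
BENIGN = {"User-Agent": "Mozilla/5.0"}

if __name__ == "__main__":
    print("vulnerable back end sees user:", identity_seen_by_backend(ATTACK))
    print("benign request sees user:", identity_seen_by_backend(BENIGN))
    print("hardened builder rejects attack:", rejects(ATTACK["User-Agent"]))
```

The check has to run after whatever decoding the component performs (URL-decoding, base64 and so on), because a %0d%0a sequence only becomes a real CR/LF once it is decoded; validating the still-encoded form gives a false sense of safety.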
Who Is Being Targeted?
This is not a theoretical threat. Multiple threat actor groups have been observed exploiting CVE-2026-41940 in the wild, targeting:
- Government agency web infrastructure
- Managed Service Providers (MSPs) and web hosting companies
- Small and medium-sized businesses running shared hosting environments
Attackers have used the access to breach servers, deface websites, and encrypt data for ransomware. The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-41940 to its Known Exploited Vulnerabilities (KEV) catalog, underscoring the urgency.
Why Is This So Dangerous?
cPanel & WHM powers a significant portion of the world’s shared web hosting. A single compromised WHM instance can give an attacker control over hundreds of client websites hosted on that server. The combination of:
- A CVSS score of 9.8 (nearly the maximum possible)
- No authentication required to exploit
- Remote exploitability over the internet
- 1.5 million exposed instances
…makes this one of the most dangerous vulnerabilities disclosed in 2026.
How to Fix It
The primary fix is straightforward: update cPanel & WHM to the latest version released on or after April 28, 2026. WebPros International pushed the patch automatically to systems configured for automatic updates (WHM's Update Preferences page), but verify rather than assume: check the installed version on the server with /usr/local/cpanel/cpanel -V (the same number is shown in the WHM header), and run /scripts/upcp to pull the update if it has not been applied.
If you cannot patch immediately, apply the following interim mitigations:
- Restrict WHM and cPanel login access to trusted IP addresses only. WHM's Host Access Control (under Security Center) limits which addresses may reach the cpaneld and whostmgrd services, and the server firewall (CSF or iptables) can enforce the same at the network layer for the cPanel ports 2082/2083 and the WHM ports 2086/2087.
- Audit recent access logs for logins from unfamiliar IP addresses, in particular root or reseller sessions in WHM. On the server these live under /usr/local/cpanel/logs/ (access_log for requests, login_log for login attempts).
- Enable two-factor authentication (2FA) on all cPanel and WHM accounts. It does not block this bypass, but it adds an extra layer of defense.
- Monitor for unexpected file changes, new cron jobs, or unfamiliar user accounts that may indicate post-exploitation activity.
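A concrete way to carry out the log-audit and IP-restriction checks above, as an added example that is not cPanel's own tooling: the script below scans access-log lines for two things, privileged logins that succeeded from outside a trusted allowlist, and requests whose request line or logged header fields contain raw, backslash-escaped or URL-encoded CR/LF. It assumes the Apache combined-style record layout (client IP, ident, user, timestamp, request, status, size, referer, user agent) for /usr/local/cpanel/logs/access_log; the log lines, the trusted networks and the privileged-user set are constructed for the example, so adjust LINE_RE, TRUSTED and PRIVILEGED_USERS for your environment.

```python
"""Added example: audit cPanel/WHM access-log lines for privileged logins
from untrusted addresses and for CR/LF sequences in logged request data.

Not cPanel's code. The record layout (Apache combined style) is assumed;
the sample log lines and the trusted networks are constructed.
"""
import ipaddress
import re
import sys
from collections import Counter

# Assumed layout: ip ident user [time] "request" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# CR/LF as raw characters, as backslash escapes (how some servers write
# control characters into logs), or URL-encoded, including double-encoded.
CRLF_RE = re.compile(r"\r|\n|\\r|\\n|%(?:25)?0[dDaA]")

# Constructed trust boundary for the example.
TRUSTED = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("10.0.0.0/8")]
PRIVILEGED_USERS = {"root"}

# Constructed log lines, not real traffic (raw string so "\r\n" stays literal).
SAMPLE_LOG = r"""
10.0.0.5 - root [28/04/2026:09:12:01 +0000] "GET /cpsess4711/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [28/04/2026:09:15:40 +0000] "GET /login/?user=admin%0d%0aX-Injected:%20yes HTTP/1.1" 401 512 "-" "curl/8.4.0"
198.51.100.23 - root [28/04/2026:09:15:44 +0000] "GET /cpsess4712/json-api/listaccts HTTP/1.1" 200 2048 "-" "curl/8.4.0"
203.0.113.7 - alice [28/04/2026:10:02:13 +0000] "POST /cpsess4713/frontend/jupiter/mail/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [28/04/2026:10:40:00 +0000] "GET /login/ HTTP/1.1" 200 1400 "-" "Mozilla/5.0\r\nX-Injected: yes"
this line is not in the expected format
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()


def parse_line(line):
    """Return the record fields, or None if the line does not match the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip):
    """True if the address falls inside one of the TRUSTED networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED)


def audit(lines):
    """Scan lines and return a list of findings (dicts with line, kind, ip, user, detail)."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            # Unparsed lines are reported rather than dropped: a malformed
            # record is itself worth a look when reviewing for tampering.
            findings.append({"line": lineno, "kind": "unparsed", "ip": None, "user": None, "detail": line})
            continue
        fields = {k: rec.get(k) or "" for k in ("request", "referer", "ua")}
        hits = [k for k, v in fields.items() if CRLF_RE.search(v)]
        if hits:
            findings.append({"line": lineno, "kind": "crlf", "ip": rec["ip"],
                             "user": rec["user"], "detail": ", ".join(hits)})
        # A 2xx/3xx response for a privileged user from outside the allowlist
        # is the "unfamiliar IP" case the mitigation list asks you to look for.
        if rec["user"] in PRIVILEGED_USERS and rec["status"][0] in "23" and not is_trusted(rec["ip"]):
            findings.append({"line": lineno, "kind": "untrusted_privileged", "ip": rec["ip"],
                             "user": rec["user"], "detail": rec["request"]})
    return findings


def offending_ips(findings):
    """Count findings per source address so the noisiest sources surface first."""
    return Counter(f["ip"] for f in findings if f["ip"])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LINES
    results = audit(lines)
    for f in results:
        print(f"line {f['line']:>6}  {f['kind']:<22} {f['ip'] or '-':<16} {f['user'] or '-':<10} {f['detail']}")
    print("by source IP:", dict(offending_ips(results).most_common()))
```

Point it at the real file (python audit_access_log.py /usr/local/cpanel/logs/access_log, file name assumed) on each host; with no argument it audits the constructed sample. Treat a CR/LF hit as a reason to investigate the session, not as proof of exploitation, and keep TRUSTED in step with the Host Access Control or firewall allowlist you actually deployed so the two checks describe the same boundary.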
Act Now
Given the active exploitation and the number of servers exposed, there is no time to delay. Every hour a vulnerable cPanel instance sits unpatched is an opportunity for attackers to gain a foothold in your infrastructure. Check your cPanel version, apply the patch, and review your logs today.
At Solvanta, we help businesses keep their infrastructure protected and secure — from vulnerability assessments and patch management to continuous monitoring. If you’re unsure whether your servers are exposed or need help hardening your hosting environment, reach out to our team.