CVE-2026-29205 · CWE-250 · Disclosed 2026-05-13

Incorrect privileges management and insufficient path filtering

ASSESSED — NOISGATE V0.5
01 · The Real Story

This is a master key left in a side door, but only if the attacker can first wedge the door open with a delivered email

CVE-2026-29205 is a pre-auth arbitrary file read in cpdavd on cPanel & WHM / WP Squared caused by a privilege-drop failure plus insufficient path filtering in attachment-download handling. The vendor says it affects cPanel & WHM version 120 and higher; supported fixed builds are 11.124.0.40, 11.126.0.61, 11.130.0.25, 11.132.0.34, 11.134.0.28, 11.136.0.12, and WP Squared 11.136.1.15 and later. Public research shows successful exploitation reads files as root, including targets like /etc/shadow, but only after the attacker creates a specially named maildir path via email delivery.

The vendor's HIGH (8.6) rating is directionally fair on technical impact, but too optimistic about ease of exploitation at enterprise scale. The chain is unauthenticated and remote, yet it is not a straight-shot web bug: it depends on reachable cpdavd exposure, a valid mailbox guess, accepted SMTP delivery, and the vulnerable attachment path. Those frictions materially shrink the reachable population, so this stays HIGH, not CRITICAL.

"Pre-auth root file read is serious, but this is not a one-packet internet worm; mailbox and exposure friction keep it High, not Critical"
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a reachable cpdavd surface

The attacker starts with recon using nmap, curl, or the exposure checks embedded in Assetnote's research tooling. The practical target is cpdavd on 2079/2080 because the vulnerable attachment-download flow lives there, not on the better-known WHM login ports.
Conditions required:
  • Target runs cPanel & WHM / WP Squared in an affected version range
  • cpdavd is exposed on 2079/2080 or otherwise reachable from the attacker
Where this breaks in practice:
  • Many deployments expose only 2083/2087 and keep DAV ports filtered
  • Some admins disable or tightly scope CalDAV/CardDAV access entirely
  • WAFs and reverse proxies often do not sit in front of 2079/2080, but firewalls often do
Detection/coverage: Internet exposure scanners can flag open 2079/2080, but most vulnerability scanners will miss exploitability because they do not perform the full mailbox-seeding chain.
STEP 02

Seed the special maildir via SMTP

Per Searchlight Cyber / Assetnote research and the assetnote/cpanel2shell-scanner repository's --exploit mode, the attacker must first cause cPanel to create a specially named folder on disk by delivering mail to a guessed user+x-attachment-1-y@domain style address. This is the decisive friction point: no mailbox, no folder, no read primitive.
Conditions required:
  • Attacker can derive a hosted domain from cert SANs or other recon
  • At least one valid local part exists or can be guessed
  • Inbound mail for that address is accepted and delivered
Where this breaks in practice:
  • Requires a deliverable mailbox or accepted alias, which turns this into a setup chain rather than a one-request bug
  • External mail filtering, invalid recipient rejection, or disabled plus-addressing can break the setup
  • SMTP telemetry and mail logs provide defenders a better chance to notice unusual probing
Detection/coverage: Look for repeated RCPT TO attempts to unusual plus-addressed recipients and sudden creation of odd maildir folders. This is detectable in MTA logs, but few scanners validate it automatically.
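The detection suggested above, as an added example that is not part of the original assessment or of any vendor or researcher tooling: it parses MTA recipient events, separates ordinary plus-addressing from the "attachment"-style sub-address tags the seeding step needs, and raises one alert per source IP whose seed-style RCPT attempts cluster inside a time window. The log lines are constructed and use a simplified Exim-like layout; the regex is the part to adapt to your real MTA format. Accepted seeds are listed separately because those are the recipients for which a maildir folder may now exist.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MTA log lines (simplified, Exim-like layout; not real cPanel logs).
# Layout: "<date> <time> H=(<helo>) [<ip>] F=<<sender>> <accepted|rejected> RCPT <<recipient>>[: <reason>]"
SAMPLE_LOG = """\
2026-05-14 10:00:01 H=(probe) [198.51.100.7] F=<scan@example.net> rejected RCPT <bob+x-attachment-1-y@example.com>: No Such User Here
2026-05-14 10:00:02 H=(probe) [198.51.100.7] F=<scan@example.net> rejected RCPT <alice+x-attachment-1-y@example.com>: No Such User Here
2026-05-14 10:00:03 H=(probe) [198.51.100.7] F=<scan@example.net> rejected RCPT <info+x-attachment-1-y@example.com>: No Such User Here
2026-05-14 10:00:04 H=(probe) [198.51.100.7] F=<scan@example.net> accepted RCPT <admin+x-attachment-1-y@example.com>
2026-05-14 10:05:00 H=(mail.partner.example) [203.0.113.9] F=<news@partner.example> accepted RCPT <alice+newsletter@example.com>
2026-05-14 11:30:00 H=(probe2) [192.0.2.55] F=<x@example.org> rejected RCPT <carol+x-attachment-1-y@example.com>: No Such User Here
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?\[(?P<ip>[^\]]+)\] .*?'
    r'(?P<verb>accepted|rejected) RCPT <(?P<rcpt>[^>]+)>'
)
PLUS_RE = re.compile(r'^(?P<user>[^+@]+)\+(?P<tag>[^@]+)@(?P<domain>.+)$')
# The seeding step needs an "attachment"-style sub-address tag; that string is the pivot.
SEED_TAG_RE = re.compile(r'attachment', re.IGNORECASE)


def parse_line(line):
    """Return a dict for a recipient event, or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        'ts': datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S'),
        'ip': m['ip'],
        'verb': m['verb'],
        'rcpt': m['rcpt'].lower(),
    }


def classify_recipient(rcpt):
    """'seed-style' for plus-addresses whose tag mentions attachment,
    'plus-addressed' for ordinary sub-addressing, 'plain' otherwise."""
    pm = PLUS_RE.match(rcpt)
    if not pm:
        return 'plain'
    if SEED_TAG_RE.search(pm['tag']):
        return 'seed-style'
    return 'plus-addressed'


def detect_probing(log_text, window=timedelta(minutes=10), threshold=3):
    """One alert per source IP whose seed-style RCPT attempts peak at or above
    `threshold` inside any `window`; accepted seeds are the recipients for
    which a maildir folder may now exist on disk."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and classify_recipient(ev['rcpt']) == 'seed-style':
            by_ip[ev['ip']].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e['ts'])
        peak = start = 0
        for end, ev in enumerate(evs):          # sliding window over sorted events
            while ev['ts'] - evs[start]['ts'] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({
                'ip': ip,
                'peak_attempts': peak,
                'accepted_seeds': sorted({e['rcpt'] for e in evs if e['verb'] == 'accepted'}),
                'first_seen': evs[0]['ts'],
                'last_seen': evs[-1]['ts'],
            })
    return sorted(alerts, key=lambda a: a['first_seen'])


if __name__ == '__main__':
    for alert in detect_probing(SAMPLE_LOG):
        print(f"{alert['ip']}: {alert['peak_attempts']} seed-style RCPT attempts "
              f"between {alert['first_seen']} and {alert['last_seen']}; "
              f"accepted seeds: {alert['accepted_seeds'] or 'none'}")
```

The threshold and window are deliberately conservative; a single plus-addressed delivery is normal mail behaviour, while several attachment-tagged recipients from one source in minutes is the shape of a mailbox guess, and an accepted seed from that same source is what deserves an immediate look at the affected account's maildir.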
STEP 03

Trigger traversal through attachment download

With the folder in place, the attacker sends a crafted CalDAV/CardDAV request that encodes traversal segments so cpdavd resolves a path outside the intended mailbox area. Assetnote's public write-up describes the privilege-drop object lifetime bug that let the read execute as root on vulnerable builds.
Conditions required:
  • Special folder exists on disk from step 2
  • Request reaches the vulnerable attachment-download endpoint
  • Host is still on a vulnerable branch or an incomplete early fix
Where this breaks in practice:
  • The path construction is brittle and product-specific, so commodity opportunistic spraying is harder than CVSS suggests
  • The vendor shipped an additional fix on 2026-05-14, reducing the window for fully vulnerable supported systems
Detection/coverage: App-layer logs may show odd encoded traversal patterns, but signature coverage is inconsistent because this is a niche DAV path rather than a mainstream web route.
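The app-layer detection mentioned above, as an added example that is not part of the original assessment and not cpdavd's own logging: it percent-decodes each request target repeatedly until it stops changing (so double-encoded segments are unwrapped), counts parent-directory segments in the decoded path, and rates a hit higher when the server answered 2xx, since that is the case where something may actually have been served. The access-log lines are constructed in common log format, and "/example-attachment-endpoint/" is a placeholder path, not the real vulnerable route.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in common log format for a DAV service.
# Not real cpdavd logs; "/example-attachment-endpoint/" is a placeholder path.
SAMPLE_REQUESTS = """\
203.0.113.5 - - [14/May/2026:10:00:00 +0000] "GET /example-attachment-endpoint/report.pdf HTTP/1.1" 200 1024
198.51.100.7 - - [14/May/2026:10:01:00 +0000] "GET /example-attachment-endpoint/%2e%2e/%2e%2e/outside.txt HTTP/1.1" 200 512
198.51.100.7 - - [14/May/2026:10:01:05 +0000] "GET /example-attachment-endpoint/%252e%252e/outside.txt HTTP/1.1" 404 0
203.0.113.5 - - [14/May/2026:10:02:00 +0000] "PROPFIND /calendars/alice/ HTTP/1.1" 207 2048
"""

REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
MAX_DECODE_ROUNDS = 3  # enough to unwrap double and triple encoding


def fully_decode(target, rounds=MAX_DECODE_ROUNDS):
    """Percent-decode until the string stops changing. Returns (decoded, rounds_needed);
    rounds_needed >= 2 means the request was at least double-encoded."""
    current = target
    for i in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            return current, i
        current = decoded
    return current, rounds


def parent_segments(path):
    """Count '..' segments after splitting on '/' and '\\' (some servers accept both)."""
    path_only = path.split('?', 1)[0]
    return sum(1 for seg in re.split(r'[/\\]+', path_only) if seg == '..')


def analyse_target(target):
    decoded, rounds = fully_decode(target)
    parents = parent_segments(decoded)
    return {
        'decoded': decoded,
        'decode_rounds': rounds,
        'parent_segments': parents,
        'multi_encoded': rounds >= 2,
        'suspicious': parents > 0,
    }


def scan_requests(log_text):
    """Flag requests whose decoded target climbs out of its directory. Severity is
    'high' when the server answered 2xx (it may have served the file), else 'medium'."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        verdict = analyse_target(m['target'])
        if not verdict['suspicious']:
            continue
        status = int(m['status'])
        hits.append({
            'ip': m['ip'], 'method': m['method'], 'status': status, 'target': m['target'],
            'severity': 'high' if 200 <= status < 300 else 'medium',
            **verdict,
        })
    return hits


if __name__ == '__main__':
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(f"[{hit['severity']}] {hit['ip']} {hit['method']} {hit['target']} -> {hit['status']} "
              f"(decoded: {hit['decoded']}, {hit['parent_segments']} parent segment(s), "
              f"{hit['decode_rounds']} decode round(s))")
```

Decoding to a fixed point rather than once is the point of the example: a signature that looks for a literal `..` or a single `%2e%2e` misses the double-encoded form, which is exactly why the assessment calls signature coverage on this niche DAV path inconsistent.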
STEP 04

Harvest secrets and pivot

The immediate impact is arbitrary file read, not code execution. In practice, reading /etc/shadow, service configs, tokens, API keys, database credentials, or user mail can drive rapid follow-on compromise, especially on shared hosting systems where one control plane server concentrates many tenants.
Conditions required:
  • Attacker knows which files to target for credential or secret extraction
  • Retrieved secrets are still valid and reusable
Where this breaks in practice:
  • No direct RCE from this CVE alone
  • Credential abuse after file disclosure may hit MFA, SSH restrictions, or downstream service hardening
Detection/coverage: File integrity monitoring does not help because the operation is a read. Focus on anomalous DAV requests, secret reuse, and post-disclosure login activity.
03 · Intelligence Metadata

The supporting signals.

In-the-wild status: No CISA KEV listing found. I found public researcher discussion and a published exploit chain, but not authoritative CISA or vendor confirmation of broad active exploitation for this CVE.
Proof-of-concept / exploit availability: Public exploit path exists. Searchlight Cyber / Assetnote published a technical write-up and the repo assetnote/cpanel2shell-scanner includes an opt-in --exploit mode for CVE-2026-29205.
EPSS: 0.031% (9th percentile) per the GitHub Advisory Database's FIRST-backed EPSS display. That is very low and is strong downward pressure versus the vendor CVSS.
KEV status: Not listed in the CISA Known Exploited Vulnerabilities Catalog as checked during this reassessment.
CVSS vector meaning: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L means unauthenticated network reach with no user action, but the vector does not capture the real exploit chain's mailbox-seeding prerequisite.
Affected versions: Vendor advisory says cPanel & WHM versions 120 and higher are affected.
Fixed versions: 11.124.0.40, 11.126.0.61, 11.130.0.25, 11.132.0.34, 11.134.0.28, 11.136.0.12, and WP Squared 11.136.1.15 and later. The advisory notes an additional fix released on 2026-05-14 and backported across supported versions.
Scanning / exposure reality: Censys reported 1,052,657 internet-visible cPanel/WHM hosts overall, but that is product-level exposure, not confirmed vulnerable cpdavd exposure. Inference: the reachable population for this CVE is smaller because it depends on DAV ports/services, commonly 2079/2080, being exposed.
Disclosure timeline: CVE record and vendor advisory published on 2026-05-13; GitHub Advisory published on 2026-05-14; vendor advisory updated on 2026-05-14 with an additional fix and again on 2026-05-15.
Reporting researchers: Shubham Shah, Adam Kues, and Patrik Grobshäuser from Assetnote, credited by cPanel.
04 · The Call

noisgate verdict.

Final Verdict: UNCHANGED · HIGH (7.4/10)

The decisive factor is that exploitation is pre-auth but not one-step: the attacker needs a reachable DAV surface and must successfully seed a special maildir through SMTP before the file read works. That materially narrows real-world exposure, but once those conditions are met the impact is still root-level file disclosure on a high-value internet-facing control plane.

  • HIGH: Affected/fixed version mapping from vendor sources
  • MEDIUM: Real-world exposure reduction from DAV-port reachability
  • MEDIUM: Current exploitation prevalence assessment

Why this verdict

  • Downgrade for setup friction: this is not a pure single-request pre-auth bug; the public exploit chain requires a deliverable mailbox guess and SMTP-driven folder creation first.
  • Downgrade for reachable population: only deployments with vulnerable cpdavd exposure on the relevant DAV surface are reachable; many enterprises running cPanel do not broadly expose 2079/2080.
  • Stayed HIGH because impact is ugly: once the chain lands, the attacker can read arbitrary files as root, which is enough to steal password hashes, API keys, database credentials, and mail content for fast follow-on compromise.

Why not higher?

It is not CRITICAL because the CVSS vector overstates ease in the field. The mailbox-seeding requirement, service-specific exposure, and absence of KEV-backed mass exploitation evidence make this meaningfully less sprayable than a one-packet auth bypass or RCE.

Why not lower?

It should not fall to MEDIUM because the post-condition is still root-scope file disclosure on an internet-facing hosting control plane. Even without direct RCE, the likely follow-on value of stolen secrets is high enough that defenders should treat exposed, affected hosts as serious patch candidates.

05 · Compensating Control

What to do — in priority order.

  1. Restrict DAV ports — Block inbound access to 2079/2080 from the public Internet and limit to trusted admin/VPN networks where business-acceptable. For a HIGH verdict, deploy this within 30 days if you cannot patch immediately; it directly breaks the exploit path at the first step.
  2. Disable unused CalDAV/CardDAV exposure — If the environment does not need cpdavd externally, turn off or tightly scope those services. For a HIGH verdict, do this within 30 days because removing the reachable surface is the fastest way to collapse attacker opportunity.
  3. Harden inbound mail acceptance — Tighten mailbox validation, alias handling, and recipient acceptance monitoring so unusual plus-addressed probes are easier to detect and less likely to create the required folder structure. Deploy within 30 days as a friction multiplier, not a substitute for the vendor fix.
  4. Monitor for odd plus-addressing and DAV requests — Alert on bursts of RCPT TO attempts to synthetic plus-addresses and on encoded traversal-like requests hitting cpdavd. Stand up the detections within 30 days to catch exploit prep and post-disclosure follow-on activity.
What doesn't work
  • A standard WAF on the main website often does nothing because the vulnerable traffic may hit cpdavd directly on 2079/2080, outside the normal reverse-proxy path.
  • File integrity monitoring does not stop this issue because the attacker is reading files, not modifying them.
  • Password rotation alone is incomplete; the vuln can expose many non-password secrets such as API tokens, config files, and mail content.
06 · Verification

Crowdsourced verification payload.

Run this on the target cPanel/WP Squared host, not from a scanner workstation. Invoke as sudo bash check-cve-2026-29205.sh; root is preferred so /usr/local/cpanel/cpanel -V and local files are readable, though most installs work with a regular shell account too.

noisgate-verify.sh · bash · read-only · safe
#!/usr/bin/env bash
# check-cve-2026-29205.sh
# Local version-based verifier for cPanel & WHM / WP Squared builds fixed for CVE-2026-29205.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

CPANEL_BIN="/usr/local/cpanel/cpanel"
VERSION_FILE="/usr/local/cpanel/version"

get_version() {
  # Prefer the binary's own report; fall back to the version file.
  if [ -x "$CPANEL_BIN" ]; then
    "$CPANEL_BIN" -V 2>/dev/null && return 0
  fi
  if [ -r "$VERSION_FILE" ]; then
    cat "$VERSION_FILE" 2>/dev/null && return 0
  fi
  return 1
}

ver_ge() {
  # returns 0 if $1 >= $2 using sort -V
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
}

VERSION_RAW="$(get_version 2>/dev/null)"
if [ -z "${VERSION_RAW:-}" ]; then
  echo "UNKNOWN - cPanel version not found"
  exit 2
fi

# Pull the first dotted four-part version out of the raw output so any trailing
# text (build tags, whitespace) cannot pollute the comparison below.
VERSION="$(printf '%s\n' "$VERSION_RAW" | grep -oE '[0-9]+(\.[0-9]+){3}' | head -n1)"
if [ -z "$VERSION" ]; then
  echo "UNKNOWN - unrecognized version format: $(printf '%s' "$VERSION_RAW" | tr -d '[:space:]')"
  exit 2
fi

# Expect versions like 11.134.0.28; the grep above guarantees numeric fields.
IFS='.' read -r MAJOR BRANCH _REST <<< "$VERSION"

if [ "$MAJOR" != "11" ]; then
  echo "UNKNOWN - unexpected cPanel major version: $VERSION"
  exit 2
fi

if [ "$BRANCH" -lt 120 ]; then
  echo "PATCHED - not in vendor affected range (affected: 120 and higher)"
  exit 0
fi

if [ "$BRANCH" -lt 124 ]; then
  echo "VULNERABLE - affected unsupported branch ($VERSION); upgrade to a supported fixed branch"
  exit 1
fi

# Minimum fixed build per supported branch, from the vendor advisory.
case "$BRANCH" in
  124) FIX="11.124.0.40" ;;
  126) FIX="11.126.0.61" ;;
  130) FIX="11.130.0.25" ;;
  132) FIX="11.132.0.34" ;;
  134) FIX="11.134.0.28" ;;
  136) FIX="11.136.0.12" ;;
  *)
    # Vendor states all further versions are patched.
    if [ "$BRANCH" -gt 136 ]; then
      echo "PATCHED - newer branch than vendor fixed branches ($VERSION)"
      exit 0
    fi
    echo "UNKNOWN - branch not covered by local logic: $VERSION"
    exit 2
    ;;
esac

if ver_ge "$VERSION" "$FIX"; then
  echo "PATCHED - $VERSION >= $FIX"
  exit 0
else
  echo "VULNERABLE - $VERSION < $FIX"
  exit 1
fi
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, pull an inventory of every cPanel/WP Squared host, then immediately separate internet-exposed cpdavd on 2079/2080 from internal-only systems. For this HIGH reassessment, use the noisgate mitigation SLA to restrict or disable external DAV exposure within 30 days, and use the noisgate remediation SLA to move every affected host to a fixed build within 180 days; prioritize externally reachable systems first, especially anything still on early 11.134 builds before 11.134.0.28.

Sources

  1. cPanel vendor advisory for CVE-2026-29205
  2. NVD entry
  3. GitHub Advisory Database GHSA-cc7w-h7g4-gq6p
  4. Searchlight Cyber / Assetnote technical write-up
  5. Assetnote cpanel2shell-scanner repository
  6. Censys blog on cPanel exposure
  7. CISA Known Exploited Vulnerabilities Catalog
  8. FIRST EPSS data and documentation