CVE-2026-41940 · cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow

01 · The Real Story

This is the hosting provider’s master key left under the front doormat

CVE-2026-41940 is a pre-authentication bypass in cPanel & WHM’s session management layer. A remote attacker can abuse the login flow so cpsrvd writes attacker-controlled session data, then reload that session as authenticated without a valid password. Vendor guidance says every cPanel & WHM version after 11.40 is affected, with fixes shipped across supported branches including 11.86.0.41, 11.94.0.28, 11.102.0.39, 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, 11.136.0.5, plus WP Squared 136.1.7.

The vendor’s 9.8 is fair as a starting point, but real-world conditions push this to a full operational critical. There is no attacker foothold requirement, no credential requirement, the management plane is commonly internet-exposed by design, public technical analysis and PoC material landed immediately, CISA added it to KEV on 2026-05-01, and follow-on compromise activity has already been reported. On multi-tenant hosting nodes, one hit is not one app lost; it is every site, mailbox, database, and reseller account on that server.

"Pre-auth admin takeover on internet-facing cPanel, with KEV status and live exploitation. Assume server compromise."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Find exposed control planes

Attackers enumerate cPanel/WHM over default management ports such as 2083, 2087, 2095, and 2096 using internet telemetry and commodity scanning. Censys reported about 1.1 million exposed hosts and 6.7 million exposed web properties, while Rapid7 cited roughly 1.5 million internet-exposed cPanel instances.

Conditions required:

Target runs cPanel/WHM or WP Squared
Management or webmail ports are reachable from the internet

Where this breaks in practice:

Some providers temporarily blocked these ports during the patch window
Exposure counts do not cleanly distinguish patched from unpatched builds

Detection/coverage: External ASM finds this well; scanner identification is easier than version validation because many hosts do not return reliable version headers.

STEP 02

Abuse session creation in cpsrvd

Public research from watchTowr shows the login flow can be manipulated through Basic authentication handling so unsanitized attacker input reaches the on-disk session writer. The issue is not a brute-force problem; it is a logic flaw in how session data is written and later trusted.

Conditions required:

Unauthenticated remote access to the cPanel/WHM login surface
Vulnerable build in an affected branch

Where this breaks in practice:

Temporary inbound port blocks stop the request before it reaches cpsrvd
A reverse proxy or custom access policy may reduce direct internet reachability

Detection/coverage: Network controls may spot malformed or unusual auth-header patterns, but generic WAF coverage is uneven because this often rides the legitimate management interface.

STEP 03

Promote forged session to admin

After the session file is written, the service reloads it and treats attacker-supplied state as authenticated. watchTowr’s analysis shows the result can be administrative WHM access, effectively a root-equivalent control-plane compromise.

Conditions required:

Forged session file successfully written and reloaded
Target session handling follows the vulnerable code path

Where this breaks in practice:

Patched builds sanitize and harden the session path
Service restarts after updating matter because stale processes can preserve risk

Detection/coverage: Vendor IOC script and local log review help after the fact; Rapid7 shipped authenticated checks on 2026-04-30.

STEP 04

Take over tenants and monetize

Once inside WHM, the attacker owns the management plane: hosted sites, mail, databases, DNS, file managers, and downstream user accounts. This is why exploitation rapidly translated into follow-on compromise activity, including reports tied to backdoors and Sorry ransomware.

Conditions required:

Administrative panel access obtained
Hosted assets and accounts managed by the compromised node

Where this breaks in practice:

EDR, FIM, and downstream monitoring may catch persistence or ransomware staging
Blast radius is bounded to the compromised server or cluster, not the entire enterprise by default

Detection/coverage: Post-exploitation is more visible than initial access: file changes, account creation, webshell placement, cron edits, backup tampering, and encryption activity should light up decent Linux telemetry.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	Confirmed exploited. cPanel states CISA added it to KEV on 2026-05-01; Rapid7 cites KnownHost reporting active exploitation with evidence as early as 2026-02-23; BleepingComputer later reported mass exploitation in `Sorry` ransomware activity.
Proof-of-concept availability	Public technical analysis/PoC exists. watchTowr Labs published exploit details on 2026-04-29.
EPSS	0.9053 from the user-provided intel, which is exceptionally high and consistent with what we would expect for a remotely reachable KEV-listed auth bypass.
KEV	Yes. Added to CISA KEV on 2026-05-01 per cPanel’s response post; that is strong evidence the vulnerability crossed from serious to actively operationalized.
CVSS and what it really means	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` is not inflated here. This is unauthenticated remote access to a management plane, with high impact across confidentiality, integrity, and availability.
Affected versions	Vendor says all versions after `11.40` are affected in cPanel & WHM, plus WP Squared before `136.1.7`. NVD records affected CPE ranges across legacy and supported branches.
Fixed versions	Supported-branch fixes include `11.86.0.41`, `11.94.0.28`, `11.102.0.39`, `11.110.0.97`, `11.118.0.63`, `11.124.0.35`, `11.126.0.54`, `11.130.0.19`, `11.132.0.29`, `11.134.0.20`, `11.136.0.5`, and `WP Squared 136.1.7`. cPanel also shipped a direct `11.110.0.103` path for some `CentOS 6/CloudLinux 6` servers pinned to `110.0.50`.
Scanning and exposure data	Rapid7 cited a naive Shodan query returning about 1.5M exposed instances. Censys said its queries returned about 1.1M exposed hosts and 6.7M exposed web properties, but also warned that internet scan data cannot reliably tell patched from unpatched builds.
Disclosure timeline	Patch released by cPanel on 2026-04-28; CVE published on 2026-04-29; watchTowr technical writeup landed 2026-04-29; KEV inclusion followed on 2026-05-01.
Researcher and detection coverage	cPanel credits Sybre Waaijer for responsible reporting. cPanel published an IOC script; Rapid7 shipped authenticated checks on 2026-04-30; Censys and external ASM can find exposure, but version-level certainty often requires local verification.

04 · The Call

noisgate verdict.

Final Verdict

= UNCHANGED to CRITICAL (10.0/10)

The decisive factor is attacker position: this is an *unauthenticated remote* bypass on a management interface that is commonly exposed by design. KEV status and public exploitation evidence remove the last excuse to treat the vendor 9.8 as merely theoretical.

HIGH Technical exploitability and impact on a vulnerable internet-facing host

HIGH Active exploitation / KEV status

MEDIUM Current exposed-vs-unpatched population estimate

Why this verdict

Baseline stays maxed: vendor 9.8 assumes AV:N/PR:N/UI:N, and that is exactly the real attacker path here.
No foothold tax: the prerequisite is *public reachability*, not phishing success, internal network position, stolen creds, or a privileged role. That means this is an initial-access bug, not a post-compromise convenience feature.
Exposure narrowing is real but not enough to save you: only cPanel/WHM fleets are in scope, but those fleets are intentionally internet-facing and concentrated at hosting providers. Censys still saw about 1.1M hosts and 6.7M web properties, so the reachable population remains enormous.
Blast radius is amplified by tenancy: one compromised control plane can collapse hundreds or thousands of customer sites, mailboxes, and databases on the same node.
Operational signals push it upward: public watchTowr analysis on 2026-04-29, KEV on 2026-05-01, and exploitation reporting together justify moving from vendor critical to *drop-everything critical*.

Why not higher?

There is no bucket above CRITICAL, and this one already sits at the ceiling. The only meaningful downward pressure is that the flaw targets cPanel/WHM fleets rather than the whole Linux estate, but that scope limit is overwhelmed by internet exposure and control-plane blast radius.

Why not lower?

A lower rating would require real friction such as authenticated access, internal-only reachability, uncommon deployment, or unreliable exploitation. None of those apply cleanly here: the interface is commonly exposed, the exploit path is public, and KEV plus compromise reports say attackers are already cashing it in.

05 · Compensating Control

What to do — in priority order.

Block public access to cPanel ports — If any node is not yet patched, restrict inbound traffic to 2083, 2087, 2095, and 2096 immediately, within hours. This is the fastest way to break the unauthenticated remote path while you finish remediation.
Disable service subdomains — Apply the vendor-recommended service-subdomain shutdown where relevant immediately, within hours, so alternate paths do not keep the panel reachable after a port block.
Stop cpsrvd and cpdavd on stragglers — For systems that cannot be patched at once, stop the affected services immediately, within hours. This is ugly but appropriate for a KEV-listed pre-auth management-plane bypass.
Run the vendor IOC script — Use cPanel’s detection script on any host that was internet-facing before patching, and do it immediately, within hours. This is not just a vuln-validation exercise; it is compromise triage.
Constrain admin-plane reachability long term — After emergency handling, move cPanel/WHM behind VPN, allowlists, bastions, or provider-side access controls within the CRITICAL remediation window. The exploit is this week’s fire; the exposure model is the recurring cause.

What doesn't work

MFA alone does not fix this, because the flaw bypasses normal authentication flow before valid user auth is established.
Credential resets alone do not neutralize exposure on an unpatched host; the attacker does not need the password path you are resetting.
Relying on version banners from external scans does not prove safety; Censys explicitly notes many hosts do not expose enough version detail to separate patched from unpatched builds.

06 · Verification

Crowdsourced verification payload.

Run this on the target cPanel/WHM host as root or with sudo; it uses the local cPanel binary and needs no network access. Save it as check_cve_2026_41940.sh, then run sudo bash check_cve_2026_41940.sh to print VULNERABLE, PATCHED, or UNKNOWN and return exit code 1, 0, or 2 respectively.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_cve_2026_41940.sh
# Determine whether the local cPanel/WHM install is vulnerable to CVE-2026-41940.
# Exit codes: 0=PATCHED/NOT_AFFECTED, 1=VULNERABLE, 2=UNKNOWN

set -u

CPANEL_BIN="/usr/local/cpanel/cpanel"

ver_lt() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

ver_ge() {
  [ "$(printf '%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

print_result() {
  local status="$1"
  local detail="$2"
  echo "$status: $detail"
}

if [ ! -x "$CPANEL_BIN" ]; then
  print_result "UNKNOWN" "cPanel binary not found at $CPANEL_BIN"
  exit 2
fi

raw_version="$($CPANEL_BIN -V 2>/dev/null | tr -d '[:space:]')"
version="${raw_version#v}"

if [ -z "$version" ]; then
  print_result "UNKNOWN" "Unable to read cPanel version from $CPANEL_BIN -V"
  exit 2
fi

# Vendor states versions after 11.40 are affected.
if ver_lt "$version" "11.40.0.1" || [ "$version" = "11.40" ] || [ "$version" = "11.40.0.0" ]; then
  print_result "PATCHED" "Installed version $version is not in the affected range (vendor says affected versions are after 11.40)"
  exit 0
fi

# All newer branches after 11.136.0.5 are considered fixed per vendor note that later versions are patched.
if ver_ge "$version" "11.136.0.5"; then
  print_result "PATCHED" "Installed version $version is at or above 11.136.0.5"
  exit 0
fi

# Supported-branch fixed versions from vendor advisory.
if ver_ge "$version" "11.134.0.20" && ver_lt "$version" "11.136.0.0"; then
  print_result "PATCHED" "Installed version $version is fixed in the 11.134 branch"
  exit 0
fi
if ver_ge "$version" "11.132.0.29" && ver_lt "$version" "11.134.0.0"; then
  print_result "PATCHED" "Installed version $version is fixed in the 11.132 branch"
  exit 0
fi
if ver_ge "$version" "11.130.0.19" && ver_lt "$version" "11.132.0.0"; then
  print_result "PATCHED" "Installed version $version is fixed in the 11.130 branch"
  exit 0
fi
if ver_ge "$version" "11.126.0.54" && ver_lt "$version" "11.130.0.0"; then
  print_result "PATCHED" "Installed version $version is fixed in the 11.126 branch"
  exit 0
fi
if ver_ge "$version" "11.124.0.35" && ver_lt "$version" "11.126.0.0"; then
  print_result "PATCHED" "Installed version $version is fixed in the 11.124 branch"
  exit 0
fi
if ver_ge "$version" "11.118.0.63" && ver_lt "$version" "11.124.0.0"; then
  print_result "PATCHED" "Installed version $version is fixed in the 11.118 branch"
  exit 0
fi
if ver_ge "$version" "11.110.0.97" && ver_lt "$version" "11.118.0.0"; then
  print_result "PATCHED" "Installed version $version is fixed in the 11.110 branch"
  exit 0
fi
if ver_ge "$version" "11.102.0.39" && ver_lt "$version" "11.110.0.0"; then
  print_result "PATCHED" "Installed version $version is fixed in the 11.102 branch"
  exit 0
fi
if ver_ge "$version" "11.94.0.28" && ver_lt "$version" "11.102.0.0"; then
  print_result "PATCHED" "Installed version $version is fixed in the 11.94 branch"
  exit 0
fi
if ver_ge "$version" "11.86.0.41" && ver_lt "$version" "11.94.0.0"; then
  print_result "PATCHED" "Installed version $version is fixed in the 11.86 branch"
  exit 0
fi

# Everything after 11.40 but below fixed branch thresholds should be treated as vulnerable.
if ver_ge "$version" "11.40.0.1"; then
  print_result "VULNERABLE" "Installed version $version falls in an affected branch and is below the vendor fixed build for that branch or is on an older unsupported branch"
  exit 1
fi

print_result "UNKNOWN" "Unable to classify installed version $version"
exit 2

07 · Bottom Line

If you remember one thing.

TL;DR

By Monday morning, inventory every cPanel/WHM and WP Squared node that is or was internet-reachable, put temporary port blocks or service shutdowns on any system not already fixed, and run compromise triage on anything exposed before patching. Because this CVE is KEV-listed and actively exploited, patch / mitigate immediately, within hours, overriding the noisgate mitigation SLA; the noisgate remediation SLA for a CRITICAL issue is ≤ 90 days, but this is one of the cases where consuming that full window would be reckless, so finish exposed-fleet patching in days and treat any laggard host as a likely incident, not routine patch debt.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.