A critical authentication bypass vulnerability has been disclosed in cPanel & WHM and WP Squared, tracked as CVE-2026-41940. The issue affects cPanel software, including DNSOnly, across versions after 11.40, and has been assigned a critical severity due to the possibility of unauthenticated administrative access to affected control panels.
For hosting providers, managed service providers and organizations running internet-facing cPanel environments, this is not just another web panel vulnerability. A successful compromise of WHM can expose server configuration, hosted websites, databases, user accounts and operational control over the affected hosting environment.
What Is CVE-2026-41940?
CVE-2026-41940 is an authentication bypass vulnerability in the cPanel & WHM login and session handling flow. According to public technical analysis, the vulnerability is related to CRLF injection during session loading and saving, allowing an unauthenticated attacker to influence session data before normal authentication is completed.
In practical terms, this means an attacker may be able to bypass the login process and gain unauthorized access to the affected management interface. Because WHM provides administrative control over hosting infrastructure, exploitation can have a much wider impact than a single website compromise.
Why This Vulnerability Matters
cPanel and WHM are widely used across shared hosting, reseller hosting, agency hosting and managed server environments. A single affected WHM instance may manage multiple websites, accounts, databases, mailboxes and DNS configurations.
The risk is especially high because:
The vulnerability can be exploited remotely.
Authentication is not required before exploitation.
The affected service is commonly exposed to the internet.
Public technical analysis and proof-of-concept material have been released.
Active exploitation has been reported in the wild.
Rapid7 also noted that a basic Shodan query showed approximately 1.5 million exposed cPanel instances, although actual vulnerability depends on version, patch status and configuration.
Affected Products and Versions
According to cPanel’s security advisory, the issue affects cPanel software, including DNSOnly, across all versions after 11.40. cPanel has released patched versions for several release tiers.
Patched cPanel & WHM versions include:
11.86.0.41
11.110.0.97
11.118.0.63
11.124.0.35
11.126.0.54
11.130.0.19
11.132.0.29
11.134.0.20
11.136.0.5
For WP Squared, the patched version is:
136.1.7
Administrators should verify the latest vendor advisory before making production decisions, as cPanel has continued updating the advisory with additional guidance and patched version information.
Potential Business Impact
A compromised cPanel or WHM environment can create serious operational and security consequences. Depending on the environment, attackers may be able to:
Access hosted websites and application files
Modify DNS, email or account configurations
Access databases and backup data
Deploy web shells or malware
Create new administrative users
Disrupt websites hosted on the affected server
Pivot into connected infrastructure
For shared hosting and multi-tenant environments, the blast radius is particularly important. One vulnerable management interface may affect many downstream websites and customers.
Immediate Remediation Steps
The primary mitigation is to update affected systems to a patched version immediately. cPanel recommends updating the server using the cPanel update script, verifying the installed build and restarting the cPanel service after the update.
Recommended actions:
Update cPanel & WHM immediately
Run the official update process and move the server to a patched version supported by cPanel.
Verify the installed version
Confirm that the server is running one of the patched versions listed by the vendor.
Restart cPanel services after update
Restarting cpsrvd ensures the updated service is running properly.
Check servers with pinned or disabled updates
Servers with disabled automatic updates or pinned release tiers may not update automatically. These systems should be identified and remediated manually.
Use temporary mitigations only when patching is not immediately possible
cPanel lists temporary options such as blocking inbound traffic to cPanel-related ports or stopping affected services, but these should not replace patching.
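The "verify the installed version" step above is easy to get wrong by hand when a fleet spans several release tiers, because each tier has its own patched build. The following script is an added example, not code from cPanel or from the advisory: it takes the patched versions listed above, finds the tier matching an installed version, and reports whether that build is at or above the fix. The path /usr/local/cpanel/version is assumed from the standard cPanel layout and is not taken from the advisory; everything else runs offline.

```shell
#!/bin/sh
# Added example: compare an installed cPanel & WHM build against the patched
# versions published for CVE-2026-41940. Versions below are the ones listed
# in the advisory, keyed by release tier "11.<major>".
PATCHED_VERSIONS="11.86.0.41 11.110.0.97 11.118.0.63 11.124.0.35 11.126.0.54 11.130.0.19 11.132.0.29 11.134.0.20 11.136.0.5"

# version_ge A B: succeed (0) when dotted version A is >= B, comparing each
# numeric field in turn; missing trailing fields count as 0.
version_ge() {
    a="$1"; b="$2"
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 0   # both exhausted: equal
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
}

# cpanel_patch_status VERSION: print "patched", "vulnerable" or "unknown-tier".
# "unknown-tier" means the advisory lists no patched build for that tier, so the
# server must be moved to a supported tier rather than assumed safe.
cpanel_patch_status() {
    installed="$1"
    tier=$(printf '%s' "$installed" | cut -d. -f1-2)
    for p in $PATCHED_VERSIONS; do
        if [ "$(printf '%s' "$p" | cut -d. -f1-2)" = "$tier" ]; then
            if version_ge "$installed" "$p"; then
                echo patched
            else
                echo vulnerable
            fi
            return 0
        fi
    done
    echo unknown-tier
}

# On a live server the installed build is recorded in /usr/local/cpanel/version
# (assumed standard cPanel path, not from the advisory); check it when present.
if [ -r /usr/local/cpanel/version ]; then
    printf 'installed %s: %s\n' "$(cat /usr/local/cpanel/version)" \
        "$(cpanel_patch_status "$(cat /usr/local/cpanel/version)")"
fi
```

Run it after the update completes and cpsrvd has been restarted (the update script and restart helper live under /scripts on a standard cPanel install, which is layout knowledge rather than something the advisory states). A result of "unknown-tier" on a server with pinned or disabled updates is exactly the case the "check servers with pinned or disabled updates" step is about: the host is not on any tier the vendor has patched and needs manual remediation.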
Detection and Post-Patch Review
Patching is the most urgent step, but it should not be the only step. Because exploitation has been reported, organizations should also review their environments for signs of compromise.
Recommended checks include:
Review WHM and cPanel access logs for suspicious activity.
Inspect session-related files using the vendor-provided detection guidance.
Look for unexpected administrative access.
Audit newly created accounts or modified privileges.
Rotate credentials for root, WHM users and affected hosting accounts where compromise is suspected.
Review website files for web shells, unauthorized uploads or unexpected modifications.
Check outbound connections and scheduled tasks for persistence mechanisms.
cPanel’s advisory includes detection guidance for checking session files and indicators of compromise. Security teams should follow the latest vendor instructions when performing triage.
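The first two checks above, reviewing access logs and looking for unexpected administrative access, are easiest to do when administrative requests are reduced to a list of source addresses that are not on the operator's own allowlist. The script below is an added example and not part of the advisory or of cPanel's detection guidance: it runs over a constructed sample log in an assumed Apache-style layout (source IP, then authenticated user in the third field) and reports, per user and IP, how many administrative requests came from addresses outside a trusted set. The allowlist, user names, IPs and request paths are all constructed; adjust the field positions to the real access log on the server.

```shell
#!/bin/sh
# Added example: list administrative activity in a cPanel/WHM-style access log
# that originates from IPs outside a trusted allowlist. The log layout below is
# assumed (Apache-combined style with the authenticated user as field 3); it is
# not taken from the advisory.

TRUSTED_IPS="203.0.113.10 203.0.113.11"   # constructed allowlist of admin sources
ADMIN_USERS="root"                        # accounts whose activity is reviewed

# Constructed sample log lines (not real traffic).
SAMPLE_LOG='203.0.113.10 - root [01/05/2026:08:12:01 +0000] "GET /json-api/listaccts HTTP/1.1" 200 512
198.51.100.7 - root [01/05/2026:09:40:33 +0000] "POST /json-api/createacct HTTP/1.1" 200 88
203.0.113.11 - root [01/05/2026:10:02:10 +0000] "GET /scripts/command HTTP/1.1" 200 30
198.51.100.7 - root [01/05/2026:10:05:44 +0000] "GET /xml-api/listaccts HTTP/1.1" 200 900
192.0.2.55 - alice [01/05/2026:11:00:00 +0000] "GET /frontend/jupiter/index.html HTTP/1.1" 200 1200'

# untrusted_admin_sources LOGTEXT: print "IP user count" for every (IP, user)
# pair where the user is administrative and the IP is not in TRUSTED_IPS.
untrusted_admin_sources() {
    printf '%s\n' "$1" | awk -v trusted="$TRUSTED_IPS" -v admins="$ADMIN_USERS" '
        BEGIN {
            n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1
            m = split(admins,  a, " "); for (i = 1; i <= m; i++) adm[a[i]] = 1
        }
        # $1 = source IP, $3 = authenticated user (assumed field layout)
        ($3 in adm) && !($1 in ok) { seen[$1 " " $3]++ }
        END { for (k in seen) print k, seen[k] }
    ' | sort
}

# untrusted_admin_count LOGTEXT: number of distinct (IP, user) pairs flagged.
untrusted_admin_count() {
    untrusted_admin_sources "$1" | grep -c .
}

untrusted_admin_sources "$SAMPLE_LOG"
```

On the sample data the only flagged pair is 198.51.100.7 acting as root, twice; the non-administrative user and the allowlisted addresses are left out. Every flagged address is a lead for the rest of the list above (newly created accounts, modified privileges, web shells), not a verdict on its own, and the session-file checks still follow the vendor's own guidance.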
How Securelic Helps Reduce Exposure
Critical vulnerabilities like CVE-2026-41940 highlight a recurring security problem: many organizations do not have a continuously updated view of their external attack surface.
Securelic helps teams identify and monitor externally exposed assets before they become unmanaged risk. By combining attack surface discovery with automated security scanning, Securelic can help organizations:
Discover public-facing hosts and services
Identify exposed web management panels
Detect outdated or risky service configurations
Prioritize vulnerabilities based on external exposure
Generate actionable reports for remediation teams
Maintain continuous visibility instead of relying on one-time checks
For vulnerabilities affecting widely deployed internet-facing software, speed matters. Knowing which systems are exposed, which services are reachable and which assets require urgent review can significantly reduce response time.
Best Practices for cPanel & WHM Security
To reduce the risk of future control panel compromise:
Keep cPanel & WHM updated.
Avoid exposing management interfaces broadly to the internet.
Restrict WHM and cPanel access by trusted IP ranges where possible.
Enforce strong authentication and multi-factor authentication.
Monitor access logs and administrative actions.
Disable unused services and legacy accounts.
Maintain tested backups outside the affected server.
Regularly scan your external attack surface for exposed panels, outdated services and misconfigurations.
Management panels are high-value targets because they concentrate operational control. Treating them as critical infrastructure, not just convenience tools, is essential.
Summary
CVE-2026-41940 is a critical authentication bypass vulnerability affecting cPanel & WHM and WP Squared. Because the vulnerability can allow unauthenticated access to administrative control panels, organizations should treat it as an emergency patching priority.
The most important actions are clear: update affected systems, verify patched versions, review logs and session indicators, rotate credentials where needed and continuously monitor external exposure.
Security teams should not wait for a periodic audit to discover exposed management interfaces. Continuous external attack surface visibility is now a practical requirement for reducing real-world exploitation risk.
