Critical cPanel & WHM Vulnerability Exploited as Zero-Day for Months

The authentication bypass flaw allows attackers to gain administrative access to vulnerable servers.

Hackers have been exploiting a critical-severity authentication bypass vulnerability in the cPanel & WHM (WebHost Manager) server and site management platform for months.

Tracked as CVE-2026-41940 (CVSS score of 9.8), the flaw was disclosed on April 28, when cPanel urged immediate patching, warning that all software versions after 11.40 are affected, but refraining from sharing technical information.

Affecting the login flow, the security defect could allow remote, unauthenticated attackers to gain administrative access to the control panel, essentially leading to system takeover.

As the Canadian Centre for Cyber Security points out, successful exploitation of the issue could allow an attacker to modify server configurations and potentially compromise all websites on shared hosting servers.

“Successful exploitation of CVE-2026-41940 grants an attacker control over the cPanel host system, its configurations and databases, and websites it manages,” cybersecurity firm Rapid7 notes.

A Shodan search, the company warns, shows around 1.5 million internet-accessible cPanel instances that may be exposed to attacks.

Analyzing CVE-2026-41940, attack surface management firm WatchTowr discovered that upon a failed login attempt, the cPanel service daemon would write a pre-authentication session file to the disk, and that an attacker could manipulate a cookie so that attacker-controlled credentials are written to it in plaintext.

Essentially, the bug allows an attacker to inject specific characters via an authorization header to write specific parameters to the session file, and then trigger a reload of the file to authenticate using the injected credentials.

According to a Reddit post by hosting provider KnownHost, the vulnerability has been exploited in the wild since February 23, 2026.

Immediately after being notified of the issue, KnownHost, HostPapa, InMotion, Namecheap, and other hosting providers blocked access to cPanel & WHM ports to securely deploy patches.

The fixes were included in cPanel & WHM versions 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.136.0.5, and 11.134.0.20, and in WP Squared version 136.1.7.
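As an added example (not code from the article, cPanel, or WatchTowr), the helper below classifies a reported cPanel & WHM version string against the fixed builds listed above, by release branch, so an administrator can triage a fleet from version output alone. It assumes a dotted numeric version and treats the first two components as the release branch; both are my assumptions, not something the advisory states.

```python
"""Triage a cPanel & WHM version against the CVE-2026-41940 fixed builds."""
import re

# Fixed builds as listed in the cPanel advisory (WP Squared is tracked separately).
FIXED_BUILDS = [
    "11.86.0.41", "11.110.0.97", "11.118.0.63", "11.126.0.54",
    "11.130.0.19", "11.132.0.29", "11.134.0.20", "11.136.0.5",
]

# Assumption: the advisory's "after 11.40" means branches from 11.40 upward.
EARLIEST_AFFECTED_BRANCH = (11, 40)


def parse_version(text: str) -> tuple:
    """Turn '11.110.0.97' into (11, 110, 0, 97); reject anything else."""
    match = re.fullmatch(r"\s*(\d+(?:\.\d+)+)\s*", text)
    if not match:
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


# Assumption: a release branch is identified by the first two components.
FIXED_BY_BRANCH = {parse_version(v)[:2]: parse_version(v) for v in FIXED_BUILDS}


def patch_status(version_text: str) -> str:
    """Classify one version string relative to the published fixes.

    Returns one of:
      'patched'            - on a fixed branch, at or above the fixed build
      'vulnerable'         - on a fixed branch, below the fixed build
      'affected-no-fix'    - affected branch (>= 11.40) with no listed fix,
                             i.e. an unsupported release that still needs upgrading
      'below-11.40'        - older than the range the advisory calls affected
    """
    version = parse_version(version_text)
    branch = version[:2]
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        if branch < EARLIEST_AFFECTED_BRANCH:
            return "below-11.40"
        return "affected-no-fix"
    # Tuple comparison is conservative: a 3-part version such as 11.110.0
    # sorts below 11.110.0.97 and is therefore reported as vulnerable.
    return "patched" if version >= fixed else "vulnerable"
```

Feed it the version each host reports (for example from your inventory or configuration management) and upgrade anything that is not reported as patched.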

“If your server is not running a supported version of cPanel that is eligible for this update, it is highly recommended that you work toward updating your server as soon as possible, as it may also be affected,” cPanel notes in its advisory.

cPanel has published a detection script, and WatchTowr released a Detection Artifact Generator to help administrators identify signs of compromise.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.