Emergency Patch! CVE-2026-41940 in cPanel & WHM Enables Full Server Takeover

Published on April 29th, 2026, CVE-2026-41940 (CVSS 9.8, EPSS ≥ 95th percentile) allows unauthenticated remote attackers to gain administrative access to cPanel & WHM and WP Squared through a missing-authentication flaw [CWE-306]. Successful exploitation can grant control over hosted websites, databases, email accounts, the server operating system and its configuration, and, in shared-hosting environments, every other site on the same server.

CVE-2026-41940 has been added to CISA’s KEV list and is widely reported as actively exploited in the wild. Reports suggest the flaw was exploited as a zero-day as early as February 23, 2026. watchTowr Labs has published a full technical analysis and proof-of-concept (PoC) exploit code, and multiple national CERT agencies have issued alerts [1][2][3][4][5][6][7][8].


The potential global impact of CVE-2026-41940 is significant: the vendor claims 1.5 million internet-exposed cPanel instances serving roughly 70 million domains. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote vulnerability check that directly verifies the exploitability of CVE-2026-41940 on cPanel & WHM instances.

Technical Details of CVE-2026-41940

CVE-2026-41940 is an authentication bypass [CWE-306] enabled by CRLF injection during cPanel’s session loading and saving process. Session state can be corrupted because several flaws in cPanel & WHM’s session handling logic combine. To be clear, CVE-2026-41940 is not a single missing authentication check; it results from multiple structural software flaws that can be chained into a relatively low-complexity attack. Because the forged session carries its own tfa_verified flag, multi-factor authentication (MFA) offers no protection against it.

Below is a description of the fundamental flaws that make up CVE-2026-41940:

  1. Sanitization of session data was left to callers rather than enforced centrally. The filter_sessiondata routine, intended to remove dangerous control characters, was not called inside the saveSession function itself; it only ran where a caller remembered to invoke it. As a result, the password value decoded from an Authorization: Basic header could be written to the raw session file without any sanitization.
  2. The second flaw is the conditional encoding of the pass (password) field. cPanel session cookies contain a session identifier followed by a comma and an <ob> secret segment. If an attacker supplies a valid session identifier and the <ob> segment without the comma, the server still resolves the correct session file but skips the encryption step for the pass field. The malicious password value therefore remains in plaintext, may contain embedded carriage return and line feed (CRLF) characters, and is written verbatim to the session file.
  3. The third flaw is a mismatch between the raw session file format and the JSON session cache. cPanel maintains both a line-oriented key=value session file and a JSON-serialized copy of the same data. Normal session handling loads the JSON cache, where the injected CRLF payload is merely part of the pass string and has no effect. Another reachable path, Cpanel::Session::Modify, loads the raw key=value file instead, parses the attacker-injected lines as separate keys, and copies them into the JSON cache, promoting them to top-level session attributes.
  4. With top-level session attributes under attacker control, authentication can be bypassed outright. By injecting values such as hasroot=1, tfa_verified=1, user=root and successful_internal_auth_with_timestamp, an attacker forges a root-level authenticated session. In the WHM authentication path, the presence of an internal or external authentication timestamp short-circuits verification against /etc/shadow and returns AUTH_OK.
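The four flaws above, modelled end to end as an added example (this is illustrative Python, not cPanel’s Perl code): the function names saveSession and filter_sessiondata follow the description above, while the cookie format, the stand-in encryption of the pass field, the file layout and every sample value are constructed for the demo. The vulnerable writer leaves sanitization to callers; the hardened writer enforces it inside the save routine, which is enough to stop the line-oriented loader from promoting injected keys.

```python
"""Model of the CVE-2026-41940 session corruption chain (added example, not cPanel code).
Names follow the article; encoding scheme, cookie layout and sample values are assumed."""
import base64
import json
import re

# Control characters that must never reach a line-oriented key=value file.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Attributes the modelled WHM auth path trusts (the article's list).
ROOT_MARKERS = {"hasroot": "1", "tfa_verified": "1", "user": "root"}


def filter_sessiondata(value: str) -> str:
    """Strip CR/LF and other control characters from one session value."""
    return CONTROL_CHARS.sub("", value)


def parse_basic_auth(header: str) -> tuple:
    """Decode 'Basic <base64(user:password)>'. Nothing here rejects CR/LF in the password."""
    if not header.startswith("Basic "):
        raise ValueError("not HTTP Basic")
    user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    return user, password


def resolve_cookie(cookie: str) -> tuple:
    """Cookie is '<session_id>,<ob>'. Without the comma the session id still resolves,
    but no <ob> secret is available (flaw 2)."""
    session_id, sep, ob = cookie.partition(",")
    return session_id, (ob if sep else None)


def encode_pass(password: str, ob: str) -> str:
    """Stand-in for cPanel's encryption of pass when <ob> is present (assumed scheme:
    base64 over ob:password). What matters is that the output is a single line."""
    return base64.b64encode(f"{ob}:{password}".encode()).decode()


def save_session_vulnerable(session: dict) -> str:
    """Raw key=value writer that relies on callers to sanitize (flaw 1)."""
    return "".join(f"{k}={v}\n" for k, v in session.items())


def save_session_fixed(session: dict) -> str:
    """Hardened writer: sanitization enforced inside the save routine itself."""
    return "".join(f"{k}={filter_sessiondata(str(v))}\n" for k, v in session.items())


def load_raw_session(text: str) -> dict:
    """Line-oriented loader, like the Cpanel::Session::Modify path: every line is a
    key=value pair, so lines smuggled through the pass value become top-level keys."""
    session = {}
    for line in text.splitlines():  # splitlines() also breaks on CR and CRLF
        key, sep, value = line.partition("=")
        if sep:
            session[key.strip()] = value
    return session


def build_session(cookie: str, auth_header: str, save) -> tuple:
    """Run one login through the chain. Returns (raw file text, JSON cache text,
    session as seen after the Modify path re-reads the raw file)."""
    session_id, ob = resolve_cookie(cookie)
    user, password = parse_basic_auth(auth_header)
    stored = password if ob is None else encode_pass(password, ob)
    session = {"session_id": session_id, "user": user, "pass": stored}
    raw = save(session)
    json_cache = json.dumps(session)  # normal path: payload stays inside the pass string
    promoted = load_raw_session(raw)  # Modify path: raw lines copied to the cache (flaw 3)
    return raw, json_cache, promoted


def is_root_authenticated(session: dict) -> bool:
    """Modelled WHM check (flaw 4): markers plus an auth timestamp, no /etc/shadow lookup."""
    return (all(session.get(k) == v for k, v in ROOT_MARKERS.items())
            and "successful_internal_auth_with_timestamp" in session)


# Constructed attacker input: the password carries CRLF-separated fake attributes.
INJECTED_PASSWORD = ("x\r\nhasroot=1\r\ntfa_verified=1\r\nuser=root\r\n"
                     "successful_internal_auth_with_timestamp=1700000000\r\n")
ATTACKER_AUTH = "Basic " + base64.b64encode(f"demo:{INJECTED_PASSWORD}".encode()).decode()

if __name__ == "__main__":
    for name, save in (("vulnerable", save_session_vulnerable), ("fixed", save_session_fixed)):
        for cookie in ("sess123,obsecret", "sess123"):
            _, cache, session = build_session(cookie, ATTACKER_AUTH, save)
            print(f"{name:10} cookie={cookie!r:20} root={is_root_authenticated(session)} "
                  f"cache_has_hasroot_key={'hasroot' in json.loads(cache)}")
```

Only the combination of the vulnerable writer and the comma-less cookie yields a root session; with the <ob> segment present the pass field is encoded to a single line, and with the fixed writer the CRLF characters are gone before the line-oriented loader ever sees them.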

Once authenticated as root, no further exploit is needed: the cPanel & WHM administrative web interface provides command execution directly through its built-in terminal interfaces. WHM’s Terminal gives authorized users an in-browser command line, and cPanel’s SSH Access interface manages the server’s SSH service and authorized_keys, so a privileged attacker can add a key and hijack SSH for persistent remote access [T1563.001].

Global Risk Assessment of CVE-2026-41940

CVE-2026-41940 presents a severe global risk because it affects widely used internet-facing hosting infrastructure and grants unauthenticated, remote, root-level access. The vendor claims 1.5 million internet-exposed cPanel instances serving roughly 70 million domains. CVE-2026-41940 is on CISA’s KEV list, and reports suggest it was exploited as a zero-day as early as February 23, 2026. watchTowr Labs has published a full technical description and detailed exploitation instructions, further raising the probability of widespread compromise.

CVE-2026-41940 enables a wide array of secondary attacks including:

The impact is highest for hosting providers, managed service providers, web agencies, resellers, and organizations operating shared or multi-tenant hosting environments. A single compromised WHM administrative session can expose every customer account on the server, including their data and email. Organizations should treat any exposed, unpatched instance as potentially compromised.

Remediation Guidance for CVE-2026-41940

Organizations should treat CVE-2026-41940 as an emergency patching priority and urgently update every affected cPanel & WHM and WP Squared instance to a fixed release. All cPanel & WHM versions since 11.40 are affected. The fix takes effect only after the cPanel cpsrvd service is restarted. If immediate patching is not possible, restrict access to the cPanel and WHM interfaces using firewall rules or IP allowlists, especially on ports 2083, 2087, 2095 and 2096 (and on the non-TLS ports 2082 and 2086 if those are still enabled). cPanel lists the fixed cPanel & WHM versions as:

  • 86.0.41
  • 110.0.97
  • 118.0.63
  • 124.0.35
  • 126.0.54
  • 130.0.19
  • 132.0.29
  • 134.0.20
  • 136.0.5
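A fleet-wide check against the list above, as an added example rather than cPanel tooling. It assumes that the release branch is the first component of the displayed version, that /usr/local/cpanel/version holds the same number with a leading "11." (for example 11.110.0.97), and that a branch with no fixed release listed (an end-of-life branch such as 128) must be treated as unpatched. WP Squared is handled as a separate product because its 136 branch has a different fixed version.

```python
"""Is this cPanel & WHM / WP Squared version at or above the fixed release? (added example)
Assumed: branch = first version component; version file may carry a leading '11.'."""
import sys

FIXED_VERSIONS = {
    "cpanel": {86: (86, 0, 41), 110: (110, 0, 97), 118: (118, 0, 63), 124: (124, 0, 35),
               126: (126, 0, 54), 130: (130, 0, 19), 132: (132, 0, 29), 134: (134, 0, 20),
               136: (136, 0, 5)},
    "wp2": {136: (136, 1, 7)},  # WP Squared
}
FIRST_AFFECTED_BRANCH = 40  # the advisory: all versions after 11.40 are affected
VERSION_FILE = "/usr/local/cpanel/version"  # assumed location


def parse_version(text: str) -> tuple:
    """'110.0.97' or '11.110.0.97' -> (110, 0, 97)."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) == 4 and parts[0] == 11:  # internal form keeps the historical 11. prefix
        parts = parts[1:]
    if len(parts) != 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts)


def fmt(version: tuple) -> str:
    return ".".join(str(p) for p in version)


def is_fixed(text: str, product: str = "cpanel") -> tuple:
    """Return (safe, reason). Unlisted branches are reported as NOT fixed on purpose."""
    version = parse_version(text)
    branch = version[0]
    if product == "cpanel" and branch < FIRST_AFFECTED_BRANCH:
        return False, f"branch {branch} predates the affected range but is long out of support; upgrade anyway"
    fixed = FIXED_VERSIONS[product].get(branch)
    if fixed is None:
        return False, f"branch {branch} has no fixed release listed for {product}; treat as unpatched"
    if version >= fixed:
        return True, f"{fmt(version)} >= fixed {fmt(fixed)}"
    return False, f"{fmt(version)} < fixed {fmt(fixed)}"


if __name__ == "__main__":
    # Usage: check_cpanel.py [--wp2] [VERSION]; without VERSION the version file is read.
    args = [a for a in sys.argv[1:] if a != "--wp2"]
    product = "wp2" if "--wp2" in sys.argv else "cpanel"
    version_text = args[0] if args else open(VERSION_FILE).read()
    safe, reason = is_fixed(version_text, product)
    print(("FIXED: " if safe else "NOT FIXED: ") + reason)
    sys.exit(0 if safe else 1)
```

The exit status makes the script usable from configuration management or a cron job; a non-zero result on any host is the signal to patch and restart cpsrvd.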

WP Squared has been fixed in version 136.1.7. Because CVE-2026-41940 is actively exploited, organizations should assume internet-facing instances may have been targeted before patching and conduct a full forensic analysis to determine system integrity. This includes reviewing authentication logs, session activity, and administrative changes such as added SSH keys for signs of unauthorized access. Defenders should also keep in mind that an attacker with root-level access can alter the server OS and its logs, so the absence of log evidence does not prove integrity; where possible, corroborate findings with off-host logs or rebuild from a known-good state.
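One concrete input to that session-activity review, as an added example and not cPanel’s own tooling: a scanner for the on-disk session artifacts that the corruption chain leaves behind. It assumes the raw key=value session files live under /var/cpanel/sessions/raw/ and the JSON caches under /var/cpanel/sessions/cache/; the sample file contents are constructed. A raw line containing a bare carriage return, a key written twice, or a pass value that textually embeds hasroot= or tfa_verified= are all things a legitimate login does not produce.

```python
"""Triage cPanel session artifacts for the CVE-2026-41940 corruption pattern (added example).
Assumed layout: /var/cpanel/sessions/raw/ (key=value) and /var/cpanel/sessions/cache/ (JSON)."""
import json
import os
import re
import sys

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Attribute names the bypass relies on; their appearance inside a *value* is the tell-tale.
PRIVILEGE_KEYS = ("hasroot", "tfa_verified",
                  "successful_internal_auth_with_timestamp",
                  "successful_external_auth_with_timestamp")


def scan_raw(name: str, text: str) -> list:
    """Raw key=value file. Flags (a) control characters inside a line, i.e. a CRLF
    payload written unfiltered, and (b) keys written more than once, e.g. an injected
    'user=root' following the genuine 'user=' line."""
    findings, first_seen = [], {}
    for lineno, line in enumerate(text.split("\n"), start=1):
        key, sep, _ = line.partition("=")
        if not sep:
            continue
        if CONTROL_CHARS.search(line):
            findings.append(f"{name}:{lineno}: control characters in '{key}' line")
        if key in first_seen:
            findings.append(f"{name}:{lineno}: key '{key}' repeated (first at line {first_seen[key]})")
        else:
            first_seen[key] = lineno
    return findings


def scan_cache(name: str, text: str) -> list:
    """JSON cache. Flags string values carrying control characters and a pass value that
    textually embeds a privilege attribute (the payload parked in 'pass' before any
    Modify-path promotion rewrote the cache)."""
    try:
        session = json.loads(text)
    except ValueError:
        return [f"{name}: unparsable JSON cache"]
    findings = []
    for key, value in session.items():
        if isinstance(value, str) and CONTROL_CHARS.search(value):
            findings.append(f"{name}: control characters inside value of '{key}'")
    password = str(session.get("pass", ""))
    for attr in PRIVILEGE_KEYS:
        if f"{attr}=" in password:
            findings.append(f"{name}: pass value embeds session attribute '{attr}='")
    return findings


def scan_files(files: dict) -> list:
    """files maps a label to (kind, text) with kind 'raw' or 'cache'."""
    findings = []
    for name, (kind, text) in files.items():
        findings += scan_raw(name, text) if kind == "raw" else scan_cache(name, text)
    return findings


def load_dir(path: str, kind: str) -> dict:
    """Read every regular file in one session directory into the scan_files format."""
    out = {}
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        if os.path.isfile(full):
            with open(full, encoding="utf-8", errors="replace") as fh:
                out[full] = (kind, fh.read())
    return out


# Constructed sample artifacts: one clean and one corrupted session of each kind.
SAMPLE_FILES = {
    "raw/clean": ("raw", "session_id=abc\nuser=alice\npass=Zm9vYmFy\n"),
    "raw/injected": ("raw", "session_id=def\nuser=demo\npass=x\r\nhasroot=1\r\ntfa_verified=1\r\n"
                            "user=root\r\nsuccessful_internal_auth_with_timestamp=1700000000\r\n\n"),
    "cache/clean": ("cache", json.dumps({"session_id": "abc", "user": "alice", "pass": "Zm9vYmFy"})),
    "cache/injected": ("cache", json.dumps({"session_id": "def", "user": "demo",
                                            "pass": "x\r\nhasroot=1\r\nuser=root\r\n"})),
}

if __name__ == "__main__":
    # Usage: scan_sessions.py [RAW_DIR CACHE_DIR]; with no arguments the samples are scanned.
    if len(sys.argv) == 3:
        files = {**load_dir(sys.argv[1], "raw"), **load_dir(sys.argv[2], "cache")}
    else:
        files = SAMPLE_FILES
    for finding in scan_files(files):
        print(finding)
```

Treat hits as indicators, not proof: a payload that uses bare LF and does not repeat a key leaves a raw file that looks like an ordinary root session, and an attacker who already holds root can delete or rewrite the session files along with everything else on the host.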

Summary

CVE-2026-41940 is a critical authentication bypass in cPanel & WHM and WP Squared that enables unauthenticated administrative access and full server takeover. Active exploitation, public exploit details and widespread exposure make this an emergency for hosting providers globally. Organizations should patch immediately, restart cpsrvd, and investigate exposed systems for compromise. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote vulnerability check that directly verifies the exploitability of CVE-2026-41940 on cPanel & WHM instances.