A critical security vulnerability has been identified in cPanel and WHM that allows unauthenticated attackers to gain full administrative access to affected servers. If you are running cPanel on a managed or self-managed server, immediate action is required.
What Has Been Discovered
A severe authentication bypass vulnerability, now tracked as CVE-2026-41940 with a CVSS score of 9.8 out of 10, has been disclosed in all currently supported versions of cPanel and WebHost Manager (WHM). The flaw exists in the login and session handling processes of cpsrvd, the core cPanel service daemon.
The root cause is a CRLF (Carriage Return Line Feed) injection in the authentication flow. By sending a specially crafted request with a malicious Authorization header, an attacker can inject arbitrary session properties, including user=root, into the session file that cpsrvd writes to disk before any authentication takes place. When that session is loaded again, the attacker holds a root-level administrative session without ever having supplied valid credentials.
In plain terms: an unauthenticated remote attacker can take full control of your server.
Scope and Active Exploitation
This vulnerability affects every cPanel and WHM release after 11.40. Security researchers have identified over 2 million cPanel instances exposed to the internet, and reports confirm that it was actively exploited as a zero-day for at least 30 days before public disclosure.
Indicators of active compromise include:
- Sessions containing both token_denied and cp_security_token with method=badpass
- Pre-authenticated sessions carrying authenticated attributes
- Sessions with tfa_verified but no valid origin
- Password fields containing newline characters
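The indicators above can be checked mechanically against the session files on disk. The script below is an added example written for this post, not a cPanel-supplied tool. It assumes (this is an assumption, not documented here) that cpsrvd stores one session per file as plain key=value lines under /var/cpanel/sessions/raw/; set SESSION_DIR if your install differs. The "pre-authenticated session carrying authenticated attributes" indicator depends on cpsrvd-internal attribute names the advisory does not list, so it is not implemented; the duplicate-key check is an added heuristic based on how the injection lands. When the session directory is absent, the script runs against constructed sample sessions so it can be tried offline.

```shell
#!/bin/sh
# Added example, not cPanel's own tooling. Assumption: cpsrvd writes one
# session per file as plain key=value lines under /var/cpanel/sessions/raw/
# (override with SESSION_DIR).
SESSION_DIR="${SESSION_DIR:-/var/cpanel/sessions/raw}"

# scan_session FILE: print one line per matched indicator.
# Returns 0 if at least one indicator matched, 1 if the session looks clean.
scan_session() {
    f=$1
    hits=0

    # Indicator: token_denied and cp_security_token in one session, with method=badpass
    if grep -q '^token_denied=' "$f" && grep -q '^cp_security_token=' "$f" \
       && grep -q '^method=badpass' "$f"; then
        echo "$f: token_denied + cp_security_token with method=badpass"
        hits=$((hits + 1))
    fi

    # Indicator: tfa_verified set but no non-empty origin
    if grep -q '^tfa_verified=' "$f" && ! grep -q '^origin=.' "$f"; then
        echo "$f: tfa_verified without a valid origin"
        hits=$((hits + 1))
    fi

    # Indicator: newline inside a password field. An escaped newline shows up
    # as a literal "\n" in a pass*= value; a raw one pushes the remainder of the
    # value onto a line that is not key=value at all.
    if grep -q '^pass[a-z_]*=.*\\n' "$f" \
       || grep -q -v -e '^[A-Za-z0-9_.-]*=' -e '^$' "$f"; then
        echo "$f: newline inside a field value (possible CRLF injection)"
        hits=$((hits + 1))
    fi

    # Heuristic (assumption, not one of the listed indicators): an injected
    # "user=root" line lands next to the legitimate one, so a key repeats.
    if cut -d= -f1 "$f" | grep -v '^$' | sort | uniq -d | grep -q .; then
        echo "$f: duplicate session keys"
        hits=$((hits + 1))
    fi

    [ "$hits" -gt 0 ]
}

# count_suspicious DIR: scan every file in DIR, send findings to stderr and
# echo the number of suspicious sessions.
count_suspicious() {
    n=0
    for s in "$1"/*; do
        [ -f "$s" ] || continue
        if scan_session "$s" >&2; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed sample sessions (not real cpsrvd output): one clean session and
# five that each trip one check.
demo() {
    d=$(mktemp -d)
    printf 'user=bob\ncp_security_token=/cpsess1\norigin=192.0.2.10\ntfa_verified=1\n' > "$d/clean"
    printf 'user=root\ntoken_denied=1\ncp_security_token=/cpsess0\nmethod=badpass\n' > "$d/badpass"
    printf 'user=root\ntfa_verified=1\n' > "$d/no_origin"
    printf 'user=alice\npass=secret\\nuser=root\n' > "$d/escaped_newline"
    printf 'pass=secret\nrootme\n' > "$d/raw_newline"
    printf 'user=alice\nuser=root\n' > "$d/dup_key"
    echo "suspicious sessions: $(count_suspicious "$d") of 6"
    rm -rf "$d"
}

if [ -d "$SESSION_DIR" ]; then
    echo "suspicious sessions in $SESSION_DIR: $(count_suspicious "$SESSION_DIR")"
else
    demo
fi
```

Treat a hit as a reason to preserve the session file and the surrounding logs before patching, not as proof of compromise on its own; a legitimate WHM session also carries user=root.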
Our team has also observed the following commands on compromised servers; review the command history on your server's CLI for them:
Immediate Mitigation – What You Need To Do
Step 1: Update cPanel/WHM
Run the forced update script via SSH as root:
root@localhost:~# /scripts/upcp --force
Patched versions (Table 1.0):
| Branch | Patched Version |
|---|---|
| 11.86 | 11.86.0.41 |
| 11.110 | 11.110.0.97 |
| 11.118 | 11.118.0.63 |
| 11.126 | 11.126.0.54 |
| 11.130 | 11.130.0.19 |
| 11.132 | 11.132.0.29 |
| 11.134 | 11.134.0.20 |
| 11.136 | 11.136.0.5 |
Step 2: Verify Build Version
Confirm that the server now reports one of the patched versions listed in Table 1.0.
Important: If you cannot patch immediately, block inbound traffic to ports 2083, 2087, 2095 and 2096 at your firewall (and to 2082 and 2086 if the plaintext cPanel/WHM listeners are still enabled, since cpsrvd serves those too), or stop the cpsrvd and cpdavd services until you can apply the patch.
Whichever firewall you use, a tighter option is to allow those ports only from a short list of your own trusted IP addresses and drop everything else.
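The steps above as one added example, not cPanel's own script: it compares the build recorded in /usr/local/cpanel/version (assumed location; set VERSION_FILE to override) against Table 1.0 and, for an unpatched or unknown build, prints the iptables rules that allow the cPanel, WHM and webmail ports only from listed addresses and drop everything else, covering the plaintext listeners 2082 and 2086 as well. iptables as the firewall is an assumption; the rules are printed, not applied. When no version file is present, it dry-runs against constructed build numbers.

```shell
#!/bin/sh
# Added example, not cPanel's own tooling. Assumptions: the running build is
# recorded in /usr/local/cpanel/version as a dotted string such as
# 11.126.0.54, and iptables is the firewall in use.
VERSION_FILE="${VERSION_FILE:-/usr/local/cpanel/version}"

# Branch -> first patched build, copied from Table 1.0 above.
PATCHED='11.86 11.86.0.41
11.110 11.110.0.97
11.118 11.118.0.63
11.126 11.126.0.54
11.130 11.130.0.19
11.132 11.132.0.29
11.134 11.134.0.20
11.136 11.136.0.5'

# version_ge A B: succeed if dotted version A >= B, comparing each numeric
# component in turn (missing components count as 0).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        if [ "$ah" = "$a" ]; then a=; else a=${a#*.}; fi
        if [ "$bh" = "$b" ]; then b=; else b=${b#*.}; fi
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -gt "$bh" ]; then return 0; fi
        if [ "$ah" -lt "$bh" ]; then return 1; fi
    done
    return 0
}

# patched_build BRANCH: echo the first patched build for BRANCH (empty if the
# branch is not in Table 1.0).
patched_build() {
    printf '%s\n' "$PATCHED" | awk -v b="$1" '$1 == b { print $2 }'
}

# is_patched VERSION: 0 = patched, 1 = vulnerable, 2 = branch not in Table 1.0
# (end-of-life or newer than the table; confirm with cPanel before trusting it).
is_patched() {
    v=$1
    branch=${v%.*.*}
    min=$(patched_build "$branch")
    [ -n "$min" ] || return 2
    version_ge "$v" "$min"
}

# emergency_rules [IP...]: print iptables commands that allow the cPanel, WHM
# and webmail ports only from the given addresses and drop the rest. With no
# addresses the result is a full block. Rules are inserted at the top of INPUT
# (DROP first, then each ACCEPT above it) so an earlier broad ACCEPT cannot
# bypass them. 2082/2086 are the plaintext cPanel/WHM listeners.
emergency_rules() {
    ports=2082,2083,2086,2087,2095,2096
    echo "iptables -I INPUT -p tcp -m multiport --dports $ports -j DROP"
    for ip in "$@"; do
        echo "iptables -I INPUT -p tcp -m multiport --dports $ports -s $ip -j ACCEPT"
    done
}

# check_server: read the live build and report. Exit status as is_patched.
check_server() {
    if [ ! -r "$VERSION_FILE" ]; then
        echo "no $VERSION_FILE; is this a cPanel host?"
        return 2
    fi
    v=$(cat "$VERSION_FILE")
    is_patched "$v" && rc=0 || rc=$?
    case $rc in
        0) echo "cPanel $v: patched" ;;
        1) echo "cPanel $v: VULNERABLE, needs $(patched_build "${v%.*.*}"); run /scripts/upcp --force" ;;
        *) echo "cPanel $v: branch not in Table 1.0, confirm status with cPanel" ;;
    esac
    return $rc
}

if [ -r "$VERSION_FILE" ]; then
    check_server || echo "until patched, apply something like:" && emergency_rules 203.0.113.5
else
    echo "no $VERSION_FILE on this host; dry run against constructed builds:"
    for v in 11.126.0.53 11.126.0.54 11.100.0.1; do   # constructed, not live data
        if is_patched "$v"; then echo "$v: patched"; else echo "$v: not patched (status $?)"; fi
    done
    emergency_rules 203.0.113.5   # 203.0.113.5 is a documentation address, stands in for your admin IP
fi
```

Run it again after /scripts/upcp --force; the exit status (0 patched, 1 vulnerable, 2 unknown branch) makes it usable from a fleet-wide check.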
Need Further Help?
If you’re unsure whether your server is affected, need assistance applying the patch, or want to discuss upgrading to a managed hosting plan where we handle security updates on your behalf, contact us immediately. Our engineers are on standby to assist.