https://www.rapid7.com/blog/post/etr-cve-2026-41940-cpanel-whm-authentication-bypass

On April 28, 2026, cPanel issued an emergency security update addressing CVE-2026-41940, a critical authentication bypass vulnerability affecting cPanel & WHM and WP Squared products. Carrying a near-maximum CVSS score of 9.8, the flaw allows unauthenticated remote attackers to completely bypass authentication and gain unauthorised administrative access to affected systems. With approximately 1.5 million cPanel instances currently exposed to the internet, the scope of potential impact is massive, and active exploitation has already been confirmed in the wild, with suspected zero-day exploitation dating back to as early as February 23, 2026, well before public disclosure.

The vulnerability stems from a Carriage Return Line Feed (CRLF) injection flaw within cPanel's login and session loading processes. Attackers can manipulate the whostmgrsession cookie and inject raw \r\n characters through a malicious authorisation header, causing the cPanel service daemon to write unsanitised session data to disk. Because the session file is line-oriented, the injected line break lets an attacker insert arbitrary properties, such as user=root, into their own session file, effectively granting themselves full administrator-level access without ever providing valid credentials. Security firm watchTowr has already published a technical analysis and proof-of-concept exploit, making widespread exploitation imminent.
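The class of bug described above comes down to a line-oriented session store whose writer trusted header-derived data. As an added illustration (not cPanel's code, and assuming a generic key=value session file rather than cPanel's actual on-disk layout), this is the fail-closed writer, strict parser and header pre-check a defender would want in such a component:

```python
import re

# Constructed demo of a line-oriented "key=value" session store. The format
# is an assumption for illustration, not cPanel's real session file layout.
_BAD_CHARS = re.compile(r"[\r\n\x00]")
_KEY_RE = re.compile(r"^[A-Za-z0-9_]+$")
_ENCODED_CRLF = re.compile(r"%0[aAdD]|[\r\n]")


def serialize_session(props: dict) -> str:
    """Serialize a session, refusing any key or value that could break out
    of its line and smuggle in an extra property such as user=root."""
    lines = []
    for key, value in props.items():
        if not _KEY_RE.fullmatch(key):
            raise ValueError(f"illegal session key: {key!r}")
        if _BAD_CHARS.search(str(value)):
            raise ValueError(f"CR/LF/NUL in value for key {key!r}")
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n"


def parse_session(text: str) -> dict:
    """Parse a session file strictly: reject malformed lines and duplicate
    keys instead of letting a later, attacker-appended line silently win."""
    props = {}
    for raw in text.splitlines():
        if not raw:
            continue
        key, sep, value = raw.partition("=")
        if not sep or not _KEY_RE.fullmatch(key):
            raise ValueError(f"malformed session line: {raw!r}")
        if key in props:
            raise ValueError(f"duplicate session key: {key!r}")
        props[key] = value
    return props


def header_value_is_suspicious(value: str) -> bool:
    """Edge check for a WAF or log rule: flag raw or percent-encoded CR/LF in
    a Cookie or Authorization header value before it reaches the daemon."""
    return bool(_ENCODED_CRLF.search(value))
```

The writer and parser are the primary fix; the header check is only a detection aid for the window before patching.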

Organisations running on-premise instances of cPanel & WHM or WP Squared are urged to patch on an emergency basis, upgrading to the fixed versions outlined in the vendor advisory. While some hosting providers have implemented temporary TCP port blocks on ports 2083 and 2087 as a workaround, I strongly advise patching as the primary course of action.