Secure ISS
cPanel & WHM Authentication Bypass Vulnerability

Overview

  • CVE: CVE-2026-41940

  • Severity: Critical

  • CVSS: 9.3

  • Date: 30 April 2026

  • Vendor: cPanel, L.L.C.

  • Product: cPanel & WHM

cPanel has published a security update for a critical authentication bypass issue in the login flow of cPanel & WHM. The vulnerability affects multiple supported release tiers and can allow unauthenticated remote attackers to gain unauthorised access to the control panel.


Affected Versions

  • cPanel & WHM 11.110.0 before 11.110.0.97

  • cPanel & WHM 11.118.0 before 11.118.0.63

  • cPanel & WHM 11.126.0 before 11.126.0.54

  • cPanel & WHM 11.132.0 before 11.132.0.29

  • cPanel & WHM 11.134.0 before 11.134.0.20

  • cPanel & WHM 11.136.0 before 11.136.0.5

  • DNSOnly installations on affected cPanel builds are also covered by the fix


Vulnerability Breakdown

CVE-2026-41940 - Authentication Bypass in Login Flow

  • Severity: Critical

  • CVSS: 9.3

  • Description: A flaw in the cPanel & WHM login flow can allow unauthenticated remote attackers to bypass authentication and gain access to the control panel.

  • Impact: Unauthorised control panel access could expose administrative functions and increase the risk of broader system compromise.

  • Conditions: The affected service must be exposed and running a vulnerable version.

  • Notes: cPanel states DNSOnly is also covered by the same fix. The vendor advisory also notes a related WP Squared security update.


Mitigation

  • Update affected servers immediately to a patched build.

  • Run the cPanel update script: /scripts/upcp --force

  • Verify the installed build after updating: /usr/local/cpanel/cpanel -V

  • Restart the cPanel service after patching: /scripts/restartsrv_cpsrvd

  • Manually review any servers with disabled updates or pinned versions, as these may not auto-update.

  • If an immediate update is not possible, apply temporary mitigations by stopping cpsrvd and cpdavd, or block inbound traffic on ports 2083, 2087, 2095, and 2096 until patching can be completed.
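As an added check that is not part of the advisory, the following POSIX shell script compares an installed cPanel & WHM build against the fixed builds listed above and reports whether the server still needs the update. Reading the build via `/usr/local/cpanel/cpanel -V` and the assumption that its output contains the build in `11.X.Y.Z` form are mine, not the vendor's.

```shell
#!/bin/sh
# Added example: map an installed cPanel & WHM build to the fixed build for its
# release tier (values from the CVE-2026-41940 advisory) and flag unpatched hosts.

# Fixed build per release tier, as listed in the advisory.
fixed_build_for_tier() {
    case "$1" in
        11.110.0) echo 11.110.0.97 ;;
        11.118.0) echo 11.118.0.63 ;;
        11.126.0) echo 11.126.0.54 ;;
        11.132.0) echo 11.132.0.29 ;;
        11.134.0) echo 11.134.0.20 ;;
        11.136.0) echo 11.136.0.5 ;;
        *) return 1 ;;          # tier not covered by this advisory
    esac
}

# Exit status: 0 = build is below the fixed build for its tier (vulnerable),
# 1 = build is at or above the fixed build, 2 = tier not listed in the advisory.
cpanel_build_vulnerable() {
    ver="$1"
    tier=$(printf '%s' "$ver" | cut -d. -f1-3)
    build=$(printf '%s' "$ver" | cut -d. -f4)
    fixed=$(fixed_build_for_tier "$tier") || return 2
    fixed_build=$(printf '%s' "$fixed" | cut -d. -f4)
    [ "${build:-0}" -lt "$fixed_build" ]
}

# Assumption: `cpanel -V` prints the build as 11.X.Y.Z somewhere in its output.
installed_cpanel_build() {
    /usr/local/cpanel/cpanel -V 2>/dev/null | grep -o '11\.[0-9]*\.[0-9]*\.[0-9]*' | head -n 1
}

# Human-readable verdict for one build string.
report_build() {
    rc=0
    cpanel_build_vulnerable "$1" || rc=$?
    case $rc in
        0) echo "$1: VULNERABLE, update to $(fixed_build_for_tier "$(printf '%s' "$1" | cut -d. -f1-3)")" ;;
        1) echo "$1: patched" ;;
        *) echo "$1: tier not listed in the advisory, check vendor guidance" ;;
    esac
}

build=$(installed_cpanel_build)
if [ -n "$build" ]; then report_build "$build"; fi
```

Run it on each host, including DNSOnly servers and any with pinned or disabled updates, since those are exactly the ones that will not have picked up the fix automatically.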


Summary for IT Teams

  • Products: cPanel & WHM

  • Threat Level: Critical, CVSS 9.3

  • Action Required: Patch supported cPanel & WHM builds immediately, verify the installed version, restart cpsrvd, and prioritise any internet-facing or pinned systems for urgent remediation.


Need Help?

If you need assistance assessing exposure, validating patched versions, or coordinating urgent remediation across internet-facing systems, contact Secure ISS on 1300 769 460.

Australia is secure when
Australian talent defends it.

Reach out today to discuss how, with Lumara, we can work together to protect your business from the ever-changing Australian threat landscape.