
cPanel and WHM Authentication Bypass (CVE-2026-41940)

Prepared by: Brandon Sawyer, Vulnerability Analyst | Published: Thu 30 April 2026

Purpose

On 28 April 2026, cPanel released security updates addressing a critical vulnerability affecting the cPanel & WHM and WP Squared products. CVE-2026-41940 (CVSS v3.1: 9.8 - Critical) is an authentication bypass vulnerability that can allow remote threat actors unauthenticated administrative access to affected systems.

Currently, KnownHost (a managed cPanel host) is reporting active exploitation in the wild, with speculation that zero-day exploitation occurred as early as 23 February 2026, prior to the vulnerability's public disclosure. CISA has yet to add CVE-2026-41940 to its Known Exploited Vulnerabilities catalog, but given the nature of the flaw and the public proof-of-concept exploit from watchTowr, it is recommended that all affected systems be assessed immediately.

Details

CVE-2026-41940 is an authentication bypass vulnerability that can allow remote threat actors unauthenticated administrative access to affected systems. cPanel has reported that the authentication bypass has been identified in the cPanel software (including DNSOnly) and affects all versions after "11.40.x". cPanel & WHM is web hosting control panel software used to manage websites: WHM provides root-level administration, while cPanel is the user-facing interface. WP Squared is the managed WordPress offering powered by cPanel; it has also received a patch for CVE-2026-41940.

On 29 April 2026, security firm watchTowr released a thorough technical analysis and a proof-of-concept exploit. They report that the authentication bypass in CVE-2026-41940 is caused by Carriage Return Line Feed (CRLF) injection in the login and session-loading processes of cPanel and WHM. Further technical information can be found in the watchTowr Labs analysis.

Impact

Successful exploitation of CVE-2026-41940 can give the threat actor full control over the cPanel host system, its configuration and databases, and the websites it manages. Threat actors can then leverage this access to create backdoors or web shells, redirect users to malicious locations, steal sensitive files, or send spam and phishing emails.

Mitigation actions

Organisations running on-premises instances of cPanel & WHM or WP Squared should prioritise upgrading to the fixed versions below immediately:

Product        Affected Versions   Fixed Version
cPanel & WHM   11.110.x            11.110.0.97
               11.118.x            11.118.0.63
               11.126.x            11.126.0.54
               11.132.x            11.132.0.29
               11.134.x            11.134.0.20
               11.136.x            11.136.0.5
WP Squared     11.136.x            11.136.1.7


The cPanel vendor advisory released the following step-by-step CLI guide for affected clients:
1. Update the server to one of the above-listed versions immediately by running the cPanel update script with the command "/scripts/upcp --force".
2. Once the update has completed, verify the cPanel build version being returned with "/usr/local/cpanel/cpanel -V" and then restart the cPanel service (cpsrvd) with "/scripts/restartsrv_cpsrvd".
3. Please note that servers with cPanel updates disabled, or with the update configuration pinned to a specific version, will not auto-update. Identify and update these servers manually as a priority.
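As an added example (not from the cPanel advisory or Triskele Labs), a POSIX shell function that compares a host's reported build version against the fixed-version table above and reports whether the host is patched for CVE-2026-41940, which is useful when auditing many servers, including those with pinned or disabled updates. It assumes the version is available as a dotted string such as 11.136.0.3; the exact output format of /usr/local/cpanel/cpanel -V is an assumption, so adjust the parsing if your build prints it differently.

```shell
#!/bin/sh
# Added example: compare a cPanel & WHM / WP Squared build version with the
# fixed versions from the CVE-2026-41940 advisory table. The dotted version
# format (e.g. 11.136.0.3) is an assumption; verify it against your host.

# Fixed version per branch, taken from the advisory table (product:branch:fixed).
FIXED_VERSIONS="cpanel:11.110:11.110.0.97
cpanel:11.118:11.118.0.63
cpanel:11.126:11.126.0.54
cpanel:11.132:11.132.0.29
cpanel:11.134:11.134.0.20
cpanel:11.136:11.136.0.5
wp2:11.136:11.136.1.7"

# version_ge A B: succeed (0) if dotted version A >= B, comparing numerically
# field by field; missing trailing fields count as 0.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "$a" = "$x" ] && a="" || a="${a#*.}"
        [ "$b" = "$y" ] && b="" || b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# cve_41940_status PRODUCT VERSION
# PRODUCT is "cpanel" (cPanel & WHM, including DNSOnly) or "wp2" (WP Squared).
# Prints PATCHED, VULNERABLE, or UNKNOWN-BRANCH (branch missing from the table;
# treat as unpatched until confirmed against the vendor advisory).
cve_41940_status() {
    product="$1"; ver="$2"
    branch="$(printf '%s' "$ver" | cut -d. -f1,2)"
    fixed="$(printf '%s\n' "$FIXED_VERSIONS" | grep "^$product:$branch:" | cut -d: -f3)"
    if [ -z "$fixed" ]; then
        echo "UNKNOWN-BRANCH"
    elif version_ge "$ver" "$fixed"; then
        echo "PATCHED"
    else
        echo "VULNERABLE"
    fi
}

# On a cPanel host (format assumption above):
#   cve_41940_status cpanel "$(/usr/local/cpanel/cpanel -V)"
```

Note that WP Squared on the 11.136 branch needs 11.136.1.7, a higher build than the 11.136.0.5 fix for cPanel & WHM, so pass the correct product name for each host.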

Some hosting providers have opted for a temporary workaround of blocking TCP ports 2083, 2087, 2095 and 2096, which serve the cPanel and WHM web interfaces, but organisations are strongly advised not to rely on this and instead patch immediately.

Detection capabilities

At the time of writing, publicly confirmed detection coverage for CVE-2026-41940 is limited. It is expected that vulnerability management vendors will release detection signatures in line with standard update cycles. Organisations should monitor vendor advisories and ensure patches are applied.

cPanel has released an Indicators of Compromise (IoC) script that customers can run against their systems; it checks for sessions in the filesystem. Go to the cPanel Advisory and navigate to "Detection Script" for instructions on how to copy and execute the script.

MDR customers: Triskele Labs will continue tuning detections for behaviours consistent with the exploitation of CVE-2026-41940 across supported log sources.

Vulnerability Management customers: Environments will be assessed for vulnerable cPanel & WHM and WP Squared versions; any exposure will be communicated through priority channels.


References