CVE-2026-29205 Overview
CVE-2026-29205 is an arbitrary file read vulnerability in cPanel & WHM affecting the cpdavd attachment download endpoints. The flaw stems from incorrect privileges management combined with insufficient path filtering, allowing unauthenticated network attackers to read arbitrary files on the server. The issue is tracked under CWE-250: Execution with Unnecessary Privileges. cPanel addressed the issue in the May 13, 2026 security update for cPanel & WHM WP2.
Critical Impact
An unauthenticated remote attacker can retrieve sensitive server files, including configuration data, credentials, and private keys, through the cpdavd attachment download endpoints.
Affected Products
- cPanel & WHM (WP2 release tier)
- cPanel cpdavd (WebDAV/calendar/contacts) daemon
- Servers exposing the cpdavd attachment download endpoints
Discovery Timeline
- 2026-05-13 - cPanel releases security update addressing CVE-2026-29205
- 2026-05-13 - CVE-2026-29205 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-29205
Vulnerability Analysis
The vulnerability resides in the attachment download endpoints exposed by cpdavd, the cPanel daemon that serves WebDAV, CalDAV, and CardDAV traffic. The daemon runs with elevated privileges to read mail and account data across users on the server. When a client requests an attachment, the endpoint constructs a filesystem path from request input without applying sufficient validation. Combined with the daemon's broad filesystem privileges, the endpoint can be coerced into returning files outside the intended attachment scope.
Because the attack vector is network-based and requires no authentication or user interaction, any reachable cPanel server is exposed. The disclosed content can include /etc/shadow-style secrets, API tokens, SSL private keys, mail spools, and database configuration files used to pivot deeper into the host.
Root Cause
The root cause is twofold and aligns with CWE-250. First, cpdavd performs file operations with privileges exceeding what the attachment download function requires. Second, the path parameter handed to the file open routine is not normalized or constrained to the attachment directory. Traversal sequences and absolute paths therefore reach the filesystem layer, where the daemon's privilege level satisfies the read.
Attack Vector
An attacker sends a crafted HTTP request to the cpdavd attachment download endpoint on the cPanel service port. The request includes a manipulated path or identifier that resolves outside the intended attachment storage. cpdavd opens the target file under its privileged context and streams the contents back in the HTTP response. No credentials, session, or victim interaction is required. Refer to the cPanel Security Advisory for CVE-2026-29205 for vendor-specific technical detail.
Detection Methods for CVE-2026-29205
Indicators of Compromise
- Requests to cpdavd attachment download endpoints containing ../, URL-encoded traversal sequences (%2e%2e%2f), or absolute paths such as /etc/, /root/, or /home/.
- HTTP 200 responses from cpdavd returning content types or sizes inconsistent with mail attachments.
- Unexpected reads of sensitive files (/etc/shadow, /etc/cpanel, .my.cnf, SSH keys) in audit or auditd logs originating from the cpdavd process.
- Spikes in request volume from unknown source IPs to cPanel service ports (2077, 2078, 2079, 2080).
Detection Strategies
- Parse cpdavd access logs for attachment download URIs containing path traversal patterns or non-attachment file extensions.
- Correlate web requests with filesystem access events generated by the cpdavd process to identify reads outside /var/cpanel/ mail attachment directories.
- Deploy WAF or reverse-proxy signatures that block traversal payloads on cPanel attachment routes.
Monitoring Recommendations
- Enable verbose logging on cpdavd and forward logs to a central SIEM for retention and correlation.
- Alert on any cpdavd process read of files under /etc, /root, ~/.ssh, or other sensitive paths.
- Monitor outbound data volume from cPanel hosts for anomalous responses that may indicate file exfiltration.
How to Mitigate CVE-2026-29205
Immediate Actions Required
- Apply the cPanel & WHM WP2 security update released on May 13, 2026 to all affected servers.
- Restrict network exposure of cpdavd ports (2077, 2078, 2079, 2080) to trusted networks where feasible.
- Rotate credentials, API tokens, and private keys that may have been accessible to cpdavd if compromise is suspected.
Patch Information
cPanel published fixed releases as part of the May 13, 2026 security update. Administrators should consult the cPanel Security Advisory for CVE-2026-29205 for the exact patched build numbers and update via upcp or the WHM update interface.
Workarounds
- If patching cannot be performed immediately, disable the cpdavd service on hosts that do not require WebDAV, CalDAV, or CardDAV.
- Place a hardened reverse proxy in front of cpdavd to filter requests containing traversal sequences or non-attachment paths.
- Limit source IP access to cpdavd listeners using host firewall rules until the patch is applied.
# Run cPanel update to pull the patched WP2 build
/scripts/upcp --force
# Temporary mitigation: stop cpdavd if WebDAV/CalDAV/CardDAV is not in use
whmapi1 configureservice service=cpdavd enabled=0 monitored=0
/scripts/restartsrv_cpdavd --stop
# Restrict cpdavd ports at the host firewall (example using firewalld)
firewall-cmd --permanent --remove-port=2079/tcp
firewall-cmd --permanent --remove-port=2080/tcp
firewall-cmd --reload
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
