CVE-2026-41940 Overview
CVE-2026-41940 is an authentication bypass vulnerability in cPanel and WHM versions after 11.40. The flaw resides in the login flow and allows unauthenticated remote attackers to gain unauthorized access to the hosting control panel over the network. The weakness is classified under [CWE-306: Missing Authentication for Critical Function]. cPanel, WHM, and WP Squared instances exposed to the internet are at risk, and public proof-of-concept code has been published. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog, and reports describe mass exploitation in Sorry ransomware campaigns.
Critical Impact
Unauthenticated attackers can bypass login controls on cPanel/WHM and chain access to remote code execution on shared hosting infrastructure.
Affected Products
- cPanel (versions after 11.40)
- WHM (Web Host Manager, versions after 11.40)
- cPanel WP Squared for WordPress
Discovery Timeline
- 2026-04-28 - cPanel publishes security update advisory
- 2026-04-29 - CVE-2026-41940 published to NVD
- 2026-05-04 - Last updated in NVD database
Technical Details for CVE-2026-41940
Vulnerability Analysis
The vulnerability exists in the authentication path of the cPanel and WHM login flow. An attacker sends a crafted HTTP request to the login endpoint and obtains an authenticated session without supplying valid credentials. Because cPanel and WHM are administrative control planes for shared hosting, a bypass yields control over user accounts, mail, DNS, and file system resources tied to the server.
The vulnerability is network-reachable, requires no privileges, and needs no user interaction. Public analysis from Watchtowr and VulnCheck demonstrates that the bypass can be chained to remote code execution on the underlying host. The CWE mapping is [CWE-306], indicating that a critical function executes without verifying that the caller has been authenticated.
Root Cause
The login flow fails to enforce authentication on a code path that should require valid credentials. An attacker reaches authenticated functionality by manipulating request parameters that the login handler trusts without validation. The defect is present in cPanel and WHM versions after 11.40, including builds that ship with WP Squared.
Attack Vector
Exploitation is performed remotely over HTTPS against the cPanel (:2083) or WHM (:2087) management ports. An attacker submits a forged login request that the server accepts as authenticated. Once a session is established, the attacker performs administrative actions and leverages built-in cPanel functionality to upload files, run shell commands, or pivot to hosted sites. Public proof-of-concept tooling automates the full chain from unauthenticated request to command execution.
No verified exploit code is reproduced here. Technical write-ups are available in the Watchtowr Authentication Bypass Analysis and the VulnCheck cPanel Authentication Bypass Advisory.
Detection Methods for CVE-2026-41940
Indicators of Compromise
- Unexpected successful logins to cPanel (:2083), WHM (:2087), or Webmail ports (:2095, :2096) without preceding failed authentication attempts.
- Creation of new cPanel accounts, reseller accounts, or WHM API tokens that administrators did not authorize.
- Outbound connections from the cPanel host to unfamiliar IP addresses, or new cron jobs and SSH keys added to hosted accounts.
- Presence of ransom notes or file modifications linked to the Sorry ransomware campaign reported by BleepingComputer.
Detection Strategies
- Inspect /usr/local/cpanel/logs/access_log and login_log for POST requests to login endpoints that return session cookies but lack matching credential validation entries.
- Hunt for requests to /login/ and /cpsess* paths that originate from IP addresses absent from prior administrative baselines.
- Correlate web server logs with process telemetry to spot child processes spawned by cPanel daemons immediately after a login event.
Monitoring Recommendations
- Forward cPanel, WHM, and Apache logs to a central SIEM and alert on session creation without a successful credential check.
- Monitor file integrity on /usr/local/cpanel/base, /etc/passwd, and account home directories for unauthorized modifications.
- Track outbound traffic from hosting servers and alert on connections to known ransomware command-and-control infrastructure.
How to Mitigate CVE-2026-41940
Immediate Actions Required
- Apply the cPanel and WHM security update released on 2026-04-28 to all servers, including any WP Squared deployments.
- Restrict access to ports 2083, 2087, 2095, and 2096 to trusted management networks until patches are confirmed in place.
- Rotate all cPanel, WHM, reseller, and API token credentials, and invalidate active sessions on patched hosts.
- Audit hosted accounts for unauthorized files, cron jobs, SSH keys, and mail forwarders that may indicate prior compromise.
Patch Information
cPanel released fixed builds described in the cPanel WHM Security Update 04-28-2026 advisory. Version details are tracked in the cPanel Release Notes and, for WP Squared, in the WP Squared Changelog. CISA lists the issue in the Known Exploited Vulnerabilities Catalog, and federal agencies must remediate by the catalog deadline.
Workarounds
- Place cPanel and WHM behind a VPN or IP allowlist at the firewall or load balancer.
- Enable two-factor authentication on all cPanel and WHM accounts, recognizing that this does not fully neutralize the bypass but reduces follow-on abuse.
- Disable any unused services such as Webmail and WHM API endpoints on internet-facing interfaces.
# Example firewall restriction limiting cPanel/WHM ports to a management subnet
iptables -A INPUT -p tcp -m multiport --dports 2082,2083,2086,2087,2095,2096 \
-s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 2082,2083,2086,2087,2095,2096 \
-j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

