A newly disclosed security issue, tracked as CVE-2026-41940, has raised significant concerns across the web hosting ecosystem, particularly for systems running cPanel and WebHost Manager (WHM). The flaw, described as an authentication bypass security vulnerability, affects multiple authentication pathways and could potentially allow unauthorized users to gain access to sensitive control panel environments.
The vulnerability was formally acknowledged in a security advisory published on April 28, 2026, and later updated several times, with the most recent revision on April 29, 2026, at 02:46 PM CST. The advisory, titled “Security: CVE-2026-41940 – cPanel & WHM / WP2 Security Update 04/28/2026,” outlines the scope, impact, and mitigation steps associated with the issue.
According to the advisory, the root cause lies in an authentication bypass security flaw affecting cPanel software, including DNSOnly installations, across all versions released after 11.40. While initially lacking an official identifier, the issue is now widely referenced as CVE-2026-41940.
Affected Versions and Patch Releases
The vulnerability impacts all currently supported versions of cPanel and WHM. To address the issue, patches have been released for the following versions:
- 11.86.0.41
- 11.110.0.97
- 11.118.0.63
- 11.126.0.54
- 11.130.0.19
- 11.132.0.29
- 11.134.0.20
- 11.136.0.5
Additionally, WP Squared version 136.1.7 has also received a corresponding fix.
The advisory stresses that administrators should immediately update their systems using the standard update script:
/scripts/upcp –force
Once the update is complete, verification of the installed version and restarting the cPanel service (cpsrvd) is required to ensure the patch is properly applied.
Immediate Mitigation Steps for CVE-2026-41940
For environments where updates cannot be applied right away, temporary mitigations have been recommended. These include blocking inbound traffic on ports 2083, 2087, 2095, and 2096 at the firewall level, or disabling key services such as cpsrvd and cpdavd.
Administrators are also warned that systems with disabled automatic updates or pinned to specific versions will not receive patches automatically. These systems must be manually updated as a priority to mitigate the authentication bypass security risk posed by CVE-2026-41940.
Detection Script and Indicators of Compromise
To assist administrators in identifying potential exploitation attempts, a detection script has been provided. The script scans session files located in /var/cpanel/sessions for indicators of compromise (IOCs).
Key detection mechanisms include:
- Identification of session files containing both token_denied and cp_security_token, which strongly suggests exploitation attempts.
- Detection of pre-authentication sessions containing authenticated attributes.
- Sessions marked with tfa_verified but lacking legitimate origin markers.
- Multi-line password values, indicating possible session file corruption.
If the script detects suspicious activity, it outputs warnings or critical alerts. In cases where compromise is confirmed, administrators are instructed to:
- Purge all affected sessions
- Force password resets for root and all WHM users
- Audit system logs, such as /var/log/wtmp and WHM access logs
- Investigate persistence mechanisms like cron jobs, SSH keys, or backdoors
An example output included in the advisory demonstrates detection of an exploitation attempt originating from IP address 100.96.3.23, where an injected session token was identified alongside a failed authentication attempt.
Industry Response and Ongoing Monitoring
Although cPanel has not disclosed detailed technical specifics about CVE-2026-41940, third-party hosting provider Namecheap confirmed that the issue involves “an authentication login exploit that could allow unauthorized access to the control panel.”
As a precaution, Namecheap implemented firewall rules blocking TCP ports 2083 and 2087, temporarily restricting access to cPanel and WHM interfaces. The company stated, “Our team is actively monitoring the situation and will apply the official patch across all supported servers as soon as it becomes available.”
The provider also confirmed that patches had been deployed across Reseller and Stellar Business servers, with broader rollout ongoing.
Urgency Around Updating cPanel Systems
The advisory emphasizes that any server running an unsupported version of cPanel remains at risk from this authentication bypass security flaw. Administrators are strongly urged to upgrade to a supported and patched version as soon as possible.
“If your server is not running a supported version of cPanel that is eligible for this update, it is highly recommended that you work toward updating your server as soon as possible, as it may also be affected,” the advisory notes.
