Web hosting software vendor cPanel has issued patches for a critical vulnerability in its software that is under exploitation and that allows attackers to bypass authentication.
The flaw, indexed as CVE-2026-41940, carries a Common Vulnerability Scoring System (CVSS) rating of 9.8 out of 10 and gives unauthenticated attackers administrative rights on affected systems.
It is caused by a carriage return line feed (CRLF) injection in the login and session loading processes of cPanel and WHM, security vendor Rapid7 wrote in its technical analysis of the flaw.
Before authentication occurs, cpsrvd, the cPanel service daemon, writes a new session file to disk.
An attacker can manipulate the whostmgrsession cookie by omitting an expected segment of its value, which sidesteps the encryption step that is normally applied to the attacker-supplied value.
This means the daemon creates a session file on disk even when a login attempt fails, and because the input written to that file is unsanitised, an attacker can inject properties such as user=root and bypass the password check entirely.
cPanel is a web-based control panel that gives website owners and administrators a graphical interface for managing their hosting accounts, covering email, databases, file management, and domain configuration.
There are around 70 million domains that use the web-based control panel.
WHM, or WebHost Manager, sits one level above cPanel and gives hosting providers and server administrators root-level control over the entire server, including the ability to create and manage individual cPanel accounts, configure TLS certificates, and set server-wide security policies.
One web hosting company, KnownHost, said the vulnerability has been exploited since late March.
Canada’s Centre for Cyber Security said the vulnerability allows unauthenticated remote attackers to gain access to the cPanel and WHM administrative interfaces.
This means attackers could take control of hosted websites, databases, and email accounts, modify server configurations, and potentially compromise thousands of downstream sites on shared hosting servers.
cPanel has released a detection script to assist administrators in identifying compromised systems.
Indicators of compromise (IoCs) include session files containing both token_denied and cp_security_token with a method=badpass origin, and pre-authenticated sessions that contain authenticated attributes.
Administrators should audit access logs covering the period from approximately late March through to the date patching was confirmed.
They should also run /scripts/upcp --force immediately to force an update regardless of whether the system believes it is already current.
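The two session-file indicators above, and the CRLF pattern that produces them, as an added example written for this page rather than cPanel's own detection script or code: a toy key=value session writer in its naive and hardened forms, and a scanner that flags the indicator combinations over a handful of constructed session records. The key=value-per-line layout, the field names beyond those the advisory mentions (user, token_denied, cp_security_token, method=badpass), the use of the badpass origin as the pre-authentication signal, and every sample record are assumptions made for the illustration.

```python
"""
Added example, not cPanel's code: a toy model of the CRLF-injection pattern
described above and a scanner for the two session-file indicators cPanel's
guidance names. The key=value-per-line record layout, every field name other
than the ones the advisory mentions (user, token_denied, cp_security_token,
method=badpass) and all sample records are constructed assumptions.
"""

# Assumption: keys that only a completed login should set.
AUTHENTICATED_ATTRS = ("user", "cp_security_token")


def parse_session(text):
    """Parse a key=value-per-line session record (assumed layout) into a dict."""
    session = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            session[key.strip()] = value.strip()
    return session


def write_session_unsafe(fields):
    """Naive writer: values are serialised verbatim. A CR/LF inside a value
    terminates the line early, so everything after it is parsed back as new
    keys. This is the injection primitive the advisory describes."""
    return "".join(f"{key}={value}\n" for key, value in fields.items())


def write_session_safe(fields):
    """Hardened writer: refuse CR/LF anywhere and '=' in keys, so a single
    field can never expand into additional records on re-parse."""
    for key, value in fields.items():
        if "=" in key or any(ch in "\r\n" for ch in f"{key}{value}"):
            raise ValueError(f"delimiter character in session field {key!r}")
    return "".join(f"{key}={value}\n" for key, value in fields.items())


def hardened_rejects(fields):
    """True if the hardened writer refuses the record."""
    try:
        write_session_safe(fields)
    except ValueError:
        return True
    return False


def indicators_for(session):
    """Return the names of the indicators that fire for one parsed session."""
    fired = []
    failed_login = session.get("method") == "badpass"
    # IoC 1: token_denied and cp_security_token together, with a badpass origin.
    if failed_login and "token_denied" in session and "cp_security_token" in session:
        fired.append("badpass_with_security_token")
    # IoC 2: a session written before authentication completed (assumption:
    # the badpass origin is the pre-auth signal) that already carries
    # attributes only a successful login should set.
    if failed_login and any(attr in session for attr in AUTHENTICATED_ATTRS):
        fired.append("preauth_with_authenticated_attrs")
    return fired


def scan_sessions(records):
    """Map session-file name -> fired indicators, suspicious records only."""
    result = {}
    for name, text in records.items():
        fired = indicators_for(parse_session(text))
        if fired:
            result[name] = fired
    return result


# Constructed: a failed-login record whose attacker-controlled cookie segment
# carries CRLF-separated extra lines. Written verbatim, they become new keys.
INJECTED_FIELDS = {
    "method": "badpass",
    "token_denied": "1",
    "session_seed": "abc123\r\nuser=root\r\ncp_security_token=cpsess0000000000",
}

# Constructed sample session files (name -> raw content).
SAMPLE_SESSIONS = {
    "legit_failed_login": "method=badpass\ntoken_denied=1\n",
    "legit_authenticated": "method=password\nuser=bob\ncp_security_token=cpsess1111111111\n",
    "injected_full": write_session_unsafe(INJECTED_FIELDS),
    "injected_user_only": "method=badpass\nuser=root\n",
}

if __name__ == "__main__":
    print("re-parsed injected record:", parse_session(SAMPLE_SESSIONS["injected_full"]))
    for name, fired in scan_sessions(SAMPLE_SESSIONS).items():
        print(f"{name}: {', '.join(fired)}")
    print("hardened writer rejects injected record:", hardened_rejects(INJECTED_FIELDS))
```

Running the script shows the single CRLF-laden field re-parsing into user=root and cp_security_token entries, both indicators firing on that record, the user-only variant tripping the second indicator alone, and the hardened writer refusing the record outright. Against a real host the same scan would iterate over the session directory and be paired with the access-log audit the advisory calls for.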

