CVE-2026-41940 is a critical authentication bypass in cPanel and WebHost Manager (WHM), the control panel that sits behind a large share of the world's small business hosting. cPanel manages roughly 70 million domains. The bug is rated CVSS 9.8 and gives an unauthenticated attacker root on the server.
cPanel released an emergency patch on 28 April. Researchers say it was being exploited as a zero-day for around 30 days before that.
What it actually does
The bug is a CRLF injection in the way cPanel handles login sessions. CRLF injection means the attacker gets carriage-return and line-feed characters into data the server later parses, where they terminate one field and start another. Here, an attacker triggers a failed login to get a session cookie, then sends a crafted request that injects extra session properties, including user=root. The server treats the resulting session as a privileged one. No password, no two-step verification, no user interaction.
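To make the bug class concrete, here is an added illustration in POSIX shell. It is not cPanel's session code, and the store, file layout and function names are invented: a toy key=value session record where the unsafe writer passes a value containing CR/LF straight through, so a second user=root line appears and a naive reader honours it, while the hardened writer refuses any value carrying those characters. The session file and the malicious value are constructed inline.

```shell
#!/bin/sh
# Added example of the CRLF-injection bug class, using an invented key=value
# session store. This is not cPanel's code and the function names are made up.

CR=$(printf '\r')
LF=$(printf '\nx'); LF=${LF%x}        # a bare newline, kept despite $(...) stripping

# Unsafe writer: appends KEY=VALUE with no validation. A value containing
# "\r\nuser=root" therefore writes a second line that reads as a new property.
session_set_unsafe() { printf '%s=%s\n' "$2" "$3" >> "$1"; }

# Hardened writer: refuses any value carrying a carriage return or line feed,
# so one request can only ever set the one property it was allowed to set.
session_set_safe() {
  case "$3" in *"$CR"*|*"$LF"*) return 1 ;; esac
  printf '%s=%s\n' "$2" "$3" >> "$1"
}

# Reader: last line matching KEY= wins, as a naive line-oriented parser would do.
session_get() { grep "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d "$CR"; }

# Demonstration on a constructed session file: succeeds (exit 0) when the
# unsafe store resolves to root and the hardened store still resolves to guest.
demo_crlf() {
  f=$(mktemp)
  session_set_unsafe "$f" user guest
  session_set_unsafe "$f" theme "dark${CR}${LF}user=root"
  unsafe_user=$(session_get "$f" user)
  g=$(mktemp)
  session_set_safe "$g" user guest
  session_set_safe "$g" theme "dark${CR}${LF}user=root" || true   # rejected
  safe_user=$(session_get "$g" user)
  rm -f "$f" "$g"
  echo "unsafe store resolves user=$unsafe_user, hardened store resolves user=$safe_user"
  [ "$unsafe_user" = root ] && [ "$safe_user" = guest ]
}

demo_crlf
```

The point of the hardened writer is that it validates at the boundary where the data is written, not in the reader: once the injected line is in the record, every consumer that parses it line by line will see user=root.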
Once in, an attacker can plant backdoors on every site on the server, redirect visitors to malicious pages, send phishing from your domain, and pivot through WHM into every other account on the box.
Within hours of the advisory, the major hosting providers (Namecheap, Hosting.com, KnownHost, HostPapa, InMotion) firewalled their own customers off the cPanel ports while they patched. As Benjamin Harris of watchTowr Labs put it: "Within hours of the advisory dropping, nearly every major hosting provider on the planet had firewalled their own customers off." Daniel Pearson of KnownHost was blunter: "This has absolutely been used in the wild."
What to do if you're on shared hosting
Most UK SMBs running a WordPress site, an agency-managed site, or a reseller account are on a cPanel host whether they know it or not. You can't patch your host's server, but you can ask the right questions:
- Have you applied the cPanel patch for CVE-2026-41940? Which build version are you on?
- Were customer cPanel ports (2083, 2087, 2095, 2096) blocked between disclosure and patching?
- Have you reviewed account activity for signs of compromise during the period the bug was being exploited (roughly late March onwards)?
- If a customer account was compromised, how would we be told?
A host that can answer all four quickly is a host that takes this seriously. A host that can't is a problem you've just discovered.
While you're there, rotate the cPanel password, check that two-step verification is on, and review the list of FTP users, email accounts, and API tokens for anything you don't recognise.
What to do if you self-host WHM
Update immediately. The fixed builds are 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, 11.136.0.5, and WP Squared 136.1.7. Run /scripts/upcp --force, then confirm the build version after restart (/usr/local/cpanel/cpanel -V prints it) and check it against the fixed build for your branch.
If you can't patch right now, block TCP ports 2083, 2087, 2095, and 2096 at the firewall, or stop the cpsrvd and cpdavd services. That cuts off the attack path until you can get the patch on. It also locks your own users out of cPanel, WHM and webmail, so treat it as a stopgap, not a fix.
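The two steps above, checking the installed build against the advisory's fixed builds and, if it is still vulnerable, producing the firewall rules, as an added POSIX shell script. This is not cPanel's tooling. It assumes the running build can be read from /usr/local/cpanel/version (overridable through CPANEL_VERSION_FILE) and that the host firewall is iptables; the fixed-build list and the port list are the ones given on this page.

```shell
#!/bin/sh
# Added example, not cPanel's tooling: compare the installed WHM build with the
# fixed builds from the advisory and print stopgap firewall rules if needed.
# Assumptions (not from the page): the build string lives in
# /usr/local/cpanel/version, and the firewall is iptables.

FIXED_BUILDS="11.110.0.97 11.118.0.63 11.126.0.54 11.130.0.19 11.132.0.29 11.134.0.20 11.136.0.5"
CPANEL_PORTS="2083 2087 2095 2096"
VERSION_FILE="${CPANEL_VERSION_FILE:-/usr/local/cpanel/version}"

# ver_ge A B: succeed if dotted version A is numerically >= B, component by component.
ver_ge() {
  i=1
  while [ "$i" -le 4 ]; do
    x=$(printf '%s' "$1" | cut -d. -f"$i")
    y=$(printf '%s' "$2" | cut -d. -f"$i")
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# cpanel_patched VERSION: 0 = at or above the fixed build for its branch,
# 1 = vulnerable, 2 = branch not in the advisory's list (check manually).
cpanel_patched() {
  branch=${1%.*}; branch=${branch%.*}        # 11.126.0.52 -> 11.126
  for fixed in $FIXED_BUILDS; do
    fb=${fixed%.*}; fb=${fb%.*}
    if [ "$fb" = "$branch" ]; then
      ver_ge "$1" "$fixed" && return 0
      return 1
    fi
  done
  return 2
}

# cpanel_block_rules: print iptables rules that drop inbound TCP to the cPanel ports.
cpanel_block_rules() {
  for p in $CPANEL_PORTS; do
    printf 'iptables -I INPUT -p tcp --dport %s -j DROP\n' "$p"
  done
}

# Stand-alone use: report on the installed build, if one is present on this host.
if [ -r "$VERSION_FILE" ]; then
  current=$(cat "$VERSION_FILE")
  cpanel_patched "$current"; rc=$?
  case $rc in
    0) echo "cPanel $current: fixed build or later" ;;
    1) echo "cPanel $current: VULNERABLE, run /scripts/upcp --force or apply:"
       cpanel_block_rules ;;
    *) echo "cPanel $current: branch not in the advisory's fixed-build list, check manually" ;;
  esac
fi
```

The rules are printed rather than applied so you can review them before cutting off your own users; pipe the output into sh once you are satisfied, and remove the rules after the patch is confirmed.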
Then go looking for compromise. Reports flag malformed session tokens, pre-authenticated sessions appearing without a corresponding login, and two-step verification events without a valid origin. Treat any of those as evidence the box was already touched.
How Steelwise can help
If you're not sure who's hosting your site, what control panel sits behind it, or how you'd find out whether your host has actually patched, that's the kind of question we sort out for clients. Get in touch.
Further reading
- BleepingComputer: cPanel, WHM emergency update fixes critical auth bypass bug
- The Hacker News: Critical cPanel authentication vulnerability identified
- The Stack: cPanel is under attack
- The Register: Bug of the year (so far)?