ZeroPath at Black Hat USA 2026

WHMCS CVE-2026-29204: Brief Summary of a Critical IDOR Leading to Cross Account cPanel Takeover

A brief summary of CVE-2026-29204, a CVSS 10.0 Insecure Direct Object Reference in WHMCS that allows any authenticated client area user to access another user's resources and cPanel account by manipulating the addonId parameter.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-12

WHMCS CVE-2026-29204: Brief Summary of a Critical IDOR Leading to Cross Account cPanel Takeover
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A missing authorization check in the WHMCS billing platform allows any authenticated customer to access another customer's hosting resources and cPanel account simply by swapping an integer parameter in a request. Rated CVSS 10.0, this vulnerability represents a complete cross tenant compromise path on any shared WHMCS installation running version 7.4 or later.

WHMCS is the dominant billing and automation platform in the web hosting industry, powering tens of thousands of hosting companies worldwide. It handles customer signup, service provisioning, account management, and support automation. Because of this central role in the hosting supply chain, a vulnerability of this severity has outsized implications: a single exploited WHMCS instance can expose every customer account and their associated cPanel environments.

Technical Information

Root Cause: CWE 639 and the Missing Ownership Check

The vulnerability resides in the clientarea.php component of WHMCS. This endpoint accepts an addonId parameter that identifies a specific service addon belonging to a customer. The fundamental flaw is that WHMCS does not validate whether the authenticated user actually owns the addon referenced by the submitted addonId. This is a textbook instance of CWE 639: Authorization Bypass Through User Controlled Key, commonly known as an Insecure Direct Object Reference (IDOR).

When a legitimate request is made, the application should verify that the addonId in the request belongs to the session's authenticated user. Instead, WHMCS processes the request in the context of whichever account owns the referenced addon, regardless of who submitted the request.

Attack Flow

The exploitation path is straightforward:

  1. Obtain an authenticated session. The attacker registers a legitimate account on the target WHMCS installation or compromises any existing low privilege client area account.
  2. Enumerate addonId values. Because addon identifiers are typically sequential integers, the attacker can enumerate valid values through simple iteration.
  3. Substitute the addonId parameter. The attacker crafts a request to clientarea.php, replacing their own addonId with one belonging to a victim.
  4. WHMCS processes the request without ownership validation. The application grants the attacker access to the victim's associated resources.
  5. cPanel account takeover. Through the unauthorized addon access, the attacker can reach the victim's cPanel account, achieving full control over the victim's hosting environment.

Why the Authentication Requirement Does Not Reduce Severity

In shared hosting environments, every paying customer has a valid authenticated session in the WHMCS client area. This means the attacker pool is effectively the entire customer base of any given hosting provider. The barrier to exploitation is registering an account (often free or trivially cheap) and sending a modified HTTP request.

Temporary Workaround Limitations

Community discussions have explored implementing WAF rules to block requests containing the addonId parameter directed at clientarea.php. Security researchers have noted that such rules are difficult to craft accurately for IDOR vulnerabilities and will almost certainly break legitimate end user functionality within the portal. These should be treated as last resort measures only.

Affected Systems and Versions

The vulnerability affects all WHMCS installations from version 7.4 onward. The vendor has released fixes only for currently supported branches:

WHMCS SeriesAffected BuildsFixed BuildAction Required
WHMCS 9.xAll builds prior to 9.0.49.0.4Upgrade immediately
WHMCS 8.xAll builds prior to 8.13.38.13.3Upgrade immediately
WHMCS 7.xAll builds from 7.4.0 onwardNone availableMigrate to supported 8.x or 9.x branch
WHMCS CloudVariousAlready appliedNo action required

Notably, WHMCS 7.x installations will not receive a patch. Organizations still running 7.x must migrate to a supported release branch to remediate this vulnerability.

Vendor Security History

WHMCS maintains a security program that includes routine internal security audits and a Security Bounty Program encouraging responsible disclosure. The vendor has a track record of publishing security alerts, including past advisories related to third party extensions and themes. The decision to restrict the fix to supported branches (8.x and 9.x) while leaving 7.x unpatched is consistent with their support lifecycle policy but leaves a potentially significant number of installations exposed.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization