ZeroPath at Black Hat USA 2026

Quick Look: CVE-2026-29205 — Arbitrary File Read in cPanel cpdavd Attachment Endpoints

A brief summary of CVE-2026-29205, a high severity arbitrary file read vulnerability in cPanel's cpdavd service caused by incorrect privilege management and insufficient path filtering. Includes patch details across all affected release branches.

CVE Analysis

5 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-13

Quick Look: CVE-2026-29205 — Arbitrary File Read in cPanel cpdavd Attachment Endpoints
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An unauthenticated arbitrary file read in cPanel's DAV daemon just landed with a CVSS score of 8.6, and it arrives during a period when threat actors are already actively targeting cPanel infrastructure through a separate authentication bypass. For hosting providers and system administrators running cPanel and Web Host Manager version 120 or higher, CVE-2026-29205 exposes sensitive server files, including configuration data and credentials, to any remote attacker who can reach the cpdavd service.

Technical Information

The vulnerability lives in cpdavd, the cPanel DAV daemon responsible for handling WebDAV operations including file attachment downloads. Two distinct but intertwined flaws combine to create the exploitable condition.

Root Cause: Privilege Management and Path Filtering

First, the privilege management flaw. When cpdavd processes a file download request through its attachment download endpoints, it fails to properly drop elevated privileges before performing file system read operations. The daemon continues to operate with its higher level service privileges during the file retrieval, meaning any file accessible to the daemon's process context is fair game. This is classified under CWE-250: Execution with Unnecessary Privileges.

Second, the path filtering flaw. The endpoints responsible for serving attachment downloads do not adequately validate or sanitize the requested file path. Directory traversal sequences are not properly neutralized, allowing an attacker to escape the intended download directory.

Attack Flow

The exploitation path is straightforward:

  1. An external, unauthenticated attacker identifies a cPanel instance running version 120 or higher with the cpdavd service exposed.
  2. The attacker crafts a request to one of the cpdavd attachment download endpoints, injecting directory traversal sequences into the file path parameter.
  3. Because the path filtering is insufficient, the traversal sequences are not blocked or sanitized, allowing the request to reference files outside the authorized download directory.
  4. Because the daemon has not dropped its elevated privileges before performing the file read, it successfully opens and returns the contents of the requested file.
  5. The attacker receives the contents of arbitrary files on the server, potentially including /etc/shadow, database credentials, API keys, or other sensitive configuration data.

The combination of these two flaws is what elevates the severity. Path traversal alone with properly dropped privileges might limit the attacker to files readable by a restricted user. Privilege retention alone without path traversal would confine reads to the intended directory. Together, they grant broad, unauthenticated file system read access.

Patch Information

cPanel issued a public patch for CVE-2026-29205 on May 13, 2026. The fix addresses both root causes simultaneously. The privilege management logic has been corrected so that the daemon drops to the appropriate restricted user context before any file I/O is performed on the requested path. Additionally, stricter path filtering and canonicalization have been introduced to prevent directory traversal sequences from escaping the intended download directory.

The fix has been rolled out across all active cPanel and WHM release branches:

ProductFixed Version
cPanel & WHM (v124 branch)11.124.0.38
cPanel & WHM (v126 branch)11.126.0.59
cPanel & WHM (v130 branch)11.130.0.23
cPanel & WHM (v132 branch)11.132.0.32
cPanel & WHM (v134 branch)11.134.0.26
cPanel & WHM (v136 branch)11.136.0.10
WP Squared11.136.1.12

All subsequent builds within each branch also contain the fix. The vulnerability affects cPanel and WHM version 120 and higher, meaning older branches below 120 are not impacted.

To apply the update and verify:

/scripts/upcp /usr/local/cpanel/cpanel -V

Note that the update command typically requires the force flag to ensure completion. Since cPanel is closed source, no source level diff or commit has been published publicly; the patched binaries distributed through cPanel's update infrastructure are the sole delivery mechanism.

Affected Systems and Versions

The vulnerability affects cPanel and Web Host Manager version 120 and higher. Specifically, the following branches are vulnerable if running below the listed patched versions:

  • cPanel & WHM v124 branch: versions prior to 11.124.0.38
  • cPanel & WHM v126 branch: versions prior to 11.126.0.59
  • cPanel & WHM v130 branch: versions prior to 11.130.0.23
  • cPanel & WHM v132 branch: versions prior to 11.132.0.32
  • cPanel & WHM v134 branch: versions prior to 11.134.0.26
  • cPanel & WHM v136 branch: versions prior to 11.136.0.10
  • WP Squared: versions prior to 11.136.1.12

Branches below version 120 are not affected. Any installation where the cpdavd service is reachable by untrusted networks is at risk.

Vendor Security History

May 2026 has been a particularly active month for cPanel security disclosures. Alongside CVE-2026-29205, the vendor addressed two additional vulnerabilities in rapid succession:

  • CVE-2026-29201: Another arbitrary file read vulnerability, this time in the feature file loading mechanism, patched on May 8, 2026.
  • CVE-2026-29206: An SQL injection vulnerability in the sqloptimizer script, patched on the same day as CVE-2026-29205.

More critically, a separate authentication bypass vulnerability (CVE-2026-41940) has been under active exploitation by multiple threat actors. Attackers have leveraged that flaw to mass exploit vulnerable internet facing instances, breach servers, deface websites, and deploy ransomware. This broader context of active adversary interest in cPanel infrastructure makes prompt patching of CVE-2026-29205 especially important; exploit development for newly disclosed cPanel vulnerabilities is likely to be accelerated given the current threat actor focus on the platform.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization