ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-32993 — Unauthenticated HTTP Header Injection in cPanel & WHM via nova_error Endpoint

A short review of CVE-2026-32993, a high severity HTTP header injection vulnerability in cPanel & WHM that allows unauthenticated attackers to inject arbitrary response headers via the nova_error endpoint. Patch information and affected versions are included.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-13

Brief Summary: CVE-2026-32993 — Unauthenticated HTTP Header Injection in cPanel & WHM via nova_error Endpoint
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An unauthenticated endpoint in cPanel & WHM's web server daemon quietly accepted attacker controlled input and reflected it directly into HTTP response headers, opening the door to HTTP response splitting, cache poisoning, and cross site scripting. Given that cPanel powers hosting infrastructure for millions of websites worldwide, the blast radius of this flaw extends well beyond a single server.

CVE-2026-32993 carries a CVSS score of 8.3 and was disclosed alongside patches on May 13, 2026. The vulnerability sits in the /unprotected/nova_error endpoint of the cpsrvd service, where the status query parameter is insufficiently sanitized before being included in the HTTP response. No authentication is required to reach this endpoint, making it trivially accessible to any remote attacker.

Technical Information

Root Cause

The vulnerability is classified under CWE-93 (Improper Neutralization of CRLF Sequences in HTTP Headers). The /unprotected/nova_error endpoint in the cpsrvd web server daemon accepts a status query parameter and reflects its value into the HTTP response headers. The problem is straightforward: the application does not validate or strip carriage return (\r, 0x0D) and line feed (\n, 0x0A) characters from the parameter value before incorporating it into the response.

Because the endpoint lives under the /unprotected/ path, it requires no authentication whatsoever. Any remote client can craft a request to this endpoint and supply a malicious status value.

Attack Flow

The exploitation of this vulnerability follows the well documented pattern of HTTP response splitting:

  1. Reconnaissance: The attacker identifies the /unprotected/nova_error endpoint on a target cPanel server. This endpoint is publicly accessible and requires no credentials.

  2. Crafting the payload: The attacker constructs a URL where the status query parameter contains CRLF sequences (%0d%0a) followed by attacker controlled HTTP headers. For example, injecting a Set-Cookie header, a Location header for redirection, or even a complete second HTTP response body.

  3. Injecting the response: When the cpsrvd daemon processes the request, it includes the unsanitized status value in the response headers. The CRLF characters terminate the current header line, and everything after them is interpreted by the HTTP client (or any intermediary proxy/cache) as additional headers or a new response body.

  4. Downstream exploitation: Depending on the attacker's goal, the injected content enables several attack scenarios:

    • Cache poisoning: If a caching proxy sits in front of the cPanel server, the attacker can poison the cache with a malicious response that is then served to other users.
    • Cross site scripting: By injecting a response body containing JavaScript, the attacker can execute scripts in the context of the victim's browser session with the cPanel domain.
    • Cross user defacement: The attacker can replace the visible page content for other users who receive the poisoned cached response.
    • Page hijacking: Redirecting users to attacker controlled domains via injected Location headers.

The unauthenticated nature of the endpoint is what elevates this from a moderate concern to a high severity issue. There is no credential barrier, no session requirement, and no rate limiting mentioned in the advisory that would slow down exploitation.

Broader Context

This vulnerability was disclosed on the same day that cPanel released patches for a total of five CVEs, some reaching high severity. Notably, the cPanel ecosystem is under active pressure from threat actors: a separate critical authentication bypass (CVE-2026-41940) is being exploited in the wild as a zero day with public proof of concept code available. While CVE-2026-32993 itself has no known exploitation at this time, the active targeting of cPanel infrastructure by attackers makes this a priority for patching.

Patch Information

cPanel published a security update on May 13, 2026, that directly addresses CVE-2026-32993 by fixing the improper sanitization within the cpsrvd web server daemon. The core issue was resolved by adding proper input validation and sanitization to strip or reject carriage return and line feed characters (and other header injection sequences) before the status value is reflected into the HTTP response headers.

Because cPanel & WHM is closed source software, no public code diff or commit is available. However, the vendor advisory confirms the fix has been backported across all three currently supported release branches:

ProductPatched Version (and higher)
cPanel & WHM (v132 branch)11.132.0.32
cPanel & WHM (v134 branch)11.134.0.26
cPanel & WHM (v136 branch)11.136.0.10
WP Squared11.136.1.12

The fact that three separate branch level builds were issued tells us that cPanel treated this as a critical fix worth cherry picking into every supported release tier, which underscores the severity of the unauthenticated attack surface.

To apply the patch, administrators should force an update on each affected server by running:

/scripts/upcp --force

Afterward, the installed version can be confirmed with:

/usr/local/cpanel/cpanel -V

The output should show a version number at or above the thresholds listed in the table. Servers configured for automatic updates on the RELEASE, CURRENT, or EDGE tiers will receive this fix without manual intervention, but administrators on the STABLE or LTS tiers (or those with updates paused) should verify they are running a patched build. The cPanel changelogs at docs.cpanel.net/changelogs/ can be consulted for build level details in each branch.

Affected Systems and Versions

The following products and version ranges are affected by CVE-2026-32993:

  • cPanel & WHM v132 branch: All versions prior to 11.132.0.32
  • cPanel & WHM v134 branch: All versions prior to 11.134.0.26
  • cPanel & WHM v136 branch: All versions prior to 11.136.0.10
  • WP Squared: All versions prior to 11.136.1.12

The vulnerable component is the cpsrvd web server daemon, specifically the /unprotected/nova_error endpoint. Any server running an affected version with the cpsrvd service exposed to the network is vulnerable. The endpoint requires no authentication, so network accessibility is the only prerequisite for exploitation.

Vendor Security History

The cPanel ecosystem has faced a notable concentration of security issues in the current period. Alongside CVE-2026-32993, cPanel released patches for a total of five CVEs on May 13, 2026, with severities reaching high. More significantly, a separate critical authentication bypass vulnerability (CVE-2026-41940) in cPanel & WHM is currently being actively exploited in the wild as a zero day, with proof of concept code publicly available. This pattern of concurrent vulnerabilities, including at least one under active exploitation, indicates sustained attacker interest in the cPanel platform and reinforces the importance of maintaining current patch levels across all cPanel deployments.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization