Introduction
An authentication bypass in cPanel and WHM's login flow, disclosed on April 28, 2026, allows unauthenticated remote attackers to walk straight into the control panel without credentials. With cPanel estimated to power anywhere from 22 percent to over 94 percent of the web hosting control panel market, the scope of exposure here is difficult to overstate: we are talking about a single vulnerability that could grant administrative access to the infrastructure behind millions of hosted websites, databases, and mail servers.
The severity of CVE-2026-41940 is reflected in its CVSS 3.1 base score of 9.8 and CVSS 4.0 score of 9.3. The industry response was immediate. Namecheap, one of the largest hosting providers, declared an emergency maintenance event and proactively blocked control panel ports across their infrastructure while patches were rolled out.
Technical Information
Root Cause: Missing Authentication for Critical Function (CWE-306)
CVE-2026-41940 is classified under CWE-306, which designates a Missing Authentication for Critical Function. The root cause lies within the login flow of both cPanel and WHM applications. Vendor changelogs tracked the underlying issue as internal identifier CPANEL-52908, and the description points to improper session loading and saving mechanisms. The WP Squared release notes independently corroborate that CPANEL-52908 specifically addresses an issue with login authentication.
In practical terms, the authentication paths within the control panel contained a logic error that allowed session states to be manipulated in a way that bypassed standard credential verification. The vendor's advisory confirms the flaw resided in "various authentication paths" within the control panel, suggesting the issue was not confined to a single endpoint but rather affected the shared session handling logic used across multiple login interfaces.
Attack Vector and Exploitation Flow
The attack surface is the network interfaces used for control panel access:
- TCP port 2083: cPanel user interface
- TCP port 2087: WHM (Web Host Manager) administrative interface
The exploitation flow, based on available intelligence, works as follows:
-
Target identification: The attacker identifies a cPanel or WHM instance exposed on port 2083 or 2087. These ports are standard and easily discoverable through network scanning.
-
Crafted request to login endpoint: The attacker sends specially crafted requests to the login endpoints on these ports. No valid credentials are required.
-
Session state manipulation: The crafted requests exploit the improper session loading and saving mechanisms. The logic error in the authentication paths allows the attacker to establish or hijack a session without completing the normal credential verification process.
-
Administrative access achieved: With a valid session established through the bypass, the attacker gains unauthorized access to the control panel with the privileges associated with that session. This can include full administrative access to WHM, which controls all hosted accounts on the server.
The attack requires no prior authentication, no user interaction, and can be executed remotely over the network. This combination of factors is what drives the near-maximum CVSS score.
Scope of Impact
Successful exploitation gives an attacker access to the full capabilities of the control panel. Through cPanel and WHM, this includes the ability to create, modify, or delete hosting accounts; access and modify all hosted websites and databases; read and send email through hosted mail accounts; modify DNS records; install software; and execute commands on the underlying server. A compromised WHM instance effectively means full server compromise.
Patch Information
On April 28, 2026, cPanel issued an emergency security update addressing CVE-2026-41940 across all six active release branches simultaneously. Because cPanel is proprietary software, no public source code commit or diff is available; the fix is delivered as updated proprietary builds through cPanel's own update mechanism.
The patched builds eliminate the logic error in the authentication paths that allowed unauthenticated remote attackers to bypass the login flow. The following table lists the minimum safe version for each release branch:
| Release Branch | Patched Version |
|---|---|
| 11.110.x | 11.110.0.97 |
| 11.118.x | 11.118.0.63 |
| 11.126.x | 11.126.0.54 |
| 11.132.x | 11.132.0.29 |
| 11.134.x | 11.134.0.20 |
| 11.136.x | 11.136.0.5 |
Additionally, WP Squared (a cPanel derived product) is affected, with versions below 11.136.1.7 requiring an update.
To apply the fix, administrators should run the forced update command on the server:
/scripts/upcp --force
This triggers an immediate pull of the latest patched build for whichever release branch the server is tracking. There is no selective or granular patch; the entire cPanel and WHM package is updated to the fixed build number.
Important caveat: Servers running unsupported (end of life) cPanel versions will not receive this update through the normal channel, yet they are very likely also vulnerable. For those environments, upgrading to a supported branch is the only path to remediation.
If immediate patching is not feasible, organizations should apply strict firewall rules to block external access to TCP ports 2083 and 2087. This is the exact workaround that major hosting providers, including Namecheap, used during their emergency maintenance windows to prevent exploitation before patches could be fully deployed. This will temporarily restrict access to the control panel interfaces but effectively neutralizes the remote attack vector.
Affected Systems and Versions
The following cPanel and WHM versions are confirmed vulnerable:
- cPanel and WHM 11.110: All versions prior to 11.110.0.97
- cPanel and WHM 11.118: All versions prior to 11.118.0.63
- cPanel and WHM 11.126: All versions prior to 11.126.0.54
- cPanel and WHM 11.132: All versions prior to 11.132.0.29
- cPanel and WHM 11.134: All versions prior to 11.134.0.20
- cPanel and WHM 11.136: All versions prior to 11.136.0.5
- WP Squared 11.136: All versions prior to 11.136.1.7
Servers running end of life cPanel versions that are no longer in the supported release train are also very likely vulnerable but will not receive patches through the standard update mechanism.
The vulnerable interfaces are specifically the cPanel web interface on TCP port 2083 and the WHM administrative interface on TCP port 2087.
Vendor Security History
cPanel maintains a highly active security maintenance posture. Recent changelogs document rapid responses to a range of security issues, including Insecure Direct Object Reference flaws, cross site scripting vulnerabilities, and updates to bundled third party components such as Roundcube and PHP. The same day release of patches across six active branches for CVE-2026-41940 is consistent with this track record. The internal tracking identifier CPANEL-52908 for this specific issue appears in both the official cPanel changelogs and the WP Squared release notes, indicating coordinated disclosure and remediation across derived products.
References
- NVD: CVE-2026-41940
- cPanel and WHM Security Update 04/28/2026
- VulnCheck Advisory: cPanel and WHM Authentication Bypass via Login Flow
- cPanel and WHM Release Notes
- cPanel 134 Change Log
- WP Squared Changelog
- Namecheap Status: Critical Security Vulnerability in cPanel, April 28, 2026
- watchTowr Rapid Reaction: cPanel Authentication Bypass
