Attackers exploited a critical authentication bypass vulnerability in cPanel and WebHost Manager (WHM), hosting control-panel software used by millions of websites worldwide, for months before it was publicly disclosed. Tracked as CVE-2026-41940 and rated 9.8 out of 10 in severity, the flaw affects all currently supported versions later than 11.40 as well as some end-of-life releases, and it allows an unauthenticated attacker to gain full administrative control of a hosting server.
The vulnerability stems from flawed session validation in the login process. According to the researchers who analyzed it, the cPanel service daemon writes a pre-authentication session file to disk before the user has been authenticated. Values taken from the Authorization header or cookies end up in that file, so an attacker can use CRLF injection to smuggle additional lines, including credentials in plaintext, into the file; when the daemon reloads it, the injected content is trusted and the login check is bypassed entirely. TechCrunch reported that web hosts are scrambling to patch systems under ongoing attack, with one company confirming abuse since at least February 2026, when the flaw was still a zero-day.
cPanel disclosed the issue on April 28, 2026, and released emergency patches within hours, urging administrators to run its manual update command immediately. Cloudflare quickly deployed Web Application Firewall (WAF) rules to block exploitation attempts for CVE-2026-41940. Hosting providers such as Namecheap went further, temporarily blocking inbound access to the cPanel and WHM service ports 2083 and 2087 to shield customers until patches were available, as noted in their customer alerts.
The stakes are extraordinarily high given cPanel's ubiquity—Shodan scans reveal about 1.5 million internet-exposed instances. Successful attacks grant root-level access to servers, enabling hackers to control websites, databases, emails, and configurations. They could install backdoors, deploy web shells, steal sensitive files or credentials, send spam, redirect traffic to phishing sites, or pivot into customer networks, according to analyses from Rapid7 and Hadrian.
A compromised cPanel account exposes that account's sites and data, whereas a compromised WHM account endangers the entire server and every site hosted on it. cPanel provides a detection script that scans for signs of compromise, such as sessions with invalid tokens, pre-authenticated attributes, or password fields containing newlines. WatchTowr Labs tested the flaw on 11.110.0.96 (unpatched) and 11.110.0.97 (patched), confirming that exploitation is reliable against the unpatched build.
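To make the mechanism concrete, the following is an added, self-contained Python model of the bug class described above and of the indicator categories the detection script looks for. It was written for this page; it is not cPanel's code, not the referenced detection script, and not WatchTowr's exploit. A request-supplied value containing CR/LF is written unescaped into a line-oriented pre-authentication session file, and when that file is reloaded the smuggled line is trusted as a field. The file layout, the field names (user, pass, token, authenticated), the 32-hex-character token format, the sample token and the finding codes are all assumptions for illustration only. The scanner mirrors the three indicator categories listed above (pre-authenticated attributes, password fields containing newlines, invalid tokens) and goes slightly beyond the text by checking every field, not only the password, for an embedded newline.

```python
# Added illustration of the bug class described in the article: an attacker-
# controlled header value written unescaped into a line-oriented session file
# and trusted when the file is reloaded. The file format, field names
# (user/pass/token/authenticated), token shape, sample token and finding
# codes are HYPOTHETICAL; this is not cPanel's code, file format or exploit.
import re

EXPECTED_KEYS = ("user", "pass", "token")   # what the pre-auth writer emits
PREAUTH_KEY = "authenticated"               # meant to be set only after a real login
CONTROL_CHARS = re.compile(r"[\r\n\x00]")
TOKEN_RE = re.compile(r"[0-9a-f]{32}")      # hypothetical session-token format

# Constructed sample token used by the demo and tests (not a real value).
SAMPLE_TOKEN = "0123456789abcdef0123456789abcdef"


def write_preauth_session(username: str, password: str, token: str) -> str:
    """Vulnerable writer: interpolates request-supplied values straight into
    key=value lines, so a CR/LF inside a value starts a new line (field)."""
    return f"user={username}\npass={password}\ntoken={token}\n"


def write_preauth_session_hardened(username: str, password: str, token: str) -> str:
    """Fixed writer: refuse any value carrying a control character before it is
    serialised, rather than trying to strip or escape it afterwards."""
    for name, value in (("username", username), ("password", password), ("token", token)):
        if CONTROL_CHARS.search(value):
            raise ValueError(f"control character in {name}")
    return write_preauth_session(username, password, token)


def load_session(text: str) -> dict:
    """Naive reader that trusts every key=value line it finds on disk."""
    session = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            session[key] = value
    return session


def is_authenticated(session: dict) -> bool:
    """Login check that believes the on-disk flag. That trust is the flaw: the
    flag should only be written by the code path that verified the password."""
    return session.get(PREAUTH_KEY) == "1"


def scan_session(text: str) -> list:
    """Detection pass over a raw session file, modelled on the article's
    indicator categories: pre-authenticated attributes, fields containing a
    newline, and invalid tokens. Fields are rebuilt using the writer's known
    key order, so an injected line appears as a newline inside the value of
    the field that preceded it."""
    findings = []
    fields = {}
    current = None
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key == PREAUTH_KEY:
            findings.append("preauth_attribute")
        if sep and key in EXPECTED_KEYS and key not in fields:
            fields[key] = value                 # start of a legitimate field
            current = key
        elif current is not None:
            fields[current] += "\n" + line      # continuation = injected content
    for key, value in fields.items():
        if "\n" in value:
            findings.append(f"newline_in_{key}")
    if not TOKEN_RE.fullmatch(fields.get("token", "")):
        findings.append("invalid_token")
    return findings


if __name__ == "__main__":
    # Constructed attacker input: a CRLF-terminated credential that smuggles a
    # pre-authenticated attribute into the session file.
    evil_password = "hunter2\r\nauthenticated=1"
    record = write_preauth_session("victim", evil_password, SAMPLE_TOKEN)
    print(record)
    print("bypass:", is_authenticated(load_session(record)))   # True
    print("findings:", scan_session(record))
    try:
        write_preauth_session_hardened("victim", evil_password, SAMPLE_TOKEN)
    except ValueError as exc:
        print("hardened writer rejected input:", exc)
```

The point of the hardened writer is that the rejection happens at the boundary where the value is still a single header or cookie value; once it has been written as text, the reader can no longer tell an injected line from a legitimate one, which is exactly why the scanner has to rely on heuristics such as unexpected attributes, embedded newlines and malformed tokens.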
Web hosts and administrators must prioritize patching, as exploitation continues in the wild. cPanel also updated related products like WP Squared to version 136.1.7. Ongoing monitoring for indicators of compromise remains essential, with experts warning that unpatched systems face persistent risk from automated scans and targeted attacks.