Here’s what you need to know about CVE-2026-41940, the flaw that attackers have used to compromise some 44K IPs so far.
Threat actors are actively exploiting a near-maximum-severity flaw in the widely used cPanel/WHM web hosting control panel, which powers some 70 million domains worldwide. cPanel disclosed the flaw on April 28 and released fixes the same day, after researchers at watchTowr Labs reported the issue to the company. The flaw has stoked considerable concern because it allows attackers to gain root-level access on compromised systems. Threat actors have already compromised some 44,000 IPs via the flaw. Here’s what you need to know.
What is CVE-2026-41940?
A critical authentication bypass vulnerability (CVSS 9.8) in cPanel & WHM affecting versions after 11.40. The flaw allows unauthenticated remote attackers to bypass login and gain administrative (root-level) access.
What is cPanel?
cPanel is a widely used web-based control panel for managing Linux-based web hosting environments. It lets users manage websites, domains, email, databases, and files from a single interface. WHM (WebHost Manager) is its administrative counterpart, providing server-level management and tools for resellers. cPanel/WHM power hosting for roughly 70 million domains worldwide.
How does CVE-2026-41940 work?
CVE-2026-41940 stems from a CRLF injection flaw in the login and session handling logic. An attacker can inject crafted input into backend logbook/session processing to corrupt or forge server-side session data. The flaw allows attackers to bypass session protections and create valid admin sessions without credentials.
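To illustrate the bug class described above (an added example, not cPanel's code and not taken from any published analysis): a constructed line-oriented session record in which unfiltered CR/LF in a login field lets client input add its own fields, next to a writer that rejects such input. The record layout, field names and function names are assumptions made for the illustration.

```python
# Added illustration of CRLF injection into a line-oriented session record.
# The layout and field names are constructed; this is not cPanel's format.

def parse_session(text):
    """Read 'key=value' lines; a repeated key overrides the earlier value."""
    record = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            record[key] = value
    return record


def write_session_unsafe(user):
    """Vulnerable pattern: the submitted login name is copied in verbatim."""
    return f"authenticated=0\nrole=none\nuser={user}\n"


def write_session_safe(user):
    """Hardened pattern: refuse any value that could end the current line.

    str.isprintable() is False for CR, LF and the other characters that
    splitlines() treats as line boundaries (for example U+0085 and U+2028),
    so the check matches what the parser would split on.
    """
    if not user or not user.isprintable():
        raise ValueError("login name contains control or separator characters")
    return f"authenticated=0\nrole=none\nuser={user}\n"


if __name__ == "__main__":
    # Constructed input: a login name carrying two extra record lines.
    crafted = "guest\r\nauthenticated=1\r\nrole=admin"
    print(parse_session(write_session_unsafe(crafted)))
    try:
        write_session_safe(crafted)
    except ValueError as exc:
        print("rejected:", exc)
```

Validation at the write site is one mitigation; serializing the record in a format that escapes delimiters closes the same gap structurally.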
What is the impact?
An attacker who exploits the flaw can gain full administrative access to the server, allowing them to read or modify data, control hosted websites and databases, change configurations, deploy malware, or potentially take over the entire system.
Which versions are affected?
cPanel and WHM versions after 11.40 up to the patched releases. This includes nearly all currently supported versions.
Why is this vulnerability so serious?
The flaw enables unauthenticated attackers to gain full administrative access without credentials, effectively giving them complete control over the server and all hosted accounts.
Does this affect shared hosting customers?
Yes. Because hosting providers use cPanel/WHM to manage shared hosting environments, a successful attack can impact all accounts hosted on a compromised server.
Is this a server-side or client-side issue?
The vulnerability is server-side and affects how cPanel/WHM processes login and session data. It does not require user interaction.
Is it being exploited in the wild?
Yes. Researchers report that exploitation began before public disclosure and may date back to early 2026, making it effectively a zero-day. Attacks targeting cPanel/WHM CVE-2026-41940 have so far compromised some 44K IPs, according to the Shadowserver Foundation.
Has it been patched?
Yes. cPanel released fixes on April 28, 2026. Update to 11.86.0.41, 11.110.0.97, or later.
What should I do right now?
- Immediately update cPanel & WHM to the latest patched version.
- If you cannot update right away, restrict access to cPanel/WHM ports (e.g., 2082/2083/2086/2087) or use WAF rules.
- Monitor logs for suspicious login activity.
- Rotate credentials and API tokens, and invalidate sessions.
Are there public exploits?
Yes. Technical analysis and proof-of-concept exploit code were published shortly after disclosure.
How can I detect compromise?
Look for unexpected admin sessions, unusual log entries, unauthorized configuration changes, or new accounts created without approval. On May 1, cPanel released an updated version of its detection script. This version “addresses scenarios where false positives were being detected,” according to the company.
Is a WAF enough?
No. While WAF rules may help reduce exposure, patching is required to fully remediate the vulnerability.