
CVE-2026-41940: Critical cPanel & WHM Authentication Bypass


Filip Dimitrov

April 29, 2026

A critical authentication bypass vulnerability, tracked as CVE-2026-41940, has been disclosed in cPanel & WHM, one of the most widely used web hosting control panel platforms. The vulnerability affects multiple supported cPanel & WHM versions and could allow an unauthenticated remote attacker to gain unauthorized access to the control panel.

The vulnerability has been assigned a CVSS 4.0 score of 9.3 Critical by VulnCheck, and NVD lists the CVSS 3.1 score as 9.8 Critical, with a network-based attack vector, low attack complexity, no required privileges, and no user interaction required.

Technical Details

CVE-2026-41940 is an authentication bypass vulnerability affecting the cPanel & WHM login flow. Vulnerable versions contain a flaw that allows unauthenticated remote attackers to gain unauthorized access to the control panel. 

The issue is categorized as CWE-306: Missing Authentication for Critical Function, meaning that a sensitive function or access path may be reachable without proper authentication enforcement.

The vendor advisory states that the issue affects “various authentication paths” in currently supported versions of cPanel software. While full technical exploit details have not been publicly documented in the vendor advisory, the impact is significant because the vulnerable component is part of the authentication layer itself.

In practical terms, successful exploitation could allow an attacker to access cPanel or WHM interfaces without valid credentials. From there, the attacker may be able to interact with hosted accounts, modify websites, access files, alter DNS or email settings, manage databases, or make configuration changes depending on the privileges obtained.

This risk is especially serious for hosting providers, managed service providers, web agencies, and organizations that expose cPanel/WHM management interfaces to the internet. 

Patched Versions

To mitigate the risk, organizations should update to one of the following patched versions:

Product          Patched Version
cPanel & WHM     11.110.0.97
cPanel & WHM     11.118.0.63
cPanel & WHM     11.126.0.54
cPanel & WHM     11.132.0.29
cPanel & WHM     11.134.0.20
cPanel & WHM     11.136.0.5
WP Squared       11.136.1.7

cPanel recommends running the following command to force an update:

/scripts/upcp --force

Administrators can confirm the installed version with:

/usr/local/cpanel/cpanel -V

If the output matches one of the patched versions listed above, the system has received the update.
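The version check above can be automated across a fleet. The following is an added example, not cPanel's own tooling or part of the advisory: it maps an installed version string to the patched release for its branch using the table above, and goes slightly beyond the text by treating any later build in the same branch as patched too. It assumes the 11.136.1.x line belongs to WP Squared and that a branch absent from the table is unsupported (the advisory warns such versions may also be affected).

```shell
#!/bin/sh
# Added example (assumption-based, not from cPanel or the advisory):
# classify an installed cPanel & WHM version against the patched releases.

# Print the patched version for the branch of $1; return 1 if the branch
# is not in the advisory table. Assumes 11.136.1.x is the WP Squared line.
patched_version_for() {
    case "$1" in
        11.110.*)   echo 11.110.0.97 ;;
        11.118.*)   echo 11.118.0.63 ;;
        11.126.*)   echo 11.126.0.54 ;;
        11.132.*)   echo 11.132.0.29 ;;
        11.134.*)   echo 11.134.0.20 ;;
        11.136.1.*) echo 11.136.1.7 ;;   # WP Squared
        11.136.*)   echo 11.136.0.5 ;;
        *)          return 1 ;;
    esac
}

# Return 0 if dotted version $1 >= $2, comparing field by field numerically.
version_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        a=${a#*.};  b=${b#*.}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# Print "patched", "vulnerable" or "unsupported" for version $1.
# Exit status: 0 patched, 1 vulnerable, 2 branch not in the table.
check_cpanel_version() {
    target=$(patched_version_for "$1") || { echo unsupported; return 2; }
    if version_ge "$1" "$target"; then echo patched; return 0; fi
    echo vulnerable; return 1
}

# Typical use on the host, feeding in the command from the advisory:
#   check_cpanel_version "$(/usr/local/cpanel/cpanel -V)"
```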

Exploitation Risk

Security teams should assume that internet-exposed cPanel/WHM instances will be quickly scanned following public disclosure. Authentication bypass vulnerabilities in administrative interfaces are commonly prioritized by attackers because they can provide direct access to sensitive systems without requiring credential theft, phishing, or prior compromise.

Recommendations

  • Administrators should first identify all cPanel and WHM instances, confirm their installed versions, and apply the forced update where needed. Any unsupported cPanel server should be considered potentially exposed and prioritized for upgrade or isolation, as cPanel warns that unsupported versions may also be affected and may not be eligible for the update.
  • Where immediate patching is not possible, restrict access to cPanel and WHM management interfaces using VPN, firewall allowlists, trusted administrative IP ranges, or temporary port blocking. This should be viewed only as a temporary risk reduction measure, not a replacement for patching.
  • After patching, organizations should review recent administrative activity for signs of unauthorized access. This includes checking account creation, password changes, privilege changes, file modifications, DNS changes, email configuration changes, database access, cron jobs, and suspicious uploads across hosted accounts.


Stay Safe. Stay Secure
OP Innovate Research Team
