CVE-2026-41940: Authentication Bypass in cPanel & WHM
Active exploitation confirmed in the wild. CISA added this to the KEV catalog on 2026-04-30. Federal agencies must patch by 2026-05-03. Known ransomware campaigns exploit this vulnerability.
| Field | Value |
|---|---|
| CVE ID | CVE-2026-41940 |
| CVSS score | 9.8 (Critical) |
| Attack vector | Unknown (assume remote, internet-exposed risk) |
| Auth required | None (unauthenticated) |
| Patch status | Vendor advisory exists (04/28/2026). Confirm patched versions. |
TL;DR - Critical auth bypass in cPanel & WHM login flow affecting versions after 11.40. - Confirmed exploited in the wild (CISA KEV) with known ransomware usage; treat as emergency. - Validate your installed build against the cPanel Security Update 04/28/2026 and upgrade immediately.
Vulnerability at a Glance
CVE-2026-41940 is an authentication bypass affecting WebPros cPanel & WHM. This vulnerability allows unauthenticated remote attackers to gain unauthorized access to the control panel, impacting versions after 11.40. This is critical because cPanel/WHM serves as the administrative interface for shared hosting and server management, making it a high-impact initial access vector.
Technical Notes
- Class: Authentication bypass / missing authentication
- Location: Login flow
- Impact: Unauthorized control panel access without credentials
- Affected range: “Versions after 11.40”
Source: NVD CVE description for CVE-2026-41940.
What Is This Vulnerability?
An “authentication bypass in the login flow” indicates that the software’s authentication boundary can be circumvented. Attackers may exploit this vulnerability to gain access without valid credentials. Given that cPanel & WHM interfaces are often internet-facing, this vulnerability poses a significant risk, especially for hosting providers and SMBs.
Technical Notes
Assume the bypass can be exploited over the same interfaces used for legitimate sign-ins. Even if your cPanel/WHM is not publicly advertised, it can be discovered through scanning and default configurations.
Who Is Affected?
The affected products include:
- WebPros cPanel & WHM — explicitly called out by NVD and CISA KEV.
- WP2 (WordPress Squared) — named in the CISA KEV entry.
The affected version range is “cPanel and WHM versions after 11.40”. Confirm the exact fixed version/build number in the full cPanel advisory.
Technical Notes
To check the installed cPanel version, use:
cat /usr/local/cpanel/version 2>/dev/null || true
/usr/local/cpanel/cpanel -V 2>/dev/null || true
CVSS Score Breakdown
NVD reports a CVSS v3.x base score of 9.8 (Critical) for CVE-2026-41940. This score indicates a remote, unauthenticated access scenario with high impact. Treat this as a same-day remediation item, especially given the KEV status and known ransomware usage.
Technical Notes
Document uncertainty in your risk register regarding the exact CVSS vector fields.
Exploitation Status
Confirmed exploitation in the wild: CVE-2026-41940 is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating real-world exploitation.
Known ransomware campaign use: The KEV entry confirms that this vulnerability is being exploited as an initial access vector in ransomware operations.
Technical Notes
Assume functional exploit tooling exists privately given KEV and ransomware linkage.
How to Detect It
Detection can be challenging as authentication bypass attempts may resemble successful logins. Focus on unexpected successful authentication events and administrative actions from unfamiliar networks.
Technical Notes
Use generic detection patterns to identify suspicious activity:
index=proxy OR index=waf
(uri_path="*login*" OR uri_path="*/login/*")
| stats count by src_ip, uri_path
| where count > 20
Mitigation and Patching
Primary remediation is to upgrade to vendor-fixed builds. Confirm exact fixed versions in the cPanel advisory:
https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026
If immediate patching isn’t possible, restrict access to management interfaces and verify MFA if applicable.
Technical Notes
Assumption-based upgrade command:
/usr/local/cpanel/scripts/upcp
What to Do Next
- Identify exposed cPanel/WHM/WP2 instances and prioritize them for patching.
- Patch to the vendor-fixed builds as defined in the cPanel security update.
- Perform post-patch validation to look for signs of unauthorized access.
Technical Notes
Minimal compromise assessment starting points:
grep -Ei 'useradd|usermod|passwd' /var/log/auth.log
ss -tpn
find /home -maxdepth 4 -type f -mtime -7 -name "*.php"
References
- cPanel advisory: cPanel Security Update
- CISA KEV catalog: CISA KEV
- VulnCheck advisory: VulnCheck Advisory
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.