-
Attackers exploited the critical cPanel authentication bypass as a zero-day since late February, before the vendor released a fix on April 28.
-
The CRLF injection flaw allows login without any password – this gives attackers full control over cPanel host systems, databases, and all hosted websites.
-
Approximately 1.5 million cPanel instances remain exposed online, and administrators unable to patch immediately should block external access to certain ports.
Since late February, a serious security vulnerability in cPanel and WHM has enabled attackers to bypass authentication. The vulnerability, tracked as CVE-2026-41940, affects millions of web hosting control panels exposed online.
The bug involves a CRLF injection issue in the login and session loading processes; attackers can exploit it without needing any valid password. Security researchers confirmed active exploitation in the wild before cPanel released an official fix.
The hosting provider KnownHost reported seeing execution attempts as early as February 23, 2026. The company’s CEO stated that successful exploits occurred before any patch became available.
Attackers can gain full control over hosted websites
Security firm Rapid7 warns that successful exploitation grants attackers complete control over the cPanel host system. This includes access to configurations, databases, and every website managed through the panel.
According to watchTowr researchers, the flaw stems from improper session handling. User-controlled input from the Authorization header writes directly into server-side session files before authentication completes. The system does not perform proper sanitization on this input.
WatchTower published a detailed technical analysis showing how attackers can trigger the bug. The researchers explained that an attacker can log into the system without validating any password. This analysis essentially provides a working exploit blueprint.
The lapse also affects WP Squared, a management panel for WordPress hosting built on cPanel. Unlike initial statements, only versions of cPanel released after version 11.40 suffer from this security issue.
Approximately 1.5 million cPanel instances are exposed online
Shodan internet scans reveal roughly 1.5 million cPanel instances remain exposed online. Security experts cannot determine exactly how many of these face vulnerability to CVE-2026-41940.
After some serious pressure from hosts, cPanel updated its software on April 28. As part of this process, Namecheap has blocked access to cPanel and WHM from ports 2083 and 2087 for all of their customers, as they want to ensure to protect those customers while cPanel releases patches.
cPanel then went on to suggest that customers should restart the ‘cpsrvd’ service after applying the new software release.
The affected and fixed versions include:
- cPanel/WHM versions prior to and up-to the updated 11.110.0 → patched in 11.110.0.97
- cPanel/WHM versions prior to and up-to the updated 11.118.0 → patched in 11.118.0.63
- cPanel/WHM versions prior to and up-to the updated 11.126.0 → patched in 11.126.0.54
- cPanel/WHM versions prior to and up-to the updated 11.132.0 → patched in 11.132.0.29
- cPanel/WHM versions prior to and up-to the updated 11.134.0 → patched in 11.134.0.20
- cPanel/WHM versions prior to and up-to the updated 11.136.0 → patched in 11.136.0.5
- WordPress Squared versions prior to and up to the updated 11.136.1 → patched in 11.136.1.7
Administrators should block external access until patching
In the event of any failures to patch the system immediately, administrators should block access externally to ports 2083, 2087, 2095, and 2096 until further notice. Another possible action is to stop both the cpsrvd and cpdavd internal core services (if applicable) until such time that an admin performs the patching.
Rapid7 has issued an urgent call to organizations regarding this security vulnerability due to the ability for external users to easily exploit the vulnerability as a way of gaining unauthorized access to hosted environments. Once inside, attackers will be able to access customer records, deface websites, and create a back door for re-entry.
cPanel has developed a detection script that will allow administrators to evaluate the current state of their server(s) for any signs of compromise. If there are any indicators of breach after analysis, some recommended responses may include terminating all active sessions, resetting all user credentials, thoroughly reviewing all log files, and investigating any persistence methods.
The importance of timely patching extends to mobile devices as well. Apple recently fixed a bug that exposed Signal messages via notification logs, reminding users and administrators alike that keeping software updated across all platforms (both servers and smartphones) is essential for maintaining security and privacy.
Also, the Cybersecurity and Infrastructure Security Agency (CISA) encourages all organizations to take immediate actions – they should reference the cPanel security advisory and implement the corresponding patches or workarounds.
