Summary
A significant authentication bypass in cPanel & WHM and WP Squared, CVE–2026-41940, allows unauthenticated attackers to obtain admin access by exploiting session management vulnerabilities. CRLF injection and incorrect session reloading are examples of inappropriate session processing that can convert crafted requests into authenticated sessions. Since at least late February 2026, the vulnerability has been actively exploited; considerable attack activity was recorded upon disclosure. Due to its pre-auth nature and broad use of cPanel, it is considered highly severe.
Urgent Actions Required
- Update cPanel & WHM and WP Squared to patched versions immediately.
- Run the cPanel detection script to check for compromise indicators.
- Remove suspicious session files from cPanel session storage.
- Rotate passwords, API tokens, SSH keys, and related credentials if needed.
- Review logs for unusual authentication and access activity.
- Restrict or block cPanel/WHM management ports until patched.
- Look for anything like cron tasks, new users, or DNS/config changes that are persistent.
Which Systems Are Vulnerable to CVE-2026-41940?
Technical Overview
- Vulnerability Type:
Authentication Bypass via Session Handling and CRLF Injection in Session Processing - Affected Software/Versions:
- cPanel & WHM (all versions after 11.40 prior to fixed builds)
- WP Squared (vulnerable prior to 136.1.7)
- Affected branches include: 11.86.0, 11.110.0, 11.118.0, 11.126.0, 11.130.0, 11.132.0, 11.134.0, 11.136.0 (prior to patched releases)
- Attack Vector: Network (HTTP/HTTPS via exposed cPanel/WHM interfaces such as login endpoints and management ports)
- CVSS Vector: v3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
- Patch Availability:
Yes, available
CVE-2026-41940: Response, Actions and Next Steps | cPanel
Security: CVE-2026-41940 - cPanel & WHM / WP2 Security Update 04/28/2026 – cPanel
How Does the CVE-2026-41940 Exploit Work?
The attack typically follows these steps:
What Causes CVE-2026-41940?
Vulnerability Root Cause:
The problem arises from cPanel & WHM’s unsafe session management, which permits attacker-controlled information to be inserted into session files using CRLF injection and incorrect validation. The injected data may be seen as legitimate authentication when these sessions are refreshed, allowing illegal administrator access.
How Can You Mitigate CVE-2026-41940?
If immediate patching is delayed or not possible:
- When possible, block or limit access to cPanel/WHM management ports (2083, 2087, 2095, and 2096).
- Run the cPanel detection script to identify potential compromise indicators in session data.
- Review and remove suspicious session files from cPanel session storage directories.
- Monitor unusual login and session activity.
- Remove suspicious cron jobs, users, or config changes.
- Rotate exposed passwords, tokens, and SSH keys.
Which Assets and Systems Are at Risk?
- Asset Types Affected:
- cPanel & WHM server installations
- WP Squared deployments
- Web hosting control panel environments exposed via internet-accessible management ports
- Business-Critical Systems at Risk:
- Hosted websites managed through cPanel
- Email systems hosted on cPanel servers
- DNS configurations controlled via WHM
- Databases and stored application data on shared hosting servers
- Administrative and reseller hosting accounts
- Exposure Level:
- Internet-facing cPanel/WHM login interfaces (commonly ports 2083 and 2087)
- Publicly reachable shared hosting infrastructure
- Servers with exposed management services allowing remote HTTP access
- Multi-tenant hosting environments where a single server hosts multiple customer accounts
Will Patching CVE-2026-41940 Cause Downtime?
Patch application impact: Low downtime but requires urgent upgrade and service restart for cPanel & WHM and WP Squared systems.
Mitigation (if immediate patching is not possible): Temporary blocking of ports 2083, 2087, 2095, 2096 may reduce exposure, but only patching and restart fully resolves the issue.
How Can You Detect CVE-2026-41940 Exploitation?
Indicators of Compromise (IOCs/IOAs):
- Unusual CRLF patterns or injected newline characters in cPanel session files
- Session attributes showing elevated values (e.g., root-level flags or pre-auth sessions becoming authenticated)
- Sessions originating from failed login attempts later appearing as fully authenticated admin sessions
- Unexpected 307 redirects to /cpsess* endpoints without valid login flow
- Access to WHM/cPanel functions without prior successful authentication
Alerting Strategy:
- Priority: Critical
- Trigger on abnormal session creation followed by privilege escalation indicators in session data
- Flag authentication bypass patterns where failed login requests precede admin-level session access
- Alert on unexpected administrative API access via /cpsess tokens or WHM endpoints
Remediation & Response
- Remediation Timeline:
- Immediate: Upgrade cPanel & WHM and WP Squared to vendor-fixed versions across all affected servers
- Within hours: Restart cpsrvd service after patch deployment to activate fixes
- Within 24 hours: Verify all systems are on patched builds and review detection results for compromise
- Rollback Plan:
- Reverting is not recommended; remediation requires staying on patched versions
- If issues occur, coordinate with hosting provider for controlled service restart and validated stable build
- Incident Response Considerations:
- During the investigation, isolate the impacted cPanel/WHM servers to prevent additional unauthorized access.
- Preserve and analyze session data from /var/cpanel/sessions/raw/ and /var/cpanel/sessions/cache/
- Review logs for unusual authentication attempts and abnormal session creation patterns
- After patching, perform credential rotation (root, WHM, API tokens, SSH keys, email accounts) and remove suspicious sessions and persistence artifacts
Compliance & Governance Notes
- Audit Trail Requirement:
- Log results of cPanel’s official detection script for compromise review
- Record patch deployment status for affected cPanel & WHM and WP Squared systems
- Maintain records of system version before and after applying fixed builds
- Policy Alignment:
- Enforce upgrading to vendor-fixed cPanel & WHM and WP Squared versions
- Require use of official detection guidance for compromised session validation
- Ensure systems are updated promptly to fixed releases to reduce exposure window
See How Fidelis Deception® Detects Attackers Early
-
-
- Learn how decoys and lures expose attacker activity
- Gain insights with high-fidelity deception alerts
-
CVSS Breakdown Table
| Metric | Value | Description |
|---|---|---|
| Base Score | 9.8 | Critical severity authentication bypass in cPanel & WHM |
| Attack Vector | Network | Exploitable remotely via HTTP/HTTPS on exposed management services |
| Attack Complexity | Low | Exploitation achievable using crafted HTTP requests and headers |
| Privileges Required | None | No authentication required to exploit the flaw |
| User Interaction | None | No user action required |
| Scope | Unchanged | Impact remains within the cPanel/WHM system boundary |
| Confidentiality Impact | High | Full access to hosted data, credentials, and session information |
| Integrity Impact | High | Ability to modify system configurations, accounts, and hosted content |
| Availability Impact | High | Full control of server can disrupt hosted services and environments |
References:
