On April 28, 2026, cPanel released an emergency patch for CVE-2026-41940 — a CVSS 9.8 authentication bypass that, as it turned out, attackers had been quietly exploiting since approximately February 23. That is roughly two months of zero-day exposure across an estimated 1.5 million internet-facing cPanel & WHM instances. CISA promptly added it to its Known Exploited Vulnerabilities catalog, which is the agency’s way of saying: stop reading and go patch.

What the Bug Actually Does

The vulnerability lives in the login and session-loading code of cPanel & WHM. The root cause is a failure to sanitize CRLF sequences (\r\n) in a maliciously crafted HTTP Basic Authorization header.

Here is the short version of how it works: cPanel writes session data to disk when a user authenticates. An attacker who sends a crafted Authorization header containing raw carriage-return/line-feed characters can inject arbitrary key-value pairs into that session file before it is written. By injecting user=root, the attacker ends up with a session that cPanel believes belongs to the root administrative account — without having supplied any credentials at all.

The whostmgrsession cookie is the other piece of the puzzle. The attack omits a segment of the expected cookie value in a way that causes the encryption step to be skipped entirely, leaving the session data exposed to manipulation. The net result is unauthenticated remote root-equivalent access to WHM.
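The mechanism above boils down to a classic CRLF injection into a line-oriented key=value store. The following Python is an added, self-contained illustration written for this post; it is not cPanel's code and makes no claims about cPanel's internals. It does three things: decodes Basic Authorization header values from constructed sample captures and flags any that carry control characters or extra key=value lines (the check a log reviewer wants), shows a toy session writer with no validation so the "second user= line wins" effect is visible, and shows the hardened form that refuses control characters before anything is written. Header values, field names and the 203.0.113.5 address are all constructed.

```python
import base64
import re

# Constructed sample Authorization header values for this post (not real
# captures); the second and third carry CR/LF bytes inside the credentials.
SAMPLE_HEADERS = [
    "Basic " + base64.b64encode(b"alice:correct horse").decode(),
    "Basic " + base64.b64encode(b"alice\r\nuser=root:hunter2").decode(),
    "Basic " + base64.b64encode(b"bob:pw\nuser=root\n").decode(),
    "Basic ****not-base64****",
    "Bearer not.a.basic.header",
]

# Any ASCII control character (CR, LF, NUL, ...) has no business in a credential.
CONTROL_CHARS = re.compile(rb"[\x00-\x1f\x7f]")
KEY_VALUE_LINE = re.compile(rb"^[A-Za-z0-9_]+=")


def decode_basic(header_value):
    """Return the decoded credential bytes of an HTTP Basic header, or None
    when the header uses another scheme or is not valid base64."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        return base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def find_injected_fields(creds):
    """Lines after the first that look like key=value: exactly what a
    line-oriented session writer would persist as extra fields."""
    lines = re.split(rb"\r\n|\r|\n", creds)
    return [ln for ln in lines[1:] if KEY_VALUE_LINE.match(ln)]


def inspect_header(header_value):
    """Classify one Authorization header value for log review."""
    creds = decode_basic(header_value)
    if creds is None:
        return {"scheme": "other", "suspicious": False, "injected": []}
    return {
        "scheme": "basic",
        "suspicious": CONTROL_CHARS.search(creds) is not None,
        "injected": find_injected_fields(creds),
    }


def session_fields_from_header(header_value, remote_addr):
    """Toy session record built from the username part of the header."""
    creds = decode_basic(header_value) or b""
    username = creds.split(b":", 1)[0].decode("latin-1")
    return {"user": username, "remote_addr": remote_addr}


def naive_serialize(fields):
    """Toy model of the bug class: key=value lines with no validation, so a
    CR/LF inside a value becomes a new line and therefore a new field."""
    return "".join(f"{k}={v}\n" for k, v in fields.items())


def hardened_serialize(fields):
    """Refuse any key or value containing a control character, and any '='
    in a key, so untrusted input can never create an extra line or field."""
    for k, v in fields.items():
        if (CONTROL_CHARS.search(k.encode("latin-1"))
                or CONTROL_CHARS.search(v.encode("latin-1"))
                or "=" in k):
            raise ValueError(f"refusing to serialize field {k!r}")
    return "".join(f"{k}={v}\n" for k, v in fields.items())


def parse_session(text):
    """Line-oriented reader; a repeated key is overwritten by the later line."""
    session = {}
    for line in text.splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            session[k] = v
    return session
```

Running `inspect_header` over the Authorization values in a proxy or access-log capture gives a cheap triage signal: a Basic header whose decoded bytes contain CR or LF is never legitimate browser behaviour. The hardened serializer rejects at write time rather than trying to escape, which is the right default for a record that later decides who the caller is.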

Rapid7 and watchTowr both published detailed breakdowns worth reading if you manage your own servers.

Who Is Affected

Every cPanel & WHM installation running a version after v11.40 is affected. That covers essentially every production cPanel server in existence. The patched builds are:

Branch     Patched version
110.0.x    11.110.0.97
118.0.x    11.118.0.63
126.0.x    11.126.0.54
132.0.x    11.132.0.29
134.0.x    11.134.0.20
136.0.x    11.136.0.5

WP Squared (a managed WordPress platform built on cPanel) is separately affected at version v136.1.7.

cPanel’s automatic update mechanism should have deployed the patch to eligible servers by April 29. That said, “should have” is doing a lot of work in a sentence about a zero-day. If you manage a server and haven’t verified the running version, do it now.

The Two-Month Gap

The detail that deserves emphasis is the timeline. Active exploitation began around February 23, and cPanel’s public advisory didn’t drop until April 28. That is sixty-four days during which anyone running cPanel was exposed to a trivially exploitable authentication bypass without knowing it.

How attackers used that window is still being investigated. The most obvious risk is full server takeover: with root-equivalent WHM access, an attacker can exfiltrate databases, plant backdoors, reconfigure mail routing, or simply hand access to someone else. Picus Security’s writeup notes that the impact extends to all sites, email accounts, and DNS zones managed by the compromised WHM instance.

If your server was reachable from the internet during that period and automatic updates were not enabled, assume breach until you can prove otherwise. Review WHM access logs, look for unexpected cron jobs or SSH keys, and consider a full audit before declaring it clean.

What This Means for kalfaoglu.net Customers

All servers managed by kalfaoglu.net run with automatic cPanel updates enabled. The emergency patch (released April 28, applied April 29) was deployed automatically across our infrastructure within the update window.

We are conducting log reviews across our managed server fleet to look for any indicators of exploitation prior to the patch date. If we identify anything of concern, we will contact affected customers directly.

If you manage your own VPS or dedicated server independently: check your WHM version under Home → cPanel → Update Preferences, verify your running build matches one of the patched versions in the table above, and enable automatic security updates if you haven’t already. An unpatched cPanel server exposed to the internet at this point is an unnecessary risk.
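For anyone checking a fleet rather than one server, here is an added Python script (written for this post, not a cPanel tool) that compares a running build string against the patched versions in the table above. It assumes the running build is recorded as a dotted four-part string in /usr/local/cpanel/version; if your install keeps it elsewhere, point `VERSION_FILE` at the right path. A branch that is not in the table is reported separately rather than guessed at, since the advisory lists no safe build for it.

```python
import re
import sys
from pathlib import Path

# Patched builds exactly as listed in the table in this post, keyed by branch.
PATCHED_BUILDS = {
    110: (11, 110, 0, 97),
    118: (11, 118, 0, 63),
    126: (11, 126, 0, 54),
    132: (11, 132, 0, 29),
    134: (11, 134, 0, 20),
    136: (11, 136, 0, 5),
}

# Assumption: the running build string lives in this file on a cPanel host.
VERSION_FILE = Path("/usr/local/cpanel/version")

VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text):
    """Turn '11.110.0.97' into a comparable tuple (11, 110, 0, 97)."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised cPanel version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def assess(version_text):
    """Return 'patched', 'vulnerable' or 'no-patched-build-listed'."""
    v = parse_version(version_text)
    patched = PATCHED_BUILDS.get(v[1])  # second component is the branch
    if patched is None:
        return "no-patched-build-listed"
    return "patched" if v >= patched else "vulnerable"


def assess_host(path=VERSION_FILE):
    """Read the version file on this host and assess it."""
    return assess(Path(path).read_text())


if __name__ == "__main__":
    try:
        verdict = assess_host()
    except (OSError, ValueError) as exc:
        print(f"could not determine cPanel version: {exc}")
        sys.exit(2)
    print(f"cPanel & WHM {VERSION_FILE.read_text().strip()}: {verdict}")
    # Non-zero exit makes the script usable from a fleet-wide SSH loop or cron job.
    sys.exit(0 if verdict == "patched" else 1)
```

The exit code is the useful part: run it over every host and anything returning 1 or 2 goes on the list for manual follow-up, alongside the log review described earlier in this post.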

The Bigger Picture

CVE-2026-41940 is a reminder that control panels have a large attack surface and a privileged position on the server. A bug in a web framework or CMS typically means one website is at risk. A bug in WHM means every website, every email account, and every database on that machine is at risk simultaneously.

This is not an argument against using cPanel — it is an argument for keeping it patched and for not leaving the WHM port (2087) open to the entire internet. Restricting WHM access to known IP addresses, or at minimum putting it behind a VPN or firewall rule, significantly shortens your exposure window when the next zero-day surfaces. And there will be a next one.