If you run WHMCS and haven’t updated in the past week, stop reading and go do that first. Back? Good. Here’s what you just patched.
What the Vulnerability Is
On 12 May 2026, WHMCS published CVE-2026-29204 — an authorization bypass rooted in clientarea.php. The flaw is textbook IDOR (Insecure Direct Object Reference, classified as CWE-639): when a client area user submits a request that includes an addonId parameter, WHMCS fails to verify whether that addon actually belongs to the requesting account. Swap in a different user’s addonId, and you walk straight into their services.
The vulnerability was disclosed responsibly through HackerOne’s bug bounty program. HackerOne, acting as the CVE Numbering Authority, assigned a CVSS 3.1 score of 10.0 CRITICAL (vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N). WHMCS’s own advisory is slightly more nuanced — it states that exploitation requires a valid, authenticated client-area session — but either way, any paying customer on your platform is a potential threat actor against other paying customers. That’s about as bad as billing system vulnerabilities get.
The NVD entry also notes that a successful exploit can reach the victim’s cPanel account, not just their WHMCS service record. On a typical shared-hosting setup where WHMCS provisions cPanel accounts automatically, that escalation path is very short indeed.
Who Is Affected
Every WHMCS installation from version 7.4.0 onward is vulnerable:
- All 7.x builds from 7.4.0 through the end of the 7.x line
- All 8.x builds prior to 8.13.3
- All 9.x builds prior to 9.0.4
WHMCS is not backporting a fix to the 7.x branch because it is end-of-life. If you are still on 7.x, the only remediation is upgrading to a supported release.
The Fix (and the Workaround)
WHMCS released 8.13.3 and 9.0.4 on 13 May 2026 to address this issue. Update via the standard WHMCS updater or by downloading from download.whmcs.com.
If you cannot update immediately, WHMCS published a temporary workaround: add the following block to configuration.php before any closing ?> tag:
```php
// Temporary mitigation for CVE-2026-29204: refuse any client-area request that
// carries an addonId parameter. Remove this block after upgrading to 8.13.3 / 9.0.4.
if (isset($_REQUEST['addonId'])) {
    die('This has been disabled.');
}
```
This disables all custom module commands for product addons in the Client Area. Your customers may see a generic error for legitimate addon actions, which is a tolerable trade-off for the time it takes you to schedule maintenance. Remove this block after upgrading.
WHMCS Cloud-hosted installations were automatically patched and require no action.
Checking Whether You’ve Been Hit
WHMCS recommends reviewing your Activity Log for unexpected Single Sign-On events or service access requests where the originating user does not match the account owner. That kind of cross-account SSO entry is the clearest indicator of active exploitation.
A community workaround was reportedly circulating before the official patch landed, which means details of the flaw were public before the fix was, and the window between public knowledge and exploitation is narrower than usual. If you’re running an unpatched installation right now and your activity log shows anomalies, treat it as a confirmed incident rather than a maybe.
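As an added illustration of the review WHMCS recommends (example code, not from WHMCS or the original post), the following script parses a constructed activity log whose column layout is assumed, and flags Single Sign-On and service-access events where the acting client is not the owner of the service that was touched.

```python
import re
from dataclasses import dataclass

# Constructed sample log. The field layout (timestamp | acting client id |
# client id that owns the touched service | event text) is an assumption for
# this example, not the real WHMCS Activity Log format.
SAMPLE_LOG = """\
2026-05-14T09:12:01Z | 1042 | 1042 | Client Login Success
2026-05-14T09:12:44Z | 1042 | 1042 | Service Access addonId=77
2026-05-14T09:13:05Z | 1042 | 2210 | Service Access addonId=3188
2026-05-14T09:13:09Z | 1042 | 2210 | Single Sign-On to cPanel initiated
2026-05-14T10:01:30Z | 2210 | 2210 | Single Sign-On to cPanel initiated
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \| (?P<actor>\d+) \| (?P<owner>\d+) \| (?P<event>.+)$")
SUSPECT_EVENTS = ("Single Sign-On", "Service Access")  # event types named in the WHMCS advisory

@dataclass(frozen=True)
class Finding:
    ts: str
    actor: int   # client who performed the action
    owner: int   # client who owns the service that was touched
    event: str

def parse_line(line):
    """Return (ts, actor, owner, event) or None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return m["ts"], int(m["actor"]), int(m["owner"]), m["event"]

def find_cross_account(log_text):
    """Flag SSO and service-access events where the actor is not the owner."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, actor, owner, event = parsed
        if actor != owner and event.startswith(SUSPECT_EVENTS):
            findings.append(Finding(ts, actor, owner, event))
    return findings

def addon_ids_touched(findings):
    """Collect the addonId values that appear in flagged events."""
    return {int(m) for f in findings for m in re.findall(r"addonId=(\d+)", f.event)}

if __name__ == "__main__":
    for f in find_cross_account(SAMPLE_LOG):
        print(f"{f.ts} client {f.actor} acted on client {f.owner}'s service: {f.event}")
```

Same-owner events (a client reaching its own addon or its own cPanel) are deliberately left unflagged; only the cross-account entries the advisory describes are reported.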
What This Means for kalfaoglu.net Customers
kalfaoglu.net manages WHMCS on behalf of its hosted clients, so customer-facing WHMCS installations are already updated. You do not need to take any action on the billing portal itself.
However, if you run your own independent WHMCS installation — for example if you white-label hosting services to your own clients — you need to patch now. The attack surface is your entire client list: any one client could theoretically enumerate and access service records belonging to other clients, including cPanel credentials provisioned through the WHMCS API.
More broadly, this vulnerability is a good reminder to treat your WHMCS installation with the same urgency as your web server or mail stack. Billing software sits at the intersection of financial data, authentication credentials, and provisioning APIs. A compromise there is rarely contained.
Summary
| Item | Detail |
| --- | --- |
| CVE | CVE-2026-29204 |
| Affected versions | WHMCS 7.4.0 through 8.13.2; 9.x prior to 9.0.4 |
| Fixed in | WHMCS 8.13.3 and 9.0.4 |
| CVSS 3.1 | 10.0 CRITICAL (HackerOne CNA) |
| Published | 12 May 2026 |
| Workaround | Block addonId in configuration.php |
Update the software. Check the activity log. Remove the workaround code if you applied it. That’s the whole to-do list.