- New critical severity vulnerability allows authentication bypass
- The vulnerability affects cPanel and WebHost Manager
- Attackers can gain full root administrator rights over affected servers
Researchers at watchTowr Labs have dissected a critical authentication bypass in cPanel and Web Host Manager (WHM) that allows remote attackers to gain full admin access over servers that much of the Internet depends on.
The vulnerability, tracked as CVE-2026-41940 and carrying a severity score of nearly 9.8 (out of 10), has been exploited in the wild, as confirmed by KnownHost.
A patch for the vulnerability has been released, and administrators are encouraged to apply it immediately.
For those unaware, cPanel is the control-panel layer for a website: rather than editing code or server configuration directly, a site owner uses cPanel's web interface to manage the site's files, databases, email accounts and settings. WHM (Web Host Manager) is the server-level counterpart used by the hosting provider to create and administer the individual cPanel accounts on that server.
The core of the vulnerability is that an attacker can forge an authenticated session without needing a password. A forged session for the root user gives the attacker root-level access to WHM and, through it, to every website, database and user account hosted on that server.
From here there are many options for an attacker. They could steal all your website and user data, upload malware – or they could simply delete everything on the server.
As explained by watchTowr Labs (in their characteristically quirky format), the exploit relies on CRLF (Carriage Return Line Feed) injection: the attacker supplies input containing carriage-return and line-feed characters, which cPanel writes into a log file without escaping them, so the remainder of the input lands as a new line of its own. That injected line bypasses the session file encryption and establishes the attacker as the root administrator, giving access to the WHM admin panel and thus to the server. (If you want an even more technical breakdown, check out the watchTowr Labs report.)
The patch for the vulnerability also added a new 'sanitization' step that scrubs the data sent to the server, stripping the line-ending characters so that a single value can no longer be turned into an extra line.
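To make the mechanism concrete, here is an added illustrative example (not cPanel's or watchTowr's code, and not the real session format) of a line-oriented session store: the vulnerable writer emits each field as a `key=value` line without checking the value for CR/LF, so a username containing `\r\nuser=root` produces a second, forged record that the "last record wins" parser accepts; the fixed writer scrubs the line-ending characters first, mirroring the sanitization the patch adds. The username, file layout and field names are all constructed for this example.

```python
import os
import tempfile

# Constructed attacker input: a username that embeds a CRLF followed by a
# second "user=" record. A naive line-oriented writer turns it into two lines.
ATTACKER_USERNAME = "bob\r\nuser=root"


def write_session_vulnerable(path: str, session_id: str, user: str) -> None:
    """Writes key=value records without checking values for CR/LF.

    A CRLF inside `user` terminates the record early, and whatever follows
    is written as a new record of the attacker's choosing.
    """
    with open(path, "w", newline="") as f:  # newline="" keeps \r\n as written
        f.write(f"session={session_id}\n")
        f.write(f"user={user}\n")
        f.write("login_ts=1700000000\n")


def scrub(value: str) -> str:
    """Strip CR and LF so a value can never span more than one record.

    A stricter policy would reject such values outright; stripping is shown
    here because the article describes the patch as scrubbing the input.
    """
    return value.replace("\r", "").replace("\n", "")


def write_session_fixed(path: str, session_id: str, user: str) -> None:
    """Same layout as the vulnerable writer, but every value is scrubbed."""
    with open(path, "w", newline="") as f:
        f.write(f"session={scrub(session_id)}\n")
        f.write(f"user={scrub(user)}\n")
        f.write("login_ts=1700000000\n")


def read_session(path: str) -> dict:
    """Parse key=value records; a later record overrides an earlier one.

    That override rule is exactly what lets the injected `user=root` line win.
    """
    session = {}
    with open(path, newline="") as f:
        for line in f.read().splitlines():  # splitlines() handles \r\n, \r, \n
            if "=" in line:
                key, value = line.split("=", 1)
                session[key.strip()] = value
    return session


def is_root(session: dict) -> bool:
    """The (toy) privilege decision: the session belongs to root or it does not."""
    return session.get("user") == "root"


def run(writer, user: str = ATTACKER_USERNAME) -> dict:
    """Write a session with the given writer to a temp file and parse it back."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        writer(path, "sess-1234", user)
        return read_session(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    vuln = run(write_session_vulnerable)
    print("vulnerable:", vuln, "-> root?", is_root(vuln))
    fixed = run(write_session_fixed)
    print("fixed:     ", fixed, "-> root?", is_root(fixed))
```

With the vulnerable writer the parsed session contains `user=root`; with the fixed writer the same input collapses into the single, harmless value `bobuser=root`. The general lesson is that any format which delimits records by line endings must treat CR and LF in untrusted values as hostile, whether the sink is a log, a session file or an HTTP header.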
For administrators, cPanel recommends updating to at least the following versions:
- cPanel & WHM 110.0.x – patched in 11.110.0.97 (was 11.110.0.96)
- cPanel & WHM 118.0.x – patched in 11.118.0.63 (was 11.118.0.61)
- cPanel & WHM 126.0.x – patched in 11.126.0.54 (was 11.126.0.53)
- cPanel & WHM 132.0.x – patched in 11.132.0.29 (was 11.132.0.27)
- cPanel & WHM 134.0.x – patched in 11.134.0.20 (was 11.134.0.19)
- cPanel & WHM 136.0.x – patched in 11.136.0.5 (was 11.136.0.4)
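To check whether a server is on a fixed build, here is an added example (not cPanel's tooling) that compares an installed version string against the first fixed build of its branch from the list above. It assumes the installed version is available as a dotted string such as `11.118.0.61`, as found in `/usr/local/cpanel/version` on a cPanel server (that path is an assumption of this example); a branch not in the list returns `None` rather than guessing.

```python
from pathlib import Path
from typing import Optional, Tuple

# First fixed build per release branch, taken from the list above.
# The branch is the second component of the version (11.118.0.x -> "118").
FIXED_BUILDS = {
    "110": "11.110.0.97",
    "118": "11.118.0.63",
    "126": "11.126.0.54",
    "132": "11.132.0.29",
    "134": "11.134.0.20",
    "136": "11.136.0.5",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '11.118.0.61' into (11, 118, 0, 61) so tuples compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def branch_of(version: Tuple[int, ...]) -> str:
    """Release branch key used in FIXED_BUILDS."""
    return str(version[1])


def is_patched(version: str) -> Optional[bool]:
    """True if the version is at or above its branch's fixed build,
    False if below it, None if the branch is not in the advisory list."""
    installed = parse_version(version)
    fixed = FIXED_BUILDS.get(branch_of(installed))
    if fixed is None:
        return None
    return installed >= parse_version(fixed)


def installed_version(path: str = "/usr/local/cpanel/version") -> str:
    """Read the installed version string (assumed location of the version file)."""
    return Path(path).read_text().strip()


if __name__ == "__main__":
    try:
        current = installed_version()
    except OSError:
        current = "11.118.0.61"  # constructed sample when not run on a cPanel host
    status = is_patched(current)
    verdict = {True: "patched", False: "VULNERABLE, update now", None: "branch not in list"}
    print(f"{current}: {verdict[status]}")
```

Because a `>=` comparison is used, a later build in the same branch (for example a `11.126.0.60`) is correctly reported as fixed, while an exact pre-patch build such as `11.132.0.27` is flagged.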
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.



