CVE-2026-41940: The Critical cPanel Flaw That Put 1.5 Million Servers at Risk
Published by Pentesty · Vulnerability Analysis
If you run a web hosting environment, manage cPanel & WHM servers, or oversee infrastructure for clients, you need to stop what you're doing and read this.
On April 28, 2026, a critical authentication bypass vulnerability was publicly disclosed in cPanel & WHM. It is tracked as CVE-2026-41940 and carries a CVSS score of 9.8 out of 10: an unauthenticated attacker on the network can reach the administrative panel with no credentials and no social engineering.
Roughly 1.5 million internet-facing cPanel instances may be vulnerable right now. And it gets worse: there is credible evidence suggesting that zero-day exploitation was already happening as early as February 23, 2026. That is over two months before the patch was released.
By the time the CVE went public, attackers may have already been inside.
What Is CVE-2026-41940?
The vulnerability is a CRLF injection flaw in cPanel's session loading process.
CRLF stands for Carriage Return Line Feed, the \r\n pair that separates lines in HTTP headers and in many line-oriented file formats. When a value containing these characters is written into such a file without being stripped or encoded, the attacker decides where one record ends and the next begins, and whatever follows the injected line break is parsed as a legitimate field.
In this specific case, the attack works like this:
- The attacker sends a specially crafted request to the cPanel login process
- The CRLF injection causes the session file to be written with attacker-controlled properties
- The injected line sets `user=root` inside the session file
- cPanel reads the session and grants administrative access with no password required
The result is full root-level control over the cPanel server, all hosted websites, databases, email accounts, and configuration files. That is the kind of failure OWASP catalogs under Broken Access Control and Identification and Authentication Failures; see our developer's guide to the OWASP Top 10 for how those classes show up in everyday code.
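To make the mechanism concrete, here is an added example (not cPanel's code, and not taken from the advisory): a toy key=value session store that reproduces the CRLF weakness described above, beside a hardened writer and a stricter loader. The file format, the `user`/`ip` field names and the function names are assumptions made for illustration; the attacker string is constructed.

```python
"""
Added example, not cPanel's code: a toy key=value session store that
reproduces the CRLF weakness described above, beside a hardened writer
and a stricter loader. The file format, field names and function names
are assumptions made for illustration.
"""
import os
import re
import tempfile

# Any of these inside a value lets it end the current record or add a key.
_UNSAFE = re.compile(r"[\r\n=]")


def _write_lines(path, props):
    """Writes one 'key=value' line per property, terminated by CRLF."""
    with open(path, "w", encoding="utf-8", newline="") as fh:
        for key, value in props.items():
            fh.write(f"{key}={value}\r\n")


def write_session_vulnerable(path, props):
    """Trusts the values as given. A value containing '\\r\\n' smuggles
    extra lines, and therefore extra properties, into the file."""
    _write_lines(path, props)


def write_session_hardened(path, props):
    """Same format, but refuses any key or value that could break the line
    structure (CR, LF or '=') instead of writing it to disk."""
    for key, value in props.items():
        if _UNSAFE.search(str(key)) or _UNSAFE.search(str(value)):
            raise ValueError(f"refusing to store unsafe session property {key!r}")
    _write_lines(path, props)


def load_session(path, strict=False):
    """Parses the file back into a dict. By default a later line for the
    same key silently overrides an earlier one, which is what turns an
    injected 'user=root' into privilege; strict=True rejects duplicates."""
    session = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh.read().splitlines():
            if "=" not in line:
                continue
            key, _, value = line.partition("=")
            key = key.strip()
            if strict and key in session:
                raise ValueError(f"duplicate session key {key!r}")
            session[key] = value.strip()
    return session


def demo(writer, username, strict=False):
    """Stores a session whose 'user' came from untrusted input and returns
    what the loader sees, or the error message if a check refused it."""
    fd, path = tempfile.mkstemp(suffix=".sess")
    os.close(fd)
    try:
        writer(path, {"user": username, "ip": "203.0.113.7"})  # constructed data
        return load_session(path, strict=strict)
    except ValueError as exc:
        return str(exc)
    finally:
        os.unlink(path)


# Constructed attacker input: a plausible username followed by an injected line.
TAINTED_USER = "alice\r\nuser=root"
```

With the vulnerable writer, `demo(write_session_vulnerable, TAINTED_USER)` loads back `user=root` because the second `user=` line wins. The hardened writer rejects the value outright rather than stripping it, so a tampered login name never reaches disk, and `strict=True` on the loader catches the duplicate key even if a bad write slips through, which is the defense-in-depth check worth having on the read side as well.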
Who Is Affected?
Every release after cPanel & WHM 11.40 is affected unless it is at or above the fixed build for its branch:
| Version Branch | Fixed In |
|---|---|
| 11.86.0 | 11.86.0.41 |
| 11.110.0 | 11.110.0.97 |
| 11.118.0 | 11.118.0.63 |
| 11.126.0 | 11.126.0.54 |
| 11.130.0 | 11.130.0.19 |
| 11.132.0 | 11.132.0.29 |
| 11.134.0 | 11.134.0.20 |
| 11.136.0 | 11.136.0.5 |
| WP Squared | 136.1.7 |
If your server is below the fixed build for its branch, or on a branch with no fixed build listed, it is exposed right now.
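Comparing a four-part build number against this table by eye is error-prone across a fleet, so here is an added triage script (not from cPanel or the advisory) that does the comparison for you. The fixed builds are copied from the table above; reading the version from `/usr/local/cpanel/version` and the exact format of that file are assumptions, and WP Squared, which uses a different numbering scheme, is not handled.

```python
"""
Added example, not cPanel's code: classifies a cPanel & WHM version string
against the fixed builds listed in the table above. The version file path
and its format are assumptions.
"""
import sys

# Fixed builds per branch, copied from the table above. WP Squared (136.1.7)
# uses a different numbering scheme and is deliberately not covered.
FIXED_BUILDS = {
    (11, 86, 0): (11, 86, 0, 41),
    (11, 110, 0): (11, 110, 0, 97),
    (11, 118, 0): (11, 118, 0, 63),
    (11, 126, 0): (11, 126, 0, 54),
    (11, 130, 0): (11, 130, 0, 19),
    (11, 132, 0): (11, 132, 0, 29),
    (11, 134, 0): (11, 134, 0, 20),
    (11, 136, 0): (11, 136, 0, 5),
}

# The advisory text says every release after 11.40 is affected.
LAST_UNAFFECTED = (11, 40)


def parse_version(text):
    """'11.110.0.50' -> (11, 110, 0, 50); raises ValueError on anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised cPanel version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text):
    """Returns (status, message); status is 'patched', 'vulnerable' or
    'not_affected'. A branch with no listed fix is treated as vulnerable,
    because no build on it is known to be safe."""
    v = parse_version(version_text)
    branch = ".".join(str(n) for n in v[:3])
    if v[:2] <= LAST_UNAFFECTED:
        return "not_affected", f"{version_text} is not after 11.40"
    fixed = FIXED_BUILDS.get(v[:3])
    if fixed is None:
        return "vulnerable", (f"{version_text}: branch {branch} has no fixed build "
                              "listed; move to a supported branch")
    fixed_text = ".".join(str(n) for n in fixed)
    if v >= fixed:
        return "patched", f"{version_text} is at or above fixed build {fixed_text}"
    return "vulnerable", f"{version_text} is below fixed build {fixed_text}"


if __name__ == "__main__":
    # Assumed location of the version file; pass another path as argv[1].
    path = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/cpanel/version"
    with open(path, encoding="utf-8") as fh:
        status, message = assess(fh.read())
    print(f"{status}: {message}")
    sys.exit(1 if status == "vulnerable" else 0)
```

Run it on each host (or feed it the output of `cat /usr/local/cpanel/version` collected by your configuration management) and act on any non-zero exit. Note that `assess("11.100.0.12")` comes back vulnerable even though 11.100 is not in the table: an end-of-life branch has no safe build, so the fix is a branch change, not a point update.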
The Hidden Timeline: Zero-Day Exploitation Before Disclosure
One of the most troubling parts of this story is the suspected exploitation window.
Researchers believe active exploitation may have started around February 23, 2026. The public disclosure came on April 28. That is a 64-day gap during which attackers could silently compromise cPanel servers while defenders had no idea the vulnerability existed.
It is also why proactive scanning matters. Tools like Pentesty.co continuously check your infrastructure using thousands of updated Nuclei templates, including checks for authentication bypass vulnerabilities, and deliver professional reports in under 10 minutes. You do not have to wait for a CVE to go public to know you have a problem. For more on why waiting for advisories is not enough, see why your pentest report may be lying to you — and how to prioritize what actually gets fixed.
How to Mitigate CVE-2026-41940
Step 1: Update Immediately
This is not optional. Update cPanel & WHM to the patched version for your branch. There is no legitimate reason to delay this.
```bash
/usr/local/cpanel/scripts/upcp --force
```
upcp follows the release tier configured in /etc/cpupdate.conf, so a branch with no fixed build in the table above needs a tier change before the update helps. Afterwards, confirm the reported version is at or above the fixed build for your branch:
```bash
cat /usr/local/cpanel/version
```
Step 2: Restrict Access to cPanel Ports
While not a permanent fix, you can reduce your attack surface by blocking public access to cPanel's administrative ports:
- TCP 2083 for the cPanel user interface (and TCP 2082, its plain-HTTP counterpart, if it is still open)
- TCP 2087 for the WHM administrative interface (and TCP 2086 likewise)
Use your firewall or CSF to allow only trusted IP ranges:
```bash
csf -a YOUR_TRUSTED_IP
```
csf -a only adds an allow entry for that address; to actually close the ports to everyone else, remove 2083 and 2087 (and 2082/2086) from TCP_IN in /etc/csf/csf.conf and reload with csf -r. Make sure you have an out-of-band path to the server first, or you can lock yourself out.
Step 3: Review Session Files and Access Logs
If you suspect exploitation already occurred, check your session files and access logs for anomalies:
```bash
# Check cPanel session files for suspicious entries
grep -r "user=root" /var/cpanel/sessions/
# Review WHM access logs
tail -n 1000 /usr/local/cpanel/logs/access_log | grep -i "2087"
```
Look for root-level sessions initiated from unexpected IP addresses, especially any activity between late February and late April. A match on user=root is not proof by itself, since legitimate root sessions contain the same string; the signal is the source IP and the timing. The login log at /usr/local/cpanel/logs/login_log records logins with their source address and deserves the same review. Also note that 1,000 lines is a small window against a two-month exposure, so go through the full access log and its rotated copies rather than just the tail.
Step 4: Audit All Hosted Sites
If your server was potentially exposed during that window, assume every hosted site may have been compromised. Look for new admin accounts in WordPress or other CMS platforms, modified .htaccess files, web shells in public_html directories, and unauthorized DNS changes.
Why CRLF Injection Keeps Coming Back
CRLF injection is not a new vulnerability class. It has been documented for decades. Yet it keeps showing up in production software for three recurring reasons: input sanitization is often incomplete; developers catch the obvious attack patterns but miss edge cases such as control characters inside an otherwise valid field; and file-based session storage relies on line structure that the stored data itself can break, a risk a database-backed session store avoids because each value lives in its own typed column.
Legacy codebases with long histories accumulate technical debt in security-critical areas. And without automated testing running continuously, these flaws persist for months or years without detection.
This is why regular vulnerability assessments are not a nice-to-have. A single CVE like this one can undo years of infrastructure investment.
Key Takeaways
CVE-2026-41940 is a CVSS 9.8 authentication bypass in cPanel & WHM that requires no credentials to exploit. Around 1.5 million servers may be vulnerable. Exploitation likely started two months before public disclosure. Update to the patched version for your branch now, implement network-level restrictions as a secondary control, and audit session logs and hosted sites for signs of compromise.
Staying ahead of vulnerabilities like CVE-2026-41940 requires more than reading advisories. It requires continuous assessment. Pentesty.co automates penetration testing with 8,000+ Nuclei templates and delivers professional PDF reports in minutes, not days. Find your exposures before attackers do.
Related on Pentesty
OWASP Top 10: The Developer's Guide to Not Getting Hacked →
Broken access control and authentication failures in practice — the same classes this CVE abuses at the platform layer.
Why Your Pentest Report Is Lying to You →
How to read assessments for signal, not noise — so critical issues do not drown in scanner output.
The Udemy breach & ShinyHunters →
When platforms at massive scale leak identity data, extortion and downstream credential abuse follow the same playbook.
BTG Pactual & financial data security →
High-trust sectors still need outside-in visibility — especially when suppliers expand the blast radius.
Rockstar refused ransom; data leaked anyway →
Extortion is not only a hosting problem — it is a business decision under pressure, with or without encryption keys.
Inside ShinyHunters: extortion playbook →
Why unpatched edge infra matters in the same campaigns that end in pay-or-leak deadlines.
Questions about continuous scanning or report quality? Request early access to Pentesty.
