Critical vulnerability in cPanel exploited for months before patch

A serious authentication bypass vulnerability (CVE-2026-41940) in cPanel, a popular web control panel for managing hosting accounts, has been exploited in the wild. More concerning still, attackers did not need the technical details later published by WatchTowr researchers: exploitation of CVE-2026-41940 was observed as early as February 23, and the flaw may have been abused even earlier.

Technical details of the vulnerability

cPanel, typically provided by shared hosting companies, is one of the most widely used control panels. WHM (Web Host Manager) is used by hosting providers to manage multiple cPanel accounts on a server. CVE-2026-41940 stems from the lack of authentication for a critical function and allows remote unauthenticated attackers to gain unauthorized access to the control panel.

According to Ryan Emmons, a researcher at Rapid7, "before authentication occurs, cpsrvd (the cPanel service daemon) writes a new session file to disk. The vulnerability allows an attacker to manipulate the whostmgrsession cookie by omitting an expected segment of the cookie value, thus bypassing the encryption process typically applied to a value provided by the attacker."

Attackers can inject \r\n (carriage return and line feed) characters through the HTTP Basic Authorization header, and cpsrvd writes the decoded value into the session file without sanitizing it. Each injected line break is treated as the start of a new property, so the attacker can add arbitrary entries, such as user=root, to their own session file. Once the session is reloaded from that file, the attacker's token carries administrative-level access.
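The pattern described above, as an added illustration that is not cPanel's or cpsrvd's code: a toy line-oriented session store writes a value taken from the Basic Authorization header to disk before authentication and later rebuilds the session from that file. The first writer copies the user name verbatim, so a CR/LF inside it smuggles a second `user=` line into the file; the hardened writer rejects anything outside a conservative account-name character set. The attacker header, the file layout and the function names are all constructed for this example.

```python
from __future__ import annotations

import base64
import re

# Toy, line-oriented "key=value" session store that mimics the pattern the article
# describes: a value from the Basic Authorization header is written to the session
# file before authentication, and the file is later re-read to rebuild the session.
# Illustration only; it is not cPanel's or cpsrvd's code.


def parse_basic_auth(header: str) -> tuple[str, str]:
    """Decode an 'Authorization: Basic <base64(user:password)>' value."""
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not HTTP Basic authentication")
    user, _, password = base64.b64decode(encoded).decode("utf-8").partition(":")
    return user, password


def write_session_unsafe(token: str, user: str) -> str:
    """Vulnerable pattern: the user name is written verbatim, so CR/LF inside it
    terminates the 'user=' line and starts new property lines chosen by the client."""
    return f"token={token}\r\nuser={user}\r\nstate=preauth\r\n"


# Hardened form: only accept a conservative account-name character set before
# the value ever touches the file. Control characters (CR, LF, NUL) are rejected.
_ACCOUNT_NAME = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def write_session_safe(token: str, user: str) -> str:
    if _ACCOUNT_NAME.fullmatch(user) is None:
        raise ValueError("user name contains characters that are not allowed")
    return f"token={token}\r\nuser={user}\r\nstate=preauth\r\n"


def load_session(blob: str) -> dict[str, str]:
    """Re-read the session file. Later assignments overwrite earlier ones, which is
    what makes an injected 'user=root' line win over the legitimate 'user=' line."""
    props: dict[str, str] = {}
    for line in blob.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def demo() -> tuple[str, str]:
    """Constructed attacker header: credentials 'guest<CR><LF>user=root' : 'x'.
    Returns (user seen after reload with the unsafe writer, safe-writer verdict)."""
    header = "Basic " + base64.b64encode(b"guest\r\nuser=root:x").decode("ascii")
    user, _ = parse_basic_auth(header)

    effective_user = load_session(write_session_unsafe("t1", user))["user"]
    try:
        write_session_safe("t1", user)
        verdict = "accepted"
    except ValueError:
        verdict = "rejected"
    return effective_user, verdict


if __name__ == "__main__":
    print(demo())  # ('root', 'rejected')
```

The fix is a validation step at the trust boundary, not an escaping step at the file: once a client-supplied value can carry line terminators into a line-oriented store, every later consumer of that store has to be treated as reading attacker-authored properties.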

Exploitation in the wild and vulnerability disclosure

WebPros International L.L.C., the company that develops cPanel, published a security advisory for CVE-2026-41940 on April 28 and released security updates a few hours later. According to Daniel Pearson, CEO of KnownHost, a managed hosting provider, they were notified around the same time. They immediately began blocking access ports to WHM/cPanel across the KnownHost network and then started implementing security updates.

Other hosting providers took similar measures. The disclosure timeline for CVE-2026-41940 is muddled. According to a source at webhosting.today, the vulnerability "had been reported to cPanel about two weeks before the public advisory on April 28, and (...) cPanel's initial response was that there was nothing wrong."

It is unclear whether the reporter was aware of the exploitation in the wild. It is equally uncertain why WebPros did not communicate the existence of such a critical vulnerability to hosting providers earlier and did not provide mitigation steps while working on fixes.

What to do?

CVE-2026-41940 affects all versions of cPanel and WHM after v11.40, as well as WP Squared v136.1.7, a managed WordPress hosting platform built on cPanel. As Emmons of Rapid7 noted, "successful exploitation of CVE-2026-41940 grants an attacker control over the cPanel host system, its configurations and databases, and the websites it manages."

Shodan shows approximately 1.5 million cPanel instances exposed to the Internet, though how many of them are still vulnerable is unknown. The security advisory recommends updating to a fixed version of cPanel, verifying the installed build version, and restarting the cPanel service (cpsrvd).

Where patching cannot happen immediately, the advisory's mitigation is to block incoming traffic to ports 2083, 2087, 2095, and 2096 at the firewall and to stop the cpsrvd and cpdavd services. Note that this also cuts customers off from cPanel and webmail until the rules are reverted, so management addresses should be allowlisted before the drop rules go in. The company has also provided a script that customers can run to look for known indicators of compromise.
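The lockdown-then-verify procedure above, as an added example script that is not from the advisory or from WebPros. It assumes a Linux host with iptables and the cPanel `/scripts/restartsrv_cpsrvd` and `/scripts/restartsrv_cpdavd` helpers, and that the installed version can be read from `/usr/local/cpanel/version` (all assumptions; adjust for firewalld, csf or your own tooling). The management address is a constructed placeholder. It prints the commands by default and only executes them when `APPLY=1` is set.

```shell
#!/bin/sh
# Temporary WHM/cPanel lockdown while patching, then post-update verification.
# Dry run by default: each command is printed. Set APPLY=1 to execute for real.
# Assumes iptables and the /scripts/restartsrv_* helpers exist on the host.
set -u

CPANEL_PORTS="2083 2087 2095 2096"              # ports named in the advisory's mitigation
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.10/32}"     # constructed placeholder: your management address

# Print the command, or run it when APPLY=1.
run() {
  if [ "${APPLY:-0}" = "1" ]; then
    "$@"
  else
    printf '%s\n' "$*"
  fi
}

# Block the cPanel/WHM/webmail ports for everyone except the management address.
# Both rules are inserted at position 1; the DROP goes in first so that the
# ACCEPT inserted afterwards sits above it and is evaluated first.
block_cpanel_ports() {
  for p in $CPANEL_PORTS; do
    run iptables -I INPUT 1 -p tcp --dport "$p" -j DROP
    run iptables -I INPUT 1 -p tcp -s "$ADMIN_CIDR" --dport "$p" -j ACCEPT
  done
}

# Stop the two daemons the advisory names.
stop_cpanel_services() {
  run /scripts/restartsrv_cpsrvd --stop
  run /scripts/restartsrv_cpdavd --stop
}

# After updating: show the installed build and restart cpsrvd, as the advisory asks.
# Compare the printed version against the fixed version listed in the advisory.
verify_after_update() {
  run cat /usr/local/cpanel/version
  run /scripts/restartsrv_cpsrvd
}

case "${1:-}" in
  lockdown) block_cpanel_ports; stop_cpanel_services ;;
  verify)   verify_after_update ;;
esac
```

Run `sh lockdown.sh lockdown` to review the commands, then `APPLY=1 sh lockdown.sh lockdown` to apply them; after the update, `APPLY=1 sh lockdown.sh verify` prints the build and restarts cpsrvd. Remove the temporary DROP rules once the host is confirmed patched.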

According to Pearson, "at least in our network and in the cases I've reviewed, any exploitation has resulted in 'let's see if it works' and then there have been no further changes/attempts beyond that." He added that after a thorough review, they will contact anyone who has been involved directly, but stated that he has not seen signs of any active compromise, injected payloads, or anything else other than confirmation of access.

Recent updates

On May 1, 2026, CISA added CVE-2026-41940 to its list of known exploited vulnerabilities. The Shadowserver Foundation also began reporting observed exploitation attempts in the wild. These developments underscore the urgency for affected systems to be patched as soon as possible.

Impact on the hosting industry

The CVE-2026-41940 vulnerability has rattled the hosting industry. Providers are scrambling to update their systems and to inform customers about the risk, and the incident is a reminder that widely deployed, long-trusted software still has to be treated as potentially vulnerable and patched proactively.

Lessons learned

Several lessons follow from the CVE-2026-41940 incident. First, patches must be applied as soon as they are available; here exploitation preceded the fix by months, so every day of delay extends an already long exposure window. Second, continuous monitoring and proactive threat hunting are essential for spotting exploitation before it escalates. Finally, transparent communication between vendors, hosting providers and their customers is crucial for maintaining trust and ensuring a swift response to security threats.

Conclusion

The CVE-2026-41940 vulnerability in cPanel is a wake-up call for the hosting industry and its customers. Patching promptly, hunting for signs of abuse, and insisting on early vendor communication are the measures that limit the damage from the next such flaw.

Editorial Note and Disclaimer

The guides and content published on GoYou are the result of independent research and analysis activities, for informational, educational, and in-depth purposes.

GoYou does not constitute a journalistic publication or an editorial product pursuant to Law No. 62/2001 and does not perform real-time information activities.

The GoYou project does not provide professional, technical, legal, or financial advice and disclaims any liability for the misuse of the information published.
