A critical authentication bypass vulnerability in cPanel, a widely used web hosting control panel, is being actively exploited, security researchers and hosting providers have reported. The flaw, identified as CVE-2026-41940, poses a significant risk to systems running cPanel and WebHost Manager (WHM).
The vulnerability affects all supported versions of cPanel and WHM post version 11.40, along with WP Squared, a WordPress hosting panel built on cPanel. Security firm Rapid7 estimates around 1.5 million cPanel instances are exposed online, highlighting the potential scope of the threat. cPanel released a patch on Tuesday, but exploitation was already occurring in the wild.
Understanding the cPanel Authentication Bypass Vulnerability
According to cybersecurity firm watchTowr, the vulnerability arises from improper handling of user input during the login process. cPanel writes user request data into a server-side session file before full authentication. An attacker can insert hidden line break characters into the password field of a login request. These characters are not stripped by cPanel, allowing arbitrary data to be injected into the session file.
In a subsequent step, a malformed request can move this injected data into the session’s active cache. The system then misinterprets this data as legitimate authentication information, bypassing the need for actual credential verification. This allows attackers to gain unauthorized access.
Detection and Mitigation Efforts
cPanel has provided a detection script to help administrators scan session files for signs of compromise. Indicators include injected authentication timestamps, pre-authentication sessions with authenticated attributes, and password fields containing embedded newlines. watchTowr has also released a tool to help administrators confirm whether their systems are vulnerable.
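As an added illustration, not cPanel's detection script or watchTowr's tool, the following Python scan applies the three indicators above to constructed session records. The key/value layout and the field names (state, user, pass, authenticated, auth_time, created) are assumptions, since the page does not document cPanel's real session-file format.

```python
import re
from typing import Dict, List

# Constructed session records for illustration only; field names are assumed,
# as the real cPanel session layout is not described on the page.
SAMPLE_SESSIONS = {
    "sess_ok": {"state": "authed", "user": "alice", "pass": "",
                "authenticated": "1", "auth_time": "1700000100", "created": "1700000000"},
    "sess_preauth_clean": {"state": "preauth", "user": "bob", "pass": "hunter2",
                           "created": "1700000000"},
    "sess_injected": {"state": "preauth", "user": "root",
                      "pass": "x\nauthenticated=1\nauth_time=1600000000",
                      "authenticated": "1", "auth_time": "1600000000",
                      "created": "1700000000"},
}

LINE_BREAK = re.compile(r"[\r\n]")
AUTH_ATTRS = ("authenticated", "auth_time")  # assumed names of post-login attributes

def session_indicators(sess: Dict[str, str]) -> List[str]:
    """Return which of the page's three indicators appear in one session record."""
    found = []
    # 1. Password field containing an embedded CR/LF: the injection vector itself.
    if LINE_BREAK.search(sess.get("pass", "")):
        found.append("password_embedded_newline")
    # 2. Pre-authentication session that already carries authenticated-only attributes.
    if sess.get("state") == "preauth" and any(k in sess for k in AUTH_ATTRS):
        found.append("preauth_session_with_auth_attrs")
    # 3. Auth timestamp that is not an epoch integer or predates session creation,
    #    i.e. a value the server could not have written itself (heuristic).
    ts, created = sess.get("auth_time"), sess.get("created", "0")
    if ts is not None and (not ts.isdigit() or int(ts) < int(created)):
        found.append("injected_auth_timestamp")
    return found

def scan_sessions(sessions: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Map session id -> indicators, keeping only sessions with at least one hit."""
    return {sid: ind for sid, s in sessions.items() if (ind := session_indicators(s))}

def sanitize_field(value: str) -> str:
    """Strip CR/LF before a field is written to the session store. The page says the
    vendor fix sanitizes input at session-save time; this is an illustrative
    equivalent, not cPanel's code."""
    return LINE_BREAK.sub("", value)

if __name__ == "__main__":
    for sid, ind in scan_sessions(SAMPLE_SESSIONS).items():
        print(sid, ind)
```

Run against a real session store only after mapping the assumed field names onto whatever the actual files contain; the heuristics are the page's indicators, not a substitute for the vendor script.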
Leading domain registrar and hosting provider Namecheap took proactive measures by temporarily blocking access to cPanel and WHM ports 2083 and 2087. This action aimed to protect customer accounts while awaiting an official fix. The company began applying the patch once it became available.
The patches released by cPanel address the vulnerability across multiple version branches, from 11.110.0 through 11.136.0, and WP Squared version 11.136.1. The company’s advisory indicates the fix sanitizes potentially harmful input during the core session-saving process. Additionally, the patch includes improved handling for missing per-session encryption keys, which attackers previously exploited to bypass password encoding.
This critical authentication bypass vulnerability has been assigned a CVSS score of 9.8, indicating a severe security risk. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-41940 to its Known Exploited Vulnerabilities (KEV) catalog, mandating immediate action for federal agencies.
The immediate next step for hosting providers and administrators is to apply the patches released by cPanel. Continued monitoring for unusual login activity and reviewing system logs for indicators of compromise will be crucial. The full impact of the exploitation period before the patch was made available is still being assessed.