A severe security flaw in cPanel and WebHost Manager (WHM) is being actively exploited, and has been for months. Tracked as CVE-2026-41940 with a CVSS score of 9.8 out of 10, the vulnerability affects all currently supported versions of both products. A patch arrived on April 28, 2026 — but by then, attackers had already been using the flaw as a zero-day since at least February.
What cPanel and WHM are
cPanel is the control panel most web hosting customers use to manage websites, databases, email accounts, file transfers, and domains. WHM sits above it as the server-level administrative interface, with root access to every hosting account on the machine, plus SSL certificates and server-wide security settings.
Between them, cPanel and WHM run an estimated 70 million domains. Security firm watchTowr described the access they provide plainly: "The keys to the kingdom, and then the keys to every individual apartment inside the kingdom. If the kingdom were the internet and the apartments were websites."
What the vulnerability does
CVE-2026-41940 is a Carriage Return Line Feed (CRLF) injection flaw in the login and session loading processes of cPanel and WHM. The software fails to sanitize user-supplied input during authentication, which lets an attacker bypass the login check entirely and gain root access.
The attack requires only a few steps. An attacker submits a failed login to generate a session cookie. They then send a follow-up request with a crafted header containing a privilege escalation instruction. In unpatched versions, stripping a specific hex value prevents the normal encryption of user-supplied data from running, so the plaintext root-access command passes through as trusted code. The resulting session cookie gives the attacker full administrative access — no valid password needed.
Rapid7 confirmed the CRLF injection root cause in its own advisory. watchTowr published a detailed technical breakdown showing exactly how session files are written before authentication and without sanitization, making the exploit path straightforward to reproduce once you know where to look.
Zero-day exploitation confirmed
KnownHost CEO Daniel Pearson stated that his company observed exploitation attempts as early as February 23, 2026 — more than two months before the patch existed. Eye Security found over 2 million cPanel instances exposed to the internet, though how many of those had auto-update enabled at the time of disclosure is not known.
The window between first exploitation and public patch was long enough that some servers may already be compromised without their administrators knowing.
What an attacker can do with access
With cPanel access, an attacker can read and modify files and databases, steal credentials from configuration files, plant backdoors or web shells, redirect visitors to malicious sites, and send phishing or spam email from the compromised domain.
WHM access is worse. It covers the entire server. An attacker can create persistent backdoor accounts, delete legitimate hosting accounts, use the server as a proxy, or deploy malware and botnet infrastructure across every site the server hosts.
The patch and affected versions
cPanel released fixes on April 28, 2026. The patched versions are:
- 110.0.x → 11.110.0.97
- 118.0.x → 11.118.0.63
- 126.0.x → 11.126.0.54
- 132.0.x → 11.132.0.29
- 134.0.x → 11.134.0.20
- 136.0.x → 11.136.0.5
The fix also covers WP Squared version 136.1.7, a WordPress hosting panel built on cPanel. Only versions newer than 11.40 are affected; servers running older builds that are out of support will receive no patch and need to upgrade their entire environment.
How hosting providers responded
Namecheap blocked TCP ports 2083 and 2087 — the ports cPanel and WHM use — as an emergency measure while the patch was prepared and deployed. InMotion Hosting did the same. Both providers confirmed that websites, email, and applications remained online throughout; only direct control panel logins were cut off.
By April 29 at 02:42 UTC, Namecheap confirmed the fix was applied across its Reseller and Stellar Business servers.
What to do now
Patch immediately. Run /scripts/upcp --force as root to force the update. After patching, restart the cpsrvd service as cPanel recommends.
Verify the version number. Confirm the server reflects one of the patched versions listed above before assuming it is safe.
If patching is not immediately possible, block external access to ports 2083, 2087, 2095, and 2096. Stopping the cpsrvd and cpdavd services removes the attack surface temporarily.
Check for compromise. cPanel published a detection script to identify indicators of exploitation. watchTowr also released a Detection Artifact Generator for the same purpose. If compromise is found: purge all sessions, reset every credential, audit access logs, and investigate persistence mechanisms.
Restrict access going forward. Enforce multi-factor authentication and limit WHM access to trusted IP addresses only.
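As an added example (not cPanel's or any vendor's own tooling), the following POSIX shell script implements the "verify the version number" step: it reads the installed version and compares it against the minimum fixed builds listed above. It assumes the version file /usr/local/cpanel/version holds a string such as 11.118.0.62, and that the branch is the second dotted field and the build the fourth.

```shell
#!/bin/sh
# Added example: check an installed cPanel/WHM version against the fixed
# builds for CVE-2026-41940. Assumes /usr/local/cpanel/version contains a
# version string like "11.118.0.62" (assumption, not taken from the advisory).

# Minimum fixed build for each supported branch, from the patch list above.
patched_build_for_branch() {
    case "$1" in
        110) echo 97 ;;
        118) echo 63 ;;
        126) echo 54 ;;
        132) echo 29 ;;
        134) echo 20 ;;
        136) echo 5 ;;
        *)   echo "" ;;   # unsupported or unknown branch: no patch exists
    esac
}

# is_patched VERSION: exit 0 when VERSION is at or above its branch's fixed build.
is_patched() {
    ver="$1"
    # "11.118.0.62" -> branch 118 (field 2), build 62 (field 4)
    branch=$(printf '%s' "$ver" | cut -d. -f2)
    build=$(printf '%s' "$ver" | cut -d. -f4)
    min=$(patched_build_for_branch "$branch")
    [ -n "$min" ] || return 1              # out-of-support branch: treat as unpatched
    case "$build" in
        ''|*[!0-9]*) return 1 ;;           # malformed version string
    esac
    [ "$build" -ge "$min" ]
}

# check_server [VERSION_FILE]: print a verdict; exit 0 only when patched.
check_server() {
    file="${1:-/usr/local/cpanel/version}"
    [ -r "$file" ] || { echo "cannot read $file"; return 2; }
    v=$(tr -d '[:space:]' < "$file")
    if is_patched "$v"; then
        echo "OK: $v is at or above the fixed build for CVE-2026-41940"
    else
        echo "NOT PATCHED or unsupported: $v (run /scripts/upcp --force, then restart cpsrvd)"
        return 1
    fi
}
```

Run check_server with no argument on the server itself; a non-zero exit means the host should still be treated as exposed and the port blocking described above kept in place.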
Sources: BleepingComputer, The Register, watchTowr Labs, The Hacker News, Rapid7, Namecheap, InMotion Hosting