CVE-2026-41940
CVE-2026-41940 is a critical-severity vulnerability in Cpanel with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2026-04-30). The underlying weakness is classified as CWE-306.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v4: 9.3
- EPSS exploit prediction: 98% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2026-04-30)
- EU (EUVD) id: EUVD-2026-26246
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2026-04-30)
- Weakness: CWE-306
- Affected product: Cpanel
- Published:
- Last modified:
Description
cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
CVE-2026-41940: cPanel & WHM Authentication Bypass in Login Flow
AI-generated analysis based on the vulnerability data on this page.
| CVE | CVSS v3 | CVSS v4 | EPSS | CWE | KEV |
|---|---|---|---|---|---|
| CVE-2026-41940 | 9.8 (Critical) | 9.3 (Critical) | 0.981 | CWE-306 | Yes (2026-04-30) |
Summary
cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow. An unauthenticated remote attacker can exploit this flaw to gain unauthorized access to the control panel, effectively bypassing the entire authentication boundary.
Background
cPanel and WHM are widely deployed web hosting control panels used to manage web servers, domains, email accounts, and databases. The login flow is the primary security gate for administrative access. A vulnerability in this flow is especially dangerous because it exposes the full surface area of the control panel to any attacker who can reach the web interface.
Root Cause
The vulnerability is classified as CWE-306: Missing Authentication for Critical Function. The login flow in affected versions fails to enforce proper authentication checks under certain conditions, allowing an attacker to access the control panel without valid credentials. This implies a logic error or state-management flaw in the authentication pipeline rather than a memory corruption issue.
Impact
The CVSS v3 score of 9.8 and CVSS v4 score of 9.3 reflect a Critical severity:
- Attack Vector: Network — exploitable remotely over the internet.
- Attack Complexity: Low — no special conditions or advanced techniques are required.
- Privileges Required: None — the attacker needs no prior account or credentials.
- User Interaction: None — fully automated exploitation is possible.
- Scope: Unchanged — the vulnerable component is the only one affected.
- Confidentiality, Integrity, Availability: All rated High — successful exploitation can lead to full compromise of the managed server, including data exfiltration, configuration tampering, and service disruption.
Exploitation Walkthrough
Ethics caveat: This section describes the attack surface from a defender’s perspective. No weaponized exploit code is provided, and the information is intended to support detection and hardening only.
The flaw exists in the web-based login flow of cPanel/WHM. An attacker can send crafted HTTP requests to the login endpoint that bypass the credential-validation step. Because the attack requires no authentication and no user interaction, it can be carried out at scale by automated scanning tools. Defenders should assume that any internet-facing cPanel/WHM instance running an affected version is actively being probed.
Affected and Patched Versions
The NVD record lists the following vulnerable products:
- cPanel
- WHM
- WP Squared
Specific patched version numbers are not explicitly stated in the available structured data. cPanel released a security update on 2026-04-28. Administrators should apply the latest vendor patch and verify their install via the official cPanel support portal.
Remediation
- Upgrade immediately: Apply the cPanel security update released on 2026-04-28. Verify the patch level through the official release notes or cPanel support portal.
- Restrict network exposure: Limit cPanel/WHM access to trusted IP ranges via firewall rules or VPN enforcement. Do not expose the login interface to the open internet unless absolutely necessary.
- Multi-factor authentication (MFA): Enforce MFA for all cPanel/WHM accounts as a compensating control. Note that MFA may not fully mitigate this specific bypass if the flaw occurs before the MFA challenge is reached, so patching remains the primary fix.
- Monitor for unauthorized access: Review access logs for anomalous logins, especially from unexpected geolocations or during off-hours.
Detection
- Monitor web server logs for unusual HTTP requests to
/loginor equivalent authentication endpoints that do not follow the normal login sequence (e.g., missing or malformed credential parameters followed by successful session establishment). - Look for rapid sequential requests from single IPs that may indicate automated scanning.
- Correlate cPanel authentication logs with external threat intelligence feeds that flag CVE-2026-41940 activity.
- Deploy network intrusion detection signatures that detect known probing patterns for this vulnerability.
Assessment
With an EPSS score of 0.981 (98.1% probability of exploitation) and a KEV entry dated 2026-04-30, this vulnerability is not merely theoretical — it is being actively exploited in the wild. The EU vulnerability database also flags it as exploited since 2026-04-30. The combination of a trivial attack path, maximum severity rating, and confirmed in-the-wild exploitation makes this one of the most urgent patching items for hosting providers in 2026.
Key lessons:
- Authentication bypass flaws in widely exposed admin interfaces are high-value targets for mass exploitation.
- A strong patch-management cadence for control-panel software is essential when EPSS and KEV signals converge at this level.
References
- https://docs.cpanel.net/release-notes/release-notes
- https://docs.wpsquared.com/changelogs/versions/changelog/#13617
- https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026
- https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026
- https://www.vulncheck.com/advisories/cpanel-and-whm-authentication-bypass-via-login-flow
- https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/
- https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/
- https://github.com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41940
Frequently asked questions
- What is CVE-2026-41940?
- cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
- How severe is CVE-2026-41940?
- CVE-2026-41940 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2026-41940 being actively exploited?
- Yes. CVE-2026-41940 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2026-04-30, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2026-41940?
- CVE-2026-41940 primarily affects Cpanel. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2026-41940?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2026-41940 have an EU (EUVD) identifier?
- Yes. CVE-2026-41940 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-26246. It is also flagged as exploited in the EUVD (since 2026-04-30).
- When was CVE-2026-41940 published?
- CVE-2026-41940 was published on 2026-04-29 and last updated on 2026-06-17.
References
- https://docs.cpanel.net/release-notes/release-notes
- https://docs.wpsquared.com/changelogs/versions/changelog/#13617
- https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026
- https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026
- https://www.vulncheck.com/advisories/cpanel-and-whm-authentication-bypass-via-login-flow
- https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/
- https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/
- https://github.com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41940
Affected products (3)
- cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*
- cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:*
- cpe:2.3:a:cpanel:wp_squared:*:*:*:*:*:wordpress:*:*
More vulnerabilities in Cpanel
- CVE-2004-1769 — Critical (CVSS 10.0): The "Allow cPanel users to reset their password via email" feature in cPanel 9.1.0 build 34 and earlier, including 8.x,…
- CVE-2004-1770 — Critical (CVSS 10.0): The login page for cPanel 9.1.0, and possibly other versions, allows remote attackers to execute arbitrary code via…
- CVE-2003-1425 — Critical (CVSS 10.0): guestbook.cgi in cPanel 5.0 allows remote attackers to execute arbitrary commands via the template parameter.
- CVE-2020-26108 — Critical (CVSS 9.8): cPanel before 88.0.13 mishandles file-extension dispatching, leading to code execution (SEC-488).
- CVE-2020-26105 — Critical (CVSS 9.8): In cPanel before 88.0.3, insecure chkservd test credentials are used on a templated VM (SEC-554).
- CVE-2020-26101 — Critical (CVSS 9.8): In cPanel before 88.0.3, insecure RNDC credentials are used for BIND on a templated VM (SEC-549).
Other CWE-306 (Missing Authentication for Critical Function) vulnerabilities
- CVE-2026-54309 — Critical (CVSS 10.0): n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, when @n8n/mcp-browser is run in HTTP…
- CVE-2026-50242 — Critical (CVSS 10.0): In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429…
- CVE-2026-49257 — Critical (CVSS 10.0): mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1…
- CVE-2026-46846 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework).…
- CVE-2026-46803 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework).…
- CVE-2026-46800 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites).…
Browse all CWE-306 (Missing Authentication for Critical Function) vulnerabilities →