CVE-2026-41940

CVE-2026-41940 is a critical-severity vulnerability in Cpanel with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2026-04-30). The underlying weakness is classified as CWE-306.

Key facts

Description

cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

CVE-2026-41940: cPanel & WHM Authentication Bypass in Login Flow

AI-generated analysis based on the vulnerability data on this page.

CVE CVSS v3 CVSS v4 EPSS CWE KEV
CVE-2026-41940 9.8 (Critical) 9.3 (Critical) 0.981 CWE-306 Yes (2026-04-30)

Summary

cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow. An unauthenticated remote attacker can exploit this flaw to gain unauthorized access to the control panel, effectively bypassing the entire authentication boundary.

Background

cPanel and WHM are widely deployed web hosting control panels used to manage web servers, domains, email accounts, and databases. The login flow is the primary security gate for administrative access. A vulnerability in this flow is especially dangerous because it exposes the full surface area of the control panel to any attacker who can reach the web interface.

Root Cause

The vulnerability is classified as CWE-306: Missing Authentication for Critical Function. The login flow in affected versions fails to enforce proper authentication checks under certain conditions, allowing an attacker to access the control panel without valid credentials. This implies a logic error or state-management flaw in the authentication pipeline rather than a memory corruption issue.

Impact

The CVSS v3 score of 9.8 and CVSS v4 score of 9.3 reflect a Critical severity:

  • Attack Vector: Network — exploitable remotely over the internet.
  • Attack Complexity: Low — no special conditions or advanced techniques are required.
  • Privileges Required: None — the attacker needs no prior account or credentials.
  • User Interaction: None — fully automated exploitation is possible.
  • Scope: Unchanged — the vulnerable component is the only one affected.
  • Confidentiality, Integrity, Availability: All rated High — successful exploitation can lead to full compromise of the managed server, including data exfiltration, configuration tampering, and service disruption.

Exploitation Walkthrough

Ethics caveat: This section describes the attack surface from a defender’s perspective. No weaponized exploit code is provided, and the information is intended to support detection and hardening only.

The flaw exists in the web-based login flow of cPanel/WHM. An attacker can send crafted HTTP requests to the login endpoint that bypass the credential-validation step. Because the attack requires no authentication and no user interaction, it can be carried out at scale by automated scanning tools. Defenders should assume that any internet-facing cPanel/WHM instance running an affected version is actively being probed.

Affected and Patched Versions

The NVD record lists the following vulnerable products:

  • cPanel
  • WHM
  • WP Squared

Specific patched version numbers are not explicitly stated in the available structured data. cPanel released a security update on 2026-04-28. Administrators should apply the latest vendor patch and verify their install via the official cPanel support portal.

Remediation

  1. Upgrade immediately: Apply the cPanel security update released on 2026-04-28. Verify the patch level through the official release notes or cPanel support portal.
  2. Restrict network exposure: Limit cPanel/WHM access to trusted IP ranges via firewall rules or VPN enforcement. Do not expose the login interface to the open internet unless absolutely necessary.
  3. Multi-factor authentication (MFA): Enforce MFA for all cPanel/WHM accounts as a compensating control. Note that MFA may not fully mitigate this specific bypass if the flaw occurs before the MFA challenge is reached, so patching remains the primary fix.
  4. Monitor for unauthorized access: Review access logs for anomalous logins, especially from unexpected geolocations or during off-hours.

Detection

  • Monitor web server logs for unusual HTTP requests to /login or equivalent authentication endpoints that do not follow the normal login sequence (e.g., missing or malformed credential parameters followed by successful session establishment).
  • Look for rapid sequential requests from single IPs that may indicate automated scanning.
  • Correlate cPanel authentication logs with external threat intelligence feeds that flag CVE-2026-41940 activity.
  • Deploy network intrusion detection signatures that detect known probing patterns for this vulnerability.

Assessment

With an EPSS score of 0.981 (98.1% probability of exploitation) and a KEV entry dated 2026-04-30, this vulnerability is not merely theoretical — it is being actively exploited in the wild. The EU vulnerability database also flags it as exploited since 2026-04-30. The combination of a trivial attack path, maximum severity rating, and confirmed in-the-wild exploitation makes this one of the most urgent patching items for hosting providers in 2026.

Key lessons:

  1. Authentication bypass flaws in widely exposed admin interfaces are high-value targets for mass exploitation.
  2. A strong patch-management cadence for control-panel software is essential when EPSS and KEV signals converge at this level.

References

Frequently asked questions

What is CVE-2026-41940?
cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
How severe is CVE-2026-41940?
CVE-2026-41940 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2026-41940 being actively exploited?
Yes. CVE-2026-41940 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2026-04-30, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2026-41940?
CVE-2026-41940 primarily affects Cpanel. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2026-41940?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2026-41940 have an EU (EUVD) identifier?
Yes. CVE-2026-41940 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-26246. It is also flagged as exploited in the EUVD (since 2026-04-30).
When was CVE-2026-41940 published?
CVE-2026-41940 was published on 2026-04-29 and last updated on 2026-06-17.

References

Affected products (3)

More vulnerabilities in Cpanel

All CVEs affecting Cpanel →

Other CWE-306 (Missing Authentication for Critical Function) vulnerabilities

Browse all CWE-306 (Missing Authentication for Critical Function) vulnerabilities →