CVE-2026-41940 cPanel & WHM Authentication Bypass Overview and Takeaways
cPanel has disclosed a critical authentication bypass vulnerability affecting cPanel & WHM and WP Squared, tracked as CVE-2026-41940 (CVSS 9.8). The flaw allows a remote, unauthenticated attacker to gain root-level administrative access by injecting arbitrary values into a server-side session file, effectively bypassing all credential checks.
This vulnerability has been actively exploited in the wild prior to patch release, and a public proof-of-concept is now available. Immediate remediation is essential for all organizations running vulnerable versions.
What do I need to know?
- CVE: CVE-2026-41940
- Severity: Critical (CVSS 9.8)
- Root Cause: Missing Authentication for Critical Function (CWE-306)
- Attack Vector: Network – No authentication or user interaction required
Products and Systems Affected
Affected Products:
- cPanel & WHM
- 11.86.0.x: All versions prior to 11.86.0.41 → Fixed in 11.86.0.41
- 11.110.0.x: All versions prior to 11.110.0.97 → Fixed in 11.110.0.97
- 11.118.0.x: All versions prior to 11.118.0.63 → Fixed in 11.118.0.63
- 11.126.0.x: All versions prior to 11.126.0.54 → Fixed in 11.126.0.54
- 11.132.0.x: All versions prior to 11.132.0.29 → Fixed in 11.132.0.29
- 11.134.0.x: All versions prior to 11.134.0.20 → Fixed in 11.134.0.20
- 11.136.0.x: All versions prior to 11.136.0.5 → Fixed in 11.136.0.5
- WP Squared 136.1.x: All versions prior to 136.1.7 → Fixed in 136.1.7
What do I need to do?
We recommend the following steps to identify and remediate this vulnerability:
Review and Audit
- Identify all cPanel & WHM and WP Squared instances within your environment.
- Confirm installed versions against the list above.
- Check whether auto-update is enabled and confirm patched builds are installed.
- Review logs for activity on cPanel & WHM ports (2082, 2083, 2086, 2087, 2095, 2096, 2077, 2078). Look for failed login attempts immediately followed by active sessions from the same source IP, which may indicate exploitation.
- Treat any unpatched internet-facing instance as potentially compromised and forward logs to your SIEM for investigation.
Patch Immediately
- Apply the fixed version for your release branch as listed.
- Refer to cPanel Security Advisory for guidance.
- Details are available in the cPanel & WHM Release Notes and Change Logs.
Mitigation (If Patching Is Delayed)
- Restrict inbound access to cPanel & WHM administrative ports (2082, 2083, 2086, 2087, 2095, 2096, 2077, 2078) to trusted IP ranges only.
- These interfaces should never be exposed to the public internet.
NetSPI Product and Services Coverage
NetSPI’s External Attack Surface Management service has released detections for this vulnerability. Detection name:
Vulnerable Version – cPanel & WHM – Authentication Bypass (CVE-2026-41940)
NetSPI’s Penetration Testing Services can also help identify exposure to this vulnerability.
Additional Resources
Explore More Blog Posts
I’m Just Asking Questions: Social Engineering as a Reporter
Dive into this real-world social engineering assessment where a fake anonymous tip and an adversary-in-the-middle framework tested the limits of an organization's security policies.
Beyond the Hype: What Regulated Industries Need to Know Before Trusting AI Security Tooling
AI security tools can build an attack, but enterprise security teams in regulated industries need consistency, auditability, and predictable costs before they can trust one. Learn why the surrounding infrastructure is where most AI security vendors are still falling short.
Splunk Enterprise Unauthenticated Arbitrary File Operations/RCE (CVE-2026-20253): Overview and Takeaways
Splunk disclosed CVE-2026-20253 on June 10, 2026, affecting Splunk Enterprise versions in the 10.0.x and 10.2.x branches. The flaw stems from a PostgreSQL sidecar service endpoint that completely lacks authentication controls (CWE-306), allowing any network-reachable attacker to invoke arbitrary file creation or truncation operations without credentials.