CVE-2026-41940 cPanel & WHM Authentication Bypass Overview and Takeaways

cPanel has disclosed a critical authentication bypass vulnerability affecting cPanel & WHM and WP Squared, tracked as CVE-2026-41940 (CVSS 9.8). The flaw allows a remote, unauthenticated attacker to gain root-level administrative access by injecting arbitrary values into a server-side session file, effectively bypassing all credential checks. 

This vulnerability has been actively exploited in the wild prior to patch release, and a public proof-of-concept is now available. Immediate remediation is essential for all organizations running vulnerable versions. 

What do I need to know? 

• CVE: CVE-2026-41940 
• Severity: Critical (CVSS 9.8) 
• Root Cause: Missing Authentication for Critical Function (CWE-306) 
• Attack Vector: Network – No authentication or user interaction required 

Products and Systems Affected 

Affected Products:  

• cPanel & WHM  
  • 11.86.0.x: All versions prior to 11.86.0.41 → Fixed in 11.86.0.41 
  • 11.110.0.x: All versions prior to 11.110.0.97 → Fixed in 11.110.0.97 
  • 11.118.0.x: All versions prior to 11.118.0.63 → Fixed in 11.118.0.63 
  • 11.126.0.x: All versions prior to 11.126.0.54 → Fixed in 11.126.0.54 
  • 11.132.0.x: All versions prior to 11.132.0.29 → Fixed in 11.132.0.29 
  • 11.134.0.x: All versions prior to 11.134.0.20 → Fixed in 11.134.0.20 
  • 11.136.0.x: All versions prior to 11.136.0.5 → Fixed in 11.136.0.5 
• WP Squared 136.1.x: All versions prior to 136.1.7 → Fixed in 136.1.7 

What do I need to do? 

We recommend the following steps to identify and remediate this vulnerability: 

Review and Audit 

• Identify all cPanel & WHM and WP Squared instances within your environment. 
• Confirm installed versions against the list above. 
• Check whether auto-update is enabled and confirm patched builds are installed. 
• Review logs for activity on cPanel & WHM ports (2082, 2083, 2086, 2087, 2095, 2096, 2077, 2078). Look for failed login attempts immediately followed by active sessions from the same source IP, which may indicate exploitation. 
• Treat any unpatched internet-facing instance as potentially compromised and forward logs to your SIEM for investigation. 

Patch Immediately 

• Apply the fixed version for your release branch as listed. 
• Refer to cPanel Security Advisory for guidance. 
• Details are available in the cPanel & WHM Release Notes and Change Logs. 

Mitigation (If Patching Is Delayed) 

• Restrict inbound access to cPanel & WHM administrative ports (2082, 2083, 2086, 2087, 2095, 2096, 2077, 2078) to trusted IP ranges only. 
• These interfaces should never be exposed to the public internet. 

NetSPI Product and Services Coverage 

NetSPI’s External Attack Surface Management service has released detections for this vulnerability. Detection name: 

Vulnerable Version – cPanel & WHM – Authentication Bypass (CVE-2026-41940) 

NetSPI’s Penetration Testing Services can also help identify exposure to this vulnerability. 

Additional Resources 

• NVD — CVE-2026-41940 
• cPanel Security Advisory 
• cPanel Release Notes 
• Changelog – WHM 136