CVE-2026-41940 cPanel & WHM Authentication Bypass Overview and Takeaways
cPanel has disclosed a critical authentication bypass vulnerability affecting cPanel & WHM and WP Squared, tracked as CVE-2026-41940 (CVSS 9.8). The flaw allows a remote, unauthenticated attacker to gain root-level administrative access by injecting arbitrary values into a server-side session file, effectively bypassing all credential checks.
This vulnerability has been actively exploited in the wild prior to patch release, and a public proof-of-concept is now available. Immediate remediation is essential for all organizations running vulnerable versions.
What do I need to know?
- CVE: CVE-2026-41940
- Severity: Critical (CVSS 9.8)
- Root Cause: Missing Authentication for Critical Function (CWE-306)
- Attack Vector: Network – No authentication or user interaction required
Products and Systems Affected
Affected Products:
- cPanel & WHM
- 11.86.0.x: All versions prior to 11.86.0.41 → Fixed in 11.86.0.41
- 11.110.0.x: All versions prior to 11.110.0.97 → Fixed in 11.110.0.97
- 11.118.0.x: All versions prior to 11.118.0.63 → Fixed in 11.118.0.63
- 11.126.0.x: All versions prior to 11.126.0.54 → Fixed in 11.126.0.54
- 11.132.0.x: All versions prior to 11.132.0.29 → Fixed in 11.132.0.29
- 11.134.0.x: All versions prior to 11.134.0.20 → Fixed in 11.134.0.20
- 11.136.0.x: All versions prior to 11.136.0.5 → Fixed in 11.136.0.5
- WP Squared 136.1.x: All versions prior to 136.1.7 → Fixed in 136.1.7
What do I need to do?
We recommend the following steps to identify and remediate this vulnerability:
Review and Audit
- Identify all cPanel & WHM and WP Squared instances within your environment.
- Confirm installed versions against the list above.
- Check whether auto-update is enabled and confirm patched builds are installed.
- Review logs for activity on cPanel & WHM ports (2082, 2083, 2086, 2087, 2095, 2096, 2077, 2078). Look for failed login attempts immediately followed by active sessions from the same source IP, which may indicate exploitation.
- Treat any unpatched internet-facing instance as potentially compromised and forward logs to your SIEM for investigation.
Patch Immediately
- Apply the fixed version for your release branch as listed.
- Refer to cPanel Security Advisory for guidance.
- Details are available in the cPanel & WHM Release Notes and Change Logs.
Mitigation (If Patching Is Delayed)
- Restrict inbound access to cPanel & WHM administrative ports (2082, 2083, 2086, 2087, 2095, 2096, 2077, 2078) to trusted IP ranges only.
- These interfaces should never be exposed to the public internet.
NetSPI Product and Services Coverage
NetSPI’s External Attack Surface Management service has released detections for this vulnerability. Detection name:
Vulnerable Version – cPanel & WHM – Authentication Bypass (CVE-2026-41940)
NetSPI’s Penetration Testing Services can also help identify exposure to this vulnerability.
Additional Resources
Explore More Blog Posts
Phishing with Misfortune Cookies
Phishing is about creativity. The less likely your target is to think about a link being potentially malicious, the more likely you are to have success. Read how our creative Social Engineering experts ruined free cookies in the break room.
CVE-2026-9082 Drupal Core PostgreSQL SQL Injection Overview and Takeaways
A critical vulnerability in Drupal Core, tracked as CVE-2026-9082, affects Drupal deployments using a PostgreSQL database. The issue allows unauthenticated attackers to perform arbitrary SQL queries via crafted JSON:API or search queries. Successful exploitation may result in full database compromise or remote code execution.
Emulating & Exploiting UEFI: Unveiling Vulnerabilities in Firmware Security
Explore the intricacies of UEFI security with exploration into emulation, dynamic analysis, and the LogoFail vulnerability. Learn how subtle input manipulations can expose critical firmware weaknesses.