
What is CVE-2026-41940?
CVE-2026-41940 is a pre-authentication remote authentication bypass in cPanel and WHM caused by CRLF (Carriage Return Line Feed) injection in the login and session handling logic. An unauthenticated remote attacker can embed raw \r\n characters in a crafted Basic Authorization header, which cpsrvd then writes into a session file without sanitization.
By manipulating the whostmgrsession cookie to skip the per-session encryption step, the attacker can insert arbitrary properties such as user=root, hasroot=1, and successful_internal_auth_with_timestamp into their own session file. Reloading that session promotes the attacker to a fully authenticated administrator.
The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical). No authentication, privileges, or user interaction are required, and the attack vector is fully network-based against any reachable cPanel or WHM management port.
The practical impact is total compromise of the host. A successful exploit grants administrative control of WHM, which on shared hosting infrastructure means control over every site, database, and email account the server hosts.
CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog on May 1, 2026, with a remediation deadline of May 3, 2026 for federal agencies. Hosting provider KnownHost reports evidence that exploitation began as early as February 23, 2026, roughly two months before the public advisory and patch.
What assets are affected by CVE-2026-41940?
The vulnerability affects all supported versions of cPanel and WHM released after version 11.40, as well as WP Squared, a managed WordPress hosting platform built on cPanel. Patched releases span seven version branches: 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, 11.136.0.5, and WP Squared 136.1.7. Servers with auto-update disabled or pinned to a specific build will not patch automatically.
In practice, an affected asset is a cPanel or WHM management interface served by the cpsrvd daemon on TCP/2082, TCP/2083 (cPanel), TCP/2086, TCP/2087 (WHM), or TCP/2095, TCP/2096 (Webmail). These interfaces are typically reachable over the public internet because shared hosting customers, resellers, and operations teams need browser access to the panel. Public internet scanning data indicates approximately 1.5 million cPanel instances exposed on the open web, with the actual vulnerable population unknown but expected to be the majority of unpatched systems.
The asset profile is consistent across the exposed population: long-running web hosting servers, shared infrastructure operated by hosting providers and resellers, and individual organizations running their own cPanel boxes. Because cPanel is the management plane for a large share of the global hosting market, a single unpatched instance can represent control over hundreds or thousands of downstream sites.
What does our data show about exposure patterns?

Exposure in this set is led by Industrials at 25.4% of observed assets, with Consumer Discretionary contributing 16.3% and Communication Services 15.6%. The remaining 42.6% is spread across Health Care, Consumer Staples, Energy, Materials, Financials, Information Technology, and Utilities, with no single sector dominating the tail.
Industrials lead because the sector covers a wide mix of capital goods manufacturers, commercial services firms, and transport operators that historically rely on outsourced web hosting and reseller infrastructure for marketing sites, partner portals, and regional subsidiary properties.
These deployments tend to outlive the projects that created them, accumulate ownership ambiguity, and rarely sit on an active patch cadence. Consumer Discretionary and Communication Services follow a similar pattern, with media properties, hospitality brands, and consumer-facing storefronts often hosted on cPanel-managed servers procured through agencies or local providers.
The cross-sector spread is the more telling signal. cPanel is not concentrated in any one industry because it is the default control panel for a substantial share of the global shared hosting market. That makes the distribution a proxy for which sectors carry the most forgotten or loosely governed web infrastructure. The large share in the Others tail reflects how many of these assets sit outside the primary asset inventory of their owning organization, often discovered only when an external attack surface scan surfaces them.
Are fixes available?
Patches are available. cPanel released fixed versions on April 28, 2026, covering seven supported version branches: 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, 11.136.0.5, and WP Squared 136.1.7. Operators should run the cPanel update script (/scripts/upcp --force), confirm the build version after the update, and restart cpsrvd to ensure the new code path is loaded.
Servers with auto-update disabled or version pinning will not receive the fix automatically and require manual intervention. CISA's KEV entry sets a remediation deadline of May 3, 2026 for federal civilian agencies, and several major hosting providers, including Namecheap, KnownHost, HostPapa, and InMotion, blocked inbound traffic to cPanel ports as a precautionary measure ahead of customer patching.
Operators should verify the patched build directly on each host rather than relying on dashboard reporting, given the staggered rollout across version branches and the existence of pinned environments where automatic updates are disabled.
Are there any other recommended actions to take?
Until patches are confirmed in place, restrict inbound access to TCP/2082, TCP/2083, TCP/2086, TCP/2087, TCP/2095, and TCP/2096 at the network edge or via host firewall to known administrative IPs only. Stop the cpsrvd and cpdavd services on systems that cannot be patched immediately.
Review /usr/local/cpanel/logs/access_log and the session directory for unexpected sessions, anomalous login activity, or session files containing injected user=root or hasroot=1 properties. Rotate credentials on any host that was internet-reachable before patching, and run cPanel's published indicator-of-compromise script to surface known exploitation artifacts.
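As an added triage example (not cPanel's or CyCognito's code), the two review checks above in Python: flag Basic Authorization values whose decoded credential contains CR/LF, and flag session files carrying the escalation properties the advisory names. The one-property-per-line session layout and the sample data are assumptions constructed for this example.

```python
import base64
import binascii
import re

# Session properties the advisory names as the escalation payload.
ESCALATION = {("user", "root"), ("hasroot", "1")}
CTRL = re.compile(rb"[\r\n\x00]")

def basic_auth_has_crlf(header_value):
    """True when a 'Basic <base64>' value decodes to bytes containing CR, LF or NUL."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        raw = base64.b64decode(blob, validate=True)
    except (ValueError, binascii.Error):
        return False  # not valid base64: worth logging, but not a CRLF finding
    return CTRL.search(raw) is not None

def session_findings(text):
    """Reasons a session file needs manual review (empty list means nothing seen).
    Layout assumed here: one key=value property per line."""
    reasons, counts = set(), {}
    if "\r" in text:
        reasons.add("raw CR in session file")
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        counts[key] = counts.get(key, 0) + 1
        if (key, value) in ESCALATION:
            reasons.add(f"{key}={value}")  # genuine root logins also match; confirm by hand
    for key, n in counts.items():
        if n > 1:  # original property plus an appended copy
            reasons.add(f"duplicate key {key}")
    return sorted(reasons)

# Constructed samples, not real captures.
SAMPLE_HEADERS = {
    "clean": "Basic " + base64.b64encode(b"alice:s3cret").decode(),
    "crlf": "Basic " + base64.b64encode(b"alice:x\r\nhasroot=1\r\n").decode(),
}
SAMPLE_SESSIONS = {
    "normal": "user=alice\nhasroot=0\ncreated=1777000000\n",
    "tampered": "user=alice\nhasroot=0\ncreated=1777000000\nuser=root\nhasroot=1\n",
}
```

Run `session_findings` over each file in the session directory and `basic_auth_has_crlf` over any logged Authorization values; a non-empty result is a lead for manual review, not proof of compromise.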
How can CyCognito help your organization?
CyCognito published an Emerging Threat Advisory for CVE-2026-41940 in the CyCognito platform and is actively researching enhanced detection capabilities for this vulnerability.
To learn how CyCognito can help your organization reduce external exposure and manage emerging threats more effectively, contact us to request a demo.