A critical authentication bypass in cPanel & WHM — tracked as CVE-2026-41940 and rated CVSS 9.8 — is being exploited in the wild, exposing an estimated 1.5 million internet-facing hosting control panels to full takeover. The flaw lets an unauthenticated, remote attacker forge a root-level administrative session without any credentials. Anyone operating an on-premise cPanel & WHM or WP Squared deployment should treat patching as an emergency.
What CVE-2026-41940 is
cPanel shipped a security update on April 28, 2026 that its release notes vaguely described as fixing "an issue with session loading and saving." The CVE was formally assigned the next day, April 29, 2026. According to the NVD entry and the CVE.org record, every release of cPanel & WHM after version 11.40 contains an authentication bypass in the login flow that an unauthenticated remote attacker can abuse. The WP Squared product line is affected as well.
The impact is severe because of what the software does. WHM grants root-level administration of the server, while cPanel is the end-user console for sites, databases, email, and DNS. Owning the panel means owning everything behind it — every hosted website, database, configuration file, and stored credential on the box.
How the exploit works
watchTowr released a complete technical breakdown and a working proof of concept on April 29, 2026. The community has since labeled the bug "SessionScribe" (see the GitHub topic for CVE-2026-41940). At its core, the issue is a Carriage Return Line Feed (CRLF) injection in the login and session-loading paths of cpsrvd, the central cPanel service daemon.
The chain plays out like this:
- Before authentication finishes, `cpsrvd` writes a fresh session file to disk on behalf of the connecting client.
- The attacker tampers with the `whostmgrsession` cookie, dropping an expected segment of its value so the supplied data sidesteps the encryption step that session cookies normally undergo.
- Raw `\r\n` sequences are then injected through a crafted HTTP Basic `Authorization` header. Because `cpsrvd` writes the session file without sanitizing this input, those newlines land directly in the on-disk session file.
- With newline control, the attacker can append arbitrary session properties to the file — for example, a line setting `user=root` — effectively fabricating a root session.
- Once the session is reloaded from disk, the forged token is honored as a fully authenticated administrator.
What makes this dangerous is its sheer simplicity: no brute forcing, no stolen passwords, no existing foothold. Any host that exposes the affected cPanel service on the network is vulnerable out of the box.
Technical background: CRLF injection into session storage
This bug belongs to a well-understood class of header- and CRLF-injection flaws. When a service takes attacker-influenced input and writes it into a structured, line-delimited file (session stores, log files, config snippets) without stripping control characters, an attacker who can smuggle a literal carriage-return/newline pair can break out of the intended field and add new lines of their own.
Session files are frequently stored as simple newline-delimited key=value records. Conceptually, a benign record might look like this:
```
user=guest
authenticated=0
```
If the value of one field is taken from an unsanitized header and a `\r\n` slips through, the attacker can terminate the current line early and inject a new directive — generically:
```
GET /login HTTP/1.1
Host: target.example
Authorization: Basic <payload-containing-%0d%0auser=root>
```
The decoded payload's embedded newline turns a single field into two lines on disk, so the stored session becomes:
```
user=guest
user=root
authenticated=1
```
On the next read, the parser honors the injected `user=root`. The general defenses are the same wherever this pattern appears: reject or strip `\r` and `\n` from any input that flows into a structured sink, encode values before serialization, and never write client-controlled session state to disk before authentication completes. The illustration above is generic — see the watchTowr write-up and the linked tooling for the specifics of how the cPanel chain is triggered.
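The serialization pattern just described, as an added example that is neither from this article nor from cPanel's code: a naive key=value session writer, the same writer hardened to reject control characters, a second hardened variant that percent-encodes values instead, and a last-assignment-wins parser that shows why an injected line takes effect on reload. The field names, the tainted value, and the file layout are constructed for the illustration.

```python
import re
from typing import Dict
from urllib.parse import quote, unquote

# Characters that must never reach a line-delimited sink unescaped.
CONTROL_CHARS = re.compile(r"[\r\n\x00]")


def serialize_unsafe(fields: Dict[str, str]) -> str:
    """Vulnerable pattern: values are written verbatim, so an embedded
    CR/LF ends the current record and starts a new one."""
    return "".join(f"{key}={value}\n" for key, value in fields.items())


def serialize_rejecting(fields: Dict[str, str]) -> str:
    """Hardened pattern 1: refuse any key or value carrying control
    characters (or a '=' in the key) rather than trying to clean it."""
    for key, value in fields.items():
        if CONTROL_CHARS.search(key) or CONTROL_CHARS.search(value):
            raise ValueError(f"control character in session field {key!r}")
        if "=" in key:
            raise ValueError(f"separator in session key {key!r}")
    return "".join(f"{key}={value}\n" for key, value in fields.items())


def serialize_encoded(fields: Dict[str, str]) -> str:
    """Hardened pattern 2: percent-encode every value, so CR/LF become
    '%0D%0A' and can never be read back as a line break."""
    return "".join(f"{key}={quote(value, safe='')}\n" for key, value in fields.items())


def parse_session(text: str, encoded: bool = False) -> Dict[str, str]:
    """Last assignment wins, which is exactly what lets an injected
    trailing 'user=root' line override the legitimate value."""
    session: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        session[key.strip()] = unquote(value) if encoded else value.strip()
    return session


# Constructed example of a value as it might arrive after decoding a
# crafted header: a legitimate field followed by two injected records.
TAINTED_NAME = "alice\r\nuser=root\r\nauthenticated=1"
FIELDS = {"authenticated": "0", "user": "guest", "login_name": TAINTED_NAME}


def forged_session() -> Dict[str, str]:
    """The unsafe writer followed by a reload: the forged fields win."""
    return parse_session(serialize_unsafe(FIELDS))


def rejecting_writer_blocks() -> bool:
    """True if the rejecting writer refuses the tainted input."""
    try:
        serialize_rejecting(FIELDS)
    except ValueError:
        return True
    return False


def encoded_session() -> Dict[str, str]:
    """The encoding writer keeps the CR/LF inside one value on reload."""
    return parse_session(serialize_encoded(FIELDS), encoded=True)


if __name__ == "__main__":
    print("unsafe   :", forged_session())
    print("rejecting:", "blocked" if rejecting_writer_blocks() else "accepted")
    print("encoded  :", encoded_session())
```

Rejecting is the simpler control when the field never legitimately contains control characters; encoding is the right choice when it might. Either way the fix belongs at the sink, not in the parser, and neither removes the need to defer writing session state until authentication has completed.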
Exploitation in the wild
Evidence suggests attacks predate public disclosure by months. KnownHost, a managed cPanel hosting provider, confirmed in-the-wild exploitation and pointed to speculation that targeted zero-day activity may have started as early as February 23, 2026 — more than two months before cPanel's advisory.
A Shodan search for internet-exposed cPanel instances surfaces roughly 1.5 million potentially vulnerable systems. With a public PoC now circulating, researchers expect broad opportunistic exploitation to follow quickly. Defenders should assume scanning and compromise of unpatched hosts is already underway.
Affected and fixed versions
Every cPanel & WHM build after 11.40 is affected. The patched releases are:
- cPanel & WHM 11.86.0 — fixed in 11.86.0.41
- cPanel & WHM 11.110.0 — fixed in 11.110.0.97
- cPanel & WHM 11.118.0 — fixed in 11.118.0.63
- cPanel & WHM 11.126.0 — fixed in 11.126.0.54
- cPanel & WHM 11.130.0 — fixed in 11.130.0.19
- cPanel & WHM 11.132.0 — fixed in 11.132.0.29
- cPanel & WHM 11.134.0 — fixed in 11.134.0.20
- cPanel & WHM 11.136.0 — fixed in 11.136.0.5
- WP Squared — fixed in 136.1.7
Because the vendor may publish further updates, confirm the latest fixed build against the official advisory before remediating.
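A fleet-side check of installed builds against the fixed-build list above, as an added example that is not part of this article or of cPanel's tooling. It compares version strings component-wise and maps each build to its release branch (the first three components); a branch missing from the table returns `None`, which a report should treat as affected until the vendor advisory says otherwise. It assumes the version string is obtainable from each host (on a standard install the file `/usr/local/cpanel/version` is assumed to hold it).

```python
from typing import Optional, Tuple

# Fixed builds exactly as listed in this article, keyed by release branch.
# Re-check the vendor advisory before relying on this table.
FIXED_BUILDS = {
    "11.86.0": "11.86.0.41",
    "11.110.0": "11.110.0.97",
    "11.118.0": "11.118.0.63",
    "11.126.0": "11.126.0.54",
    "11.130.0": "11.130.0.19",
    "11.132.0": "11.132.0.29",
    "11.134.0": "11.134.0.20",
    "11.136.0": "11.136.0.5",
}
WP_SQUARED_FIXED = "136.1.7"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '11.126.0.53' into (11, 126, 0, 53) for component-wise comparison."""
    return tuple(int(part) for part in version.strip().split("."))


def branch_of(version: str) -> str:
    """Release branch is the first three components: '11.126.0.53' -> '11.126.0'."""
    return ".".join(version.strip().split(".")[:3])


def is_patched(version: str, product: str = "cpanel") -> Optional[bool]:
    """True if the build is at or above the fixed build for its branch,
    False if it is below, None if the branch is not in the table.
    Treat None as unpatched until confirmed against the advisory."""
    if product == "wp-squared":
        return parse_version(version) >= parse_version(WP_SQUARED_FIXED)
    fixed = FIXED_BUILDS.get(branch_of(version))
    if fixed is None:
        return None
    return parse_version(version) >= parse_version(fixed)


def assess(version: str, product: str = "cpanel") -> str:
    """One-line verdict suitable for a fleet report."""
    status = is_patched(version, product)
    if status is None:
        return f"{product} {version}: branch not in fixed-build table, treat as affected"
    return f"{product} {version}: {'patched' if status else 'VULNERABLE, upgrade now'}"


if __name__ == "__main__":
    import sys
    # With no arguments, run against a few constructed sample builds.
    for arg in sys.argv[1:] or ["11.126.0.53", "11.126.0.54", "11.120.0.10"]:
        print(assess(arg))
```

Run it as `python3 check_build.py "$(cat /usr/local/cpanel/version)"` on each host (path is an assumption, see above), or feed it the inventory your configuration management already collects.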
Detection and mitigation
For on-premise cPanel & WHM or WP Squared operators, this is a drop-everything patching event:
- Patch now. Upgrade to one of the fixed builds above. This is the only dependable fix.
- Hunt for prior compromise. Given the possibility of zero-day abuse reaching back to February 2026, patching alone isn't enough. Review server logs, session files, and account activity for unauthorized access both before and after your patch window.
- Constrain network exposure. Some providers have temporarily blocked TCP access to the cPanel & WHM web service ports `2083` and `2087` as a stopgap. This shrinks the attack surface but does not replace patching — use it only as a bridge while you stage upgrades.
- Scan for the vulnerability. Rapid7 Exposure Command, InsightVM, and Nexpose users can measure exposure with the authenticated vulnerability checks published on April 30, 2026.
The community tooling collected under the CVE topic includes a defense-in-depth active mitigation shim, a ModSecurity rule pack, a remote probe, and an on-host IOC scanner that can help with detection and temporary hardening.
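A minimal on-host audit of the kind the "hunt for prior compromise" step calls for, as an added example that is neither the community IOC scanner nor cPanel code. It reads newline-delimited key=value session records, the generic format illustrated in the technical background section, and reports the three artefacts an injected CRLF leaves behind: a record terminated by a stray CR, a key assigned twice, and a `user` value that jumps from an unprivileged name to `root`. The record format is an assumption about the store, and the sample records are constructed.

```python
import sys
from typing import Dict, List, NamedTuple, Tuple

# Values that should only appear after a genuine administrator login.
PRIVILEGED_USERS = {"root"}


class Finding(NamedTuple):
    line: int
    kind: str
    detail: str


def audit_session_text(text: str) -> List[Finding]:
    """Flag records that a CRLF injection would leave behind in a
    key=value session file (assumed format, see lead-in)."""
    findings: List[Finding] = []
    first_seen: Dict[str, Tuple[int, str]] = {}
    # Split on LF only so a stray CR from an injected "\r\n" stays visible.
    for number, raw in enumerate(text.split("\n"), start=1):
        if raw == "":
            continue
        line = raw
        if line.endswith("\r"):
            findings.append(Finding(number, "mixed-line-ending",
                                    "record ends with CR; a clean writer emits LF only"))
            line = line[:-1]
        if "=" not in line:
            findings.append(Finding(number, "malformed", repr(line)))
            continue
        key, _, value = line.partition("=")
        if key in first_seen:
            prev_line, prev_value = first_seen[key]
            findings.append(Finding(number, "duplicate-key",
                                    f"{key} set to {prev_value!r} on line {prev_line}, now {value!r}"))
            if key == "user" and prev_value not in PRIVILEGED_USERS and value in PRIVILEGED_USERS:
                findings.append(Finding(number, "privilege-escalation",
                                        f"user changed from {prev_value!r} to {value!r}"))
        else:
            first_seen[key] = (number, value)
    return findings


def audit_file(path: str) -> List[Finding]:
    # newline="" keeps CR bytes intact instead of translating them away.
    with open(path, "r", encoding="utf-8", errors="replace", newline="") as fh:
        return audit_session_text(fh.read())


# Constructed samples: one clean record set and one carrying injected lines.
SAMPLE_CLEAN = "authenticated=1\nuser=alice\n"
SAMPLE_SUSPECT = ("authenticated=0\nuser=guest\n"
                  "login_name=alice\r\nuser=root\r\nauthenticated=1\n")


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        for finding in audit_session_text(SAMPLE_SUSPECT):
            print(f"line {finding.line}: {finding.kind}: {finding.detail}")
    for path in paths:
        for finding in audit_file(path):
            print(f"{path}:{finding.line}: {finding.kind}: {finding.detail}")
```

Point it at copies of the session store taken before any cleanup, and keep the originals: the stray CR and the duplicated keys are the evidence that distinguishes an injected record from an administrator's legitimate root session, so normalising line endings first would destroy exactly what you are looking for.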
A public PoC is circulating and exploitation is already confirmed, so the cost of waiting is concrete: any unpatched cPanel host still reachable from the internet should be considered a breach waiting to happen. Handle it as a P0 incident.
Why cPanel bugs are prime targets
cPanel & WHM is a force multiplier for attackers. One compromised host can expose dozens or hundreds of hosted sites along with their databases, customer records, email archives, and SSL certificates. A single successful exploit can hand an adversary an entire hosting business and all of its clients' assets at once.
That post-exploitation payoff makes CVE-2026-41940 equally attractive to ransomware crews, credential harvesters, and espionage actors. The mix of mass exposure (~1.5 million instances), a trivial exploit, and high-value follow-on access places it in the same urgency bracket as Log4Shell and ProxyLogon.
Bottom line
CVE-2026-41940 checks every box for a worst-case flaw: unauthenticated, remotely exploitable, aimed at a ubiquitous platform, with a public proof of concept already out and exploitation confirmed. Teams responsible for cPanel & WHM should start emergency patching immediately, run retrospective log analysis to catch any earlier breach, and verify network-level exposure of the affected service ports. There's no defensible reason to wait.