Auth bypass in cPanel/WHM lets attackers seize servers
Active exploit CVE-2026-41940 bypasses cPanel/WHM authentication, grants admin access to servers hosting over 1 million sites; cPanel issued patches April 28, 2026.
A critical authentication-bypass vulnerability in cPanel and WebHost Manager (WHM), tracked as CVE-2026-41940, is being actively exploited. The flaw can allow an attacker to access the control panel without credentials and gain administrator-level control of affected servers. cPanel released patches for the issue on April 28, 2026.
The vulnerability bypasses the normal login process for the web hosting control panel. With administrator access, an attacker can create or modify accounts, change site files, deploy malware, exfiltrate data and attempt privilege escalation across the server. Because many hosting servers run multiple customer sites, a single compromised server can affect dozens or hundreds of websites.
CVE-2026-41940 has been added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog. cPanel indicates that every supported release after version 11.40 is affected, including specialized builds such as DNSOnly and WP Squared. Hosting providers including Namecheap, HostGator and KnownHost temporarily blocked external access to cPanel interfaces while applying patches. Some providers reported exploit attempts beginning in late February 2026.
cPanel provided update packages and installation instructions on April 28, and operators are instructed to apply the vendor updates immediately. The vendor also directed administrators to restart services where required and to review access logs for signs of unauthorized access. Operators unable to patch immediately have in some cases limited or blocked external access to cPanel and WHM to reduce exposure.
Website owners should assume risk until their host confirms a patched environment. Reducing stored personal and payment information on third-party sites and avoiding saved card details can limit exposure. Account holders are advised to use unique passwords, enable two-factor authentication where available, and prefer hardware-backed or FIDO2-compliant authenticators when supported.
System administrators are advised to audit servers for indicators of compromise, review scheduled tasks and webroot file changes, rotate credentials used by automated services, and verify that patches have been applied. Organizations in sectors such as finance and healthcare, where hosting platforms often support sensitive data, are recommended to confirm patch status promptly to reduce the chance of unauthorized access.
