Critical cPanel and WHM Bug Exploited as Zero-Day Vulnerability
An authentication bypass vulnerability, tracked as CVE-2026-41940, has been discovered in cPanel, WHM, and WP Squared and is being actively exploited in the wild. Exploitation dates back to late February: KnownHost, a hosting provider that uses cPanel, confirmed successful exploitation attempts before a fix was made available.
According to KnownHost CEO Daniel Pearson, the company observed execution attempts as early as 2/23/2026. The issue stems from a “Carriage Return Line Feed (CRLF) injection in the login and session loading processes of cPanel & WHM,” as revealed by newly published technical details that could be used to build an exploit.
cPanel released a fix on April 28 after pressure from hosting providers. To safeguard customers, Namecheap temporarily restricted connections to cPanel and WHM ports 2083 and 2087 until patches were deployed.
watchTowr, an offensive security company, explained that the vulnerability was caused by improper session handling in cPanel & WHM, allowing user-controlled input from the Authorization header to be written into server-side session files without proper sanitization. They also detailed how the bug could be triggered to log into the system without validating the provided password, potentially leading to a working exploit.
Rapid7 reported that approximately 1.5 million cPanel instances are exposed online, although the exact number vulnerable to CVE-2026-41940 remains unknown. Exploiting this vulnerability can grant an attacker control over the cPanel host system, configurations, databases, and managed websites.
cPanel updated its security advisory to indicate that the vulnerability also affects WP Squared, a management panel for WordPress hosting built on cPanel. Contrary to initial statements, only cPanel versions after 11.40 are impacted by the security flaw.
cPanel recommends that all customers restart the ‘cpsrvd’ service after installing the latest software releases. Affected releases and fixed versions are listed as follows:
- cPanel/WHM 11.110.0 → fixed in 11.110.0.97
- cPanel/WHM 11.118.0 → fixed in 11.118.0.63
- cPanel/WHM 11.126.0 → fixed in 11.126.0.54
- cPanel/WHM 11.132.0 → fixed in 11.132.0.29
- cPanel/WHM 11.134.0 → fixed in 11.134.0.20
- cPanel/WHM 11.136.0 → fixed in 11.136.0.5
- WP Squared 11.136.1 → fixed in 11.136.1.7
If immediate patching is not feasible, customers are advised to block external access to ports 2083, 2087, 2095, and 2096, or halt the ‘cpsrvd’ and ‘cpdavd’ cPanel core services.
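As an added example (not part of the article and not cPanel's own tooling), the following Python script compares an installed cPanel/WHM or WP Squared version string against the fixed releases listed above, so an administrator can confirm whether a host still needs the update. It assumes the installed version is readable from `/usr/local/cpanel/version` (a path assumed here, not taken from the advisory); any other path can be passed explicitly.

```python
"""Check a cPanel/WHM or WP Squared version against the CVE-2026-41940 fixed
releases. Added example, not cPanel's own detection script."""

import sys

# First fixed build for each affected release branch, taken from the advisory
# list reproduced in the article (major, minor, patch) -> full fixed version.
FIXED_VERSIONS = {
    (11, 110, 0): (11, 110, 0, 97),
    (11, 118, 0): (11, 118, 0, 63),
    (11, 126, 0): (11, 126, 0, 54),
    (11, 132, 0): (11, 132, 0, 29),
    (11, 134, 0): (11, 134, 0, 20),
    (11, 136, 0): (11, 136, 0, 5),
    (11, 136, 1): (11, 136, 1, 7),   # WP Squared
}


def parse_version(text):
    """Turn '11.110.0.97' into (11, 110, 0, 97); raises ValueError on junk."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 4:
        raise ValueError("expected a four-part version, got %r" % text)
    return parts


def is_patched(version_text):
    """Return True if the version is at or above the fixed build for its
    branch, False if it is below, or None if the branch is not in the
    advisory table (e.g. a release that is not listed as affected)."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:3])
    if fixed is None:
        return None
    return version >= fixed


def read_installed_version(path="/usr/local/cpanel/version"):
    """Read the installed version string; the path is an assumption."""
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read().strip()


def main(argv):
    # Accept a version on the command line (handy for checking a remote
    # host's reported version) or fall back to the local version file.
    version_text = argv[1] if len(argv) > 1 else read_installed_version()
    result = is_patched(version_text)
    if result is None:
        print("%s: branch not listed in the advisory, verify manually" % version_text)
        return 2
    if result:
        print("%s: at or above the fixed build" % version_text)
        return 0
    print("%s: BELOW the fixed build, update and restart cpsrvd" % version_text)
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments on the host itself, or pass a version string (for example `python3 check_cpanel.py 11.136.0.4`) to check a version collected elsewhere; exit code 1 means the host is below the fixed build.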
cPanel also offers a detection script to check for compromise. In case of indicators, it is recommended to purge sessions, reset credentials, audit logs, and investigate persistence mechanisms. watchTowr has developed a Detection Artifact Generator script to verify vulnerability to CVE-2026-41940 for cPanel and WHM instances.