
CVE-2026-41940 — cPanel Authentication Bypass Explained

ZyberWalls Research Team Independent cybersecurity researchers covering zero-days, CVEs, breach analysis and threat intelligence. All facts verified from primary sources.

Priya runs a small e-commerce business in Jaipur. She sells handmade jewellery online. Her website runs on a shared hosting plan she bought three years ago from a popular hosting company. She does not manage any servers. She does not know what cPanel is. She just logs into her hosting dashboard when she needs to upload a new product photo or check her email.

On April 28, 2026, her hosting company sent her an urgent email saying her control panel access had been temporarily blocked. She was confused. Her website looked fine from the outside. But behind the scenes, every website on the same server as hers — including hers — had been sitting wide open to any attacker on the internet since at least February.

Not because of anything she did. Because of a single missing check in the software that runs millions of websites worldwide.

CVE-2026-41940 — cPanel Authentication Bypass — Key Facts
  • CVE: CVE-2026-41940 — Critical authentication bypass in cPanel and WHM
  • CVSS Score: 9.8 Critical — no login required, remotely exploitable, full admin access
  • Disclosed: April 28, 2026 — but actively exploited since at least February 23
  • Exploitation window: At least 64 days before the patch was released
  • Affects: All supported versions of cPanel and WHM — every version above 11.40
  • Scale: Over 70 million domains run on cPanel — 1.5 million instances internet-exposed
  • What attackers can do: Take over websites, databases, email accounts, and server configurations — for every website on the same server
  • Who raised the alarm: KnownHost CEO confirmed exploitation attempts dating back to February 23
  • Industry response: Namecheap, KnownHost, hosting.com, HostPapa, and InMotion all blocked cPanel access globally within hours of disclosure
  • Canada's cyber agency: Issued national advisory — "exploitation is highly probable, immediate action required"
  • Patch available: Released April 28, 2026 — hours after the advisory went public
  • Also affected: WP Squared — cPanel's WordPress management tool — patched in same update
Illustration: a "master key" unlocking a server labelled WHM, with data streams flowing from several hosted websites (including a small business site) into an attacker's console; a timeline marks the 64-day exploitation window from February 23 to April 28, 2026, and lists mitigations such as port blocking and credential rotation.

What Is cPanel — Simple Explanation

When you buy a website hosting plan, you get a control panel — a dashboard where you can manage everything about your website. Create email accounts. Set up databases. Upload files. Install WordPress. Manage security certificates. That dashboard, for the vast majority of hosting providers worldwide, is cPanel.

WHM — Web Host Manager — sits one level above cPanel. It is what the hosting company itself uses to manage all its customers' accounts on a single server. Think of cPanel as the key to one apartment, and WHM as the master key to the entire building. With WHM access, you have root-level control — the highest possible authority — over every website, database, and email account on that server.

According to Rapid7, approximately 1.5 million cPanel instances are directly exposed to the internet. Behind those instances sit tens of millions of websites — small businesses, blogs, e-commerce shops, news sites, school websites, and everything in between.

Root Cause — The Lock That Forgot to Check the Key

This vulnerability was caused by a fundamental flaw in how cPanel verified whether someone logging in was actually who they claimed to be.

When you log into cPanel, the software runs a series of checks. One of those checks looks at whether a previous authentication has already been completed — specifically, whether a timestamp exists in the session data indicating a successful prior login. The logic was: if there is already a verified timestamp in the session, skip the password check and let them in.

The problem: an attacker could inject their own fake timestamp into the session data before the check ran. cPanel would see the timestamp, conclude that authentication had already been completed, and grant full administrative access — without ever checking a password.

Think of it like a nightclub with a bouncer who checks for a wristband. The wristband proves you already passed the entry check inside. The bug is that anyone could walk up to the bouncer wearing a homemade wristband — and the bouncer would wave them straight through without looking at ID, because the wristband was proof enough. The attacker made their own wristband. The bouncer never questioned it.

WatchTowr, the security research firm that analysed the flaw in depth, described it precisely: if either authentication timestamp is set in the session data, password validation is skipped and access is granted unconditionally — the system's password file is never consulted at all.

The attack required no special tools, no advanced technical skill, and no prior access to the target. Send a crafted request with a fake session cookie. Get full admin access. Done.
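As an added illustration, not cPanel's code and not WatchTowr's analysis, the constructed Python model below contrasts the flawed pattern described above, where a session marker supplied by the client short-circuits the password check, with a hardened design in which the "already authenticated" record is written only by the server and the client holds nothing but an opaque session id plus an HMAC over it. The function names (`vulnerable_authenticate`, `hardened_authenticate`, `login`), the `SERVER_SESSIONS` store, the per-process `SECRET_KEY`, and the sample credential are all assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed credential store for the demo (plaintext only to keep the model short;
# a real system stores a salted password hash).
PASSWORDS = {"admin": "correct horse battery staple"}


def vulnerable_authenticate(session: dict, username: str, password: Optional[str]) -> bool:
    """Flawed pattern: the session contents arrive from the client, and the mere
    presence of a 'prior authentication' timestamp skips the password check."""
    if session.get("auth_timestamp"):
        return True  # trusts a marker the client itself supplied
    return PASSWORDS.get(username) == password


# Hardened model: authenticated state is recorded only on the server, and the client
# holds nothing but an opaque session id plus an HMAC tag over that id.
SECRET_KEY = secrets.token_bytes(32)  # hypothetical per-process key
SERVER_SESSIONS: dict = {}            # session id -> record written by the server


def _sign(session_id: str) -> str:
    tag = hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def _lookup(cookie: Optional[str]) -> Optional[dict]:
    """Return the server-side record only if the cookie's HMAC tag verifies."""
    if not cookie or "." not in cookie:
        return None
    session_id, tag = cookie.rsplit(".", 1)
    expected = hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # forged or tampered cookie: no record, no trust
    return SERVER_SESSIONS.get(session_id)


def _check_password(username: str, password: Optional[str]) -> bool:
    expected = PASSWORDS.get(username)
    if expected is None or password is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def login(username: str, password: str) -> Optional[str]:
    """Verify credentials first; only then write the timestamp server-side
    and hand back a signed cookie that points at that record."""
    if not _check_password(username, password):
        return None
    session_id = secrets.token_urlsafe(24)
    SERVER_SESSIONS[session_id] = {"user": username, "auth_timestamp": time.time()}
    return _sign(session_id)


def hardened_authenticate(cookie: Optional[str], username: str, password: Optional[str]) -> bool:
    """Prior authentication counts only if the server itself recorded it."""
    record = _lookup(cookie)
    if record is not None and record.get("auth_timestamp") and record.get("user") == username:
        return True
    return _check_password(username, password)
```

The hardened variant does not check the password more carefully; it checks the session more carefully. The timestamp is never read from anything the client sent, and the cookie's tag is compared in constant time before the server-side record is consulted, so a fabricated "already logged in" marker has nowhere to land.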

64 Days — The Window Nobody Talks About

The most alarming detail in this entire story is not the vulnerability itself. It is the timeline.

KnownHost CEO Daniel Pearson confirmed his company had seen exploitation attempts dating back to February 23. The patch was released on April 28. That is a gap of 64 days during which attackers had a working exploit for one of the most widely used pieces of hosting infrastructure on the internet — and the vast majority of website owners had no idea.

The vulnerability was privately disclosed to cPanel approximately two weeks before public disclosure. However, confirmed active exploitation in the wild forced cPanel to accelerate its emergency patch rollout.

This means cPanel knew about the vulnerability for roughly two weeks before telling anyone. During those two weeks — and for the 50 days before that — attackers were already using it. The private disclosure process, designed to give vendors time to fix quietly before attackers find out, did not work here. The attackers already knew.

This is the same pattern we documented last week in our analysis of the exploit race:

Patching Is Losing the Race: Why Attackers Move Faster Than Fixes

What Attackers Can Do With Full cPanel Access

This is where shared hosting makes the situation uniquely dangerous. On a shared hosting server, dozens or hundreds of different websites all run on the same physical machine. They share resources, but they are supposed to be isolated from each other — you cannot access your neighbour's files just because you share a server.

WHM access breaks that isolation completely.

With root-level WHM access on a shared hosting server, an attacker can access every website on that server simultaneously. Every database — containing customer orders, contact forms, user accounts, stored payment records. Every email account — inbox, sent items, saved contacts. Every configuration file — database passwords, API keys, secret keys embedded in application code. Every file that any website owner has ever uploaded.

And they can do all of this silently. No notification to the website owner. No alert from the hosting company. No warning anywhere. The websites continue running normally while an attacker reads through everything behind the scenes.

Canada's national cybersecurity agency stated that exploitation could allow attackers to take control of hosted websites, databases and email accounts, modify server configurations, and potentially compromise thousands of downstream sites on shared hosting servers.

The Industry's Response — Unusually Fast

One genuinely positive element of this story is how quickly the hosting industry reacted once the advisory went public.

Within hours of the advisory going public, hosting providers across the industry took cPanel and WHM access offline globally. Hosting.com, Namecheap, KnownHost, HostPapa, and InMotion Hosting all blocked cPanel ports at the network level while awaiting the patch.

Namecheap's status page was clear and immediate: block ports 2083 and 2087 now, apply patch when available, restore access after. No hesitation. This is what good incident response looks like from an industry that understood the severity of what it was facing.

The patch itself was released approximately two to three hours after the public advisory — an unusually fast turnaround that suggests cPanel had it ready before going public.

Indicators of Compromise (IOCs)

# CVE-2026-41940 cPanel Authentication Bypass — Detection

# Step 1 — Check your cPanel version
# Log into WHM or run from command line:
/usr/local/cpanel/cpanel -V

# Safe versions (patch applied):
# 110.0.x → 11.110.0.97 or later
# 118.0.x → 11.118.0.63 or later
# 126.0.x → 11.126.0.54 or later
# 132.0.x → 11.132.0.29 or later
# 134.0.x → 11.134.0.20 or later
# 136.0.x → 11.136.0.5 or later

# Step 2 — Force immediate update if not auto-updated
/scripts/upcp --force
# This forces cPanel to update immediately without waiting

# Step 3 — Block cPanel ports at firewall if patch not yet applied
# Block inbound TCP on these ports:
# 2083 (cPanel SSL)
# 2087 (WHM SSL)
# 2095 (Webmail SSL)
# 2096 (Webmail non-SSL)

# Step 4 — Audit access logs for the exposure window
# Check WHM and cPanel access logs from February 23 to patch date
# Look for:
Alert: Successful WHM or cPanel logins from unknown IP addresses
Alert: New user accounts created during the exposure window
Alert: Configuration changes not initiated by known administrators
Alert: New files uploaded — especially .php files in web directories
Alert: Database exports or large data access from unusual IPs
Alert: New cron jobs or scheduled tasks added to server

# Step 5 — Run cPanel's official IOC detection script
# cPanel has provided a script to search for known exploitation indicators
# Available through your cPanel support portal
# Run on all servers that were unpatched during the exposure window

# Step 6 — Check for web shells (backdoors left by attackers)
# Create a reference file dated to the start of the exposure window,
# then list PHP files modified after it
touch -t 202602230000 /tmp/exposure_start
find /home -type f -name "*.php" -newer /tmp/exposure_start -ls
# Any .php files created or modified after the exploitation window began
# that were not uploaded by legitimate site owners
# should be treated as potential backdoors

SOC Alert Priorities

Priority 1 — Verify every cPanel server is running a patched version right now. If your organisation manages its own cPanel servers, run /usr/local/cpanel/cpanel -V on each one and confirm the version matches the patched builds listed above. If auto-updates are disabled or the version is pinned, update manually using /scripts/upcp --force immediately.

Priority 2 — If you use managed hosting, confirm your provider has patched. Most major providers — Namecheap, InMotion, KnownHost — moved within hours. But smaller or regional hosting providers may be slower. Log into your hosting control panel and check the cPanel version number at the bottom of the page. If it does not show a patched version, contact your provider today.

Priority 3 — Audit access logs covering February 23 to April 28. This is the known exploitation window. Any successful WHM or cPanel login during this period from an IP address that is not your own or your hosting provider's should be treated as a potential unauthorised access. Look specifically for new user accounts, configuration changes, and file uploads during this window.
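The access-log audit described in Step 4 and in Priority 3 can be scripted. The following Python is an added example, not a cPanel-provided tool, and it assumes a combined-log-style line layout with the authenticated user in the third field; cPanel's real access_log appends further trailing fields, which the pattern tolerates because it anchors only on the leading fields, but verify it against your own log lines before relying on it. The sample log lines, the `KNOWN_IPS` allowlist, and the function names are constructed for the demo; the window dates are the ones given in this article.

```python
import re
from datetime import datetime, timezone

# Exploitation window stated in the article, inclusive of both days.
WINDOW_START = datetime(2026, 2, 23, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 28, 23, 59, 59, tzinfo=timezone.utc)

# Assumed line layout: "ip ident user [timestamp] "METHOD path proto" status ..."
# Only the leading fields are anchored, so extra trailing fields are tolerated.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines for the demo (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [15/Mar/2026:02:13:50 +0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "-" "curl/8.4.0"
203.0.113.7 - admin [15/Mar/2026:02:14:09 +0000] "GET /cpsess0000000001/frontend/jupiter/index.html HTTP/1.1" 200 5123 "-" "curl/8.4.0"
192.0.2.10 - admin [15/Mar/2026:09:00:00 +0000] "GET /cpsess0000000002/frontend/jupiter/index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.5 - root [10/Feb/2026:11:30:00 +0000] "GET /cpsess0000000003/scripts/command HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# Constructed allowlist: your own addresses and your hosting provider's.
KNOWN_IPS = {"192.0.2.10"}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def suspicious_logins(log_text, known_ips):
    """Successful authenticated requests (user != '-', status 200) inside the
    exposure window from IPs that are not on the allowlist. One finding per line."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] == "-" or rec["status"] != 200:
            continue
        if not (WINDOW_START <= rec["ts"] <= WINDOW_END):
            continue
        if rec["ip"] in known_ips:
            continue
        findings.append({
            "ip": rec["ip"],
            "user": rec["user"],
            "when": rec["ts"].isoformat(),
            "path": rec["path"],
        })
    return findings


if __name__ == "__main__":
    for f in suspicious_logins(SAMPLE_LOG, KNOWN_IPS):
        print(f"Alert: {f['user']} from {f['ip']} at {f['when']} -> {f['path']}")
```

Run it against the real log (for example by reading /usr/local/cpanel/logs/access_log into `log_text`) with an allowlist of your own and your provider's addresses; anything it reports is a lead for the new-account, configuration-change and file-upload checks listed above, not a verdict on its own.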

Priority 4 — Scan for web shells on affected servers. Attackers who gained access during the 64-day window may have installed backdoors — hidden files that maintain access even after the vulnerability is patched. Search web directories for recently created PHP files that were not uploaded by legitimate users. Run cPanel's official IOC detection script on all servers that were potentially exposed.

Priority 5 — Rotate all credentials stored in cPanel-managed environments. Database passwords, email account passwords, application API keys, and FTP credentials stored in the cPanel environment should be considered potentially exposed. Reset them, especially for any application that connects to an external service using credentials stored on the server.

What Should Website Owners Do

If you use shared hosting and do not manage your own server — contact your hosting provider and ask them to confirm the patch has been applied. Most major providers have already done this, but confirmation gives you a documented record. Ask them specifically whether your server showed any signs of unauthorised access during the February 23 to April 28 window.

Change your cPanel password and all email account passwords — as a precaution, even if your provider confirms no access was detected. Credential rotation after any potential exposure window is standard good practice and costs nothing.

Check your website for unexpected changes — new pages, new redirects, unexpected content. If your website is redirecting visitors to unrelated sites or showing content you did not create, it may have been modified during the exposure window.

Enable two-factor authentication on your cPanel account — if your hosting provider supports it. This adds a second layer of verification so that even if your password is known, access still requires a code from your phone.

The ZyberWalls Perspective

Seventy million domains. Sixty-four days of active exploitation before a patch. A vulnerability so simple that it required no specialist tools or advanced skills to use.

The cPanel flaw is a reminder that the security of your website is not just determined by what you do. It is determined by the security of every piece of infrastructure your website sits on — the hosting platform, the control panel software, the shared server. Priya in Jaipur did everything right. She chose a reputable hosting company. She kept her website updated. She had no way of knowing that the software running underneath her hosting dashboard had a door that had been open for two months.

WatchTowr named their analysis of this vulnerability "The Internet Is Falling Down." cPanel and WHM run somewhere north of 70 million domains — the keys to the kingdom, and then the keys to every individual apartment inside the kingdom. That is not hyperbole. It is an accurate description of what was at stake.

The hosting industry's rapid response — blocking ports within hours, patching within a day — limited the damage. But 64 days of prior exploitation means the forensic work is only beginning. If your website runs on cPanel, treat the period from February 23 to April 28 as a window of potential compromise until your provider can confirm otherwise.


Stay Alert. Stay Human. Stay Safe.
— ZyberWalls Research Team