CVE-2026-41940
published 2026-04-29


Priority: P1 (100) · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability (due 2026-05-03)
Exploited in the wild
EPSS: 98.10% (99.9th percentile)
cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

Affected

41 ranges · showing 25

Vendor | Product | Version range | Fixed in
cpanel | cpanel | >= 11.40 < 86.0.41 | 86.0.41
cpanel | cpanel | >= 112.0.0 < 118.0.63 | 118.0.63
cpanel | cpanel | >= 120.0.0 < 124.0.35 | 124.0.35
cpanel | cpanel | >= 126.0.1 < 126.0.54 | 126.0.54
cpanel | cpanel | >= 128.0.0 < 130.0.19 | 130.0.19
cpanel | cpanel | >= 132.0.0 < 132.0.29 | 132.0.29
cpanel | cpanel | >= 134.0.0 < 134.0.20 | 134.0.20
cpanel | cpanel | >= 136.0.0 < 136.0.5 | 136.0.5
cpanel | cpanel | >= 88.0.0 < 110.0.97 | 110.0.97
cpanel | whm | >= 11.40 < 86.0.41 | 86.0.41
cpanel | whm | >= 112.0.0 < 118.0.63 | 118.0.63
cpanel | whm | >= 120.0.0 < 124.0.35 | 124.0.35
cpanel | whm | >= 126.0.1 < 126.0.54 | 126.0.54
cpanel | whm | >= 128.0.0 < 130.0.19 | 130.0.19
cpanel | whm | >= 132.0.0 < 132.0.29 | 132.0.29
cpanel | whm | >= 134.0.0 < 134.0.20 | 134.0.20
cpanel | whm | >= 136.0.0 < 136.0.5 | 136.0.5
cpanel | whm | >= 88.0.0 < 110.0.97 | 110.0.97
cpanel | wp_squared | < 136.1.7 | 136.1.7
webpros | cpanel | >= 11.104.0.0 < 11.110.0.97 | 11.110.0.97
webpros | cpanel | >= 11.112.0.0 < 11.118.0.63 | 11.118.0.63
webpros | cpanel | >= 11.120.0.0 < 11.124.0.35 | 11.124.0.35
webpros | cpanel | >= 11.126.0.0 < 11.126.0.54 | 11.126.0.54
webpros | cpanel | >= 11.128.0.0 < 11.130.0.19 | 11.130.0.19
webpros | cpanel | >= 11.132.0.0 < 11.132.0.29 | 11.132.0.29
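
As an added example that is not part of this record, a small checker that tests an installed cPanel/WHM build against the cpanel/cpanel ranges in the table above (the whm rows are identical). It assumes the version string comes from cPanel's /usr/local/cpanel/version file and that builds may carry the legacy "11." prefix; both are assumptions, not facts stated on this page.

```python
# Added example, not part of the CVE record. Checks a cPanel/WHM version
# string against the affected ranges listed in the table above.

# (lower bound inclusive, upper bound exclusive, fixed-in build), copied
# from the cpanel/cpanel rows of the table. Builds that fall between two
# listed branches (e.g. 111.x) are not in the table and report not affected.
AFFECTED_RANGES = [
    ("11.40", "86.0.41", "86.0.41"),
    ("88.0.0", "110.0.97", "110.0.97"),
    ("112.0.0", "118.0.63", "118.0.63"),
    ("120.0.0", "124.0.35", "124.0.35"),
    ("126.0.1", "126.0.54", "126.0.54"),
    ("128.0.0", "130.0.19", "130.0.19"),
    ("132.0.0", "132.0.29", "132.0.29"),
    ("134.0.0", "134.0.20", "134.0.20"),
    ("136.0.0", "136.0.5", "136.0.5"),
]


def parse_version(text):
    """Normalise a cPanel version string to a comparable tuple of ints.

    The table lists the same builds both as "110.0.97" and "11.110.0.97",
    so a leading "11." followed by a major release (>= 86) is dropped.
    Assumption: cPanel reports builds in one of those two forms.
    Short strings such as "11.40" are padded to three components.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) >= 2 and parts[0] == 11 and parts[1] >= 86:
        parts = parts[1:]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version_text):
    """Return (affected, fixed_in); fixed_in is None when not affected."""
    v = parse_version(version_text)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v < parse_version(high):
            return True, fixed
    return False, None


if __name__ == "__main__":
    import sys
    # Assumed location of the installed version string on a cPanel host.
    src = sys.argv[1] if len(sys.argv) > 1 else open("/usr/local/cpanel/version").read()
    hit, fixed = is_affected(src)
    print("affected, update to %s" % fixed if hit else "not in an affected range")
```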

Detection & IOCs (extracted from sources)

cookie: whostmgrsession (manipulated cookie; the expected segment is omitted to bypass encryption)
command: grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null
port: 2083
port: 2087
  • Detect CRLF injection in the Basic Authorization header sent to cPanel/WHM login endpoints; look for raw \r\n characters injected to manipulate session file properties (e.g., user=root).
  • Monitor for manipulation of the `whostmgrsession` cookie with a missing/truncated segment, which is the attacker's mechanism to bypass encryption and inject session properties.
  • Check cPanel/WHM logs for the IoC grep pattern targeting the LiteSpeed plugin's redisAble function, which is being actively exploited in conjunction with the cPanel ecosystem.
  • Check Point IPS signature available: 'cPanel Authentication Bypass (CVE-2026-41940)'.
  • CISA has linked CVE-2026-41940 with Sorry Ransomware; hunt for Sorry ransomware artifacts on cPanel hosts as a post-exploitation payload.
  • Monitor for Mirai botnet variant deployment on cPanel hosts following exploitation; Shadowserver observed 44,000 IP addresses engaging in scanning and brute-force attacks after exploitation.
  • The vulnerability exists in cPanel & WHM versions after 11.40 by default; all systems exposing the affected web service are vulnerable without any special misconfiguration required.
  • The session file manipulation occurs before authentication; cpsrvd writes the attacker-controlled session file to disk without sanitizing CRLF-injected data from the Basic Authorization header.
  • A public proof-of-concept exploit was published by watchTowr on April 29, 2026, making widespread exploitation immediately accessible to lower-skilled threat actors.

CVSS provenance

nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v4.0 · 9.3 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck · 9.3 CRITICAL
cisa · 9.3 CRITICAL