cPanel Auth Bypass CVE-2026-41940 Exploited Before Patch
Critical CVSS 9.8 flaw in cPanel/WHM allowed attackers to bypass authentication via CRLF injection. Exploits confirmed in the wild before emergency patches.
cPanel released emergency security updates on April 28 after discovering a critical authentication vulnerability affecting all supported versions of its hosting control panel software. The flaw could allow attackers to bypass login authentication and gain unauthorized access to cPanel and Web Host Manager (WHM) interfaces.
Hosting providers worldwide scrambled to apply patches after cPanel disclosed the issue, with major providers including Namecheap, InMotion, and others temporarily blocking access to control panel ports as a precaution. The vulnerability impacts the millions of websites managed through cPanel infrastructure.
TL;DR
- What happened: CVE-2026-41940 allows authentication bypass via CRLF injection in cPanel/WHM
- Who's affected: All cPanel installations running supported versions prior to the April 28 patch
- Severity: Critical - CVSS 9.8 (CWE-306: Missing Authentication for Critical Function)
- Action required: Run /scripts/upcp --force to install security updates immediately
What Happened
According to Namecheap's status disclosure, the security issue was confirmed on April 28, 2026, affecting "all currently supported versions of the platform." Tracked as CVE-2026-41940 with a CVSS score of 9.8, the vulnerability allows unauthenticated remote attackers to bypass authentication entirely.
Security researchers at watchTowr Labs confirmed exploitation was happening in the wild before the public advisory dropped. This was effectively a zero-day against the management plane of a massive chunk of the internet's hosting infrastructure.
How the Attack Works
The vulnerability chains three interconnected flaws in cPanel's session handling:
CRLF injection in Basic authentication: When cPanel processes Authorization headers, the set_pass() function only strips null bytes, leaving carriage return and newline characters (\r\n) intact. Attackers can embed arbitrary key-value pairs in the password field.
Missing encoding when session key is empty: Session cookies use the format :sessionname,hexkey. If the hex key portion is omitted, the encoder never fires—leaving injected data written to disk unescaped.
Cache synchronization flaw: Session data exists in both raw text files (/var/cpanel/sessions/raw/) and JSON cache files. Injected newlines create separate records in the raw file, and when the system re-parses that file during certain operations, the injected keys get promoted to top-level JSON entries.
The final bypass happens in check_authok_user(), which skips password validation entirely if a successful_internal_auth_with_timestamp key exists in the session data. By injecting this timestamp, attackers skip /etc/shadow validation altogether and receive AUTH_OK without ever knowing the password.
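To make the first two flaws concrete from the defender's side, here is an added Python illustration. It is not cPanel's code (cPanel is written in Perl) and none of the function names, the weak "strip NUL only" filter, or the line-oriented key=value session format below are cPanel's; they are hypothetical stand-ins for the behaviour the article describes. The sample Authorization headers are constructed, not captured traffic.

```python
import base64
import re
from typing import Dict, Optional, Tuple
from urllib.parse import quote, unquote

# Constructed sample headers (not captured traffic). The second one carries a
# CR/LF inside the password field followed by an arbitrary "key=value" pair.
SAMPLE_CLEAN = "Basic " + base64.b64encode(b"alice:Secret1").decode("ascii")
SAMPLE_INJECTED = "Basic " + base64.b64encode(
    b"alice:Secret1\r\ninjected_key=1"
).decode("ascii")

# Any C0 control character or DEL. Rejecting the whole class is safer than
# enumerating the characters known to be dangerous today (NUL, CR, LF).
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def parse_basic_authorization(header: str) -> Optional[Tuple[str, str]]:
    """Decode an HTTP Basic Authorization header into (user, password).

    Returns None for a non-Basic scheme, invalid base64, or a blob with no ':'.
    """
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic" or not blob:
        return None
    try:
        raw = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def strip_nul_only(value: str) -> str:
    """Weak normalisation (hypothetical stand-in for the behaviour described
    in the article): only NUL is removed, so CR and LF survive into storage."""
    return value.replace("\x00", "")


def reject_control_chars(value: str) -> Optional[str]:
    """Hardened normalisation: refuse the value outright if it contains any
    control character, rather than trying to clean it up."""
    return None if CONTROL_CHARS.search(value) else value


def credential_from_header(header: str, hardened: bool = True) -> Optional[Tuple[str, str]]:
    """Extract credentials with either the weak or the hardened filter applied."""
    parsed = parse_basic_authorization(header)
    if parsed is None:
        return None
    user, password = parsed
    if not hardened:
        return strip_nul_only(user), strip_nul_only(password)
    user_ok = reject_control_chars(user)
    password_ok = reject_control_chars(password)
    if user_ok is None or password_ok is None:
        return None
    return user_ok, password_ok


# Assumed line-oriented "key=value" session store (not cPanel's real format).
# The point of this half: escaping happens on every write, unconditionally,
# so a value containing CR/LF or '=' can never become a second record.
def serialize_session(pairs: Dict[str, str]) -> str:
    """One record per line; every key and value is percent-encoded."""
    return "\n".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                     for k, v in pairs.items())


def parse_session(text: str) -> Dict[str, str]:
    """Inverse of serialize_session; one record per non-empty line."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        if not line:
            continue
        key, _, value = line.partition("=")
        result[unquote(key)] = unquote(value)
    return result
```

With the weak filter, the injected CR/LF and the trailing key=value come back as part of the password; with the hardened filter the whole header is refused. The serializer shows the fix for the second flaw: the encoder runs on every field regardless of what else is present, so a round trip through serialize_session and parse_session yields the same dictionary and no extra key.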
According to cPanel's security advisory, the following versions contain the fix:
- 11.110.0.97
- 11.118.0.63
- 11.126.0.54
- 11.132.0.29
- 11.134.0.20
- 11.136.0.5
Hosting Providers Took Defensive Action
Before patches were available, hosting providers implemented emergency firewall rules blocking TCP ports 2083 (cPanel) and 2087 (WHM). This prevented both legitimate and malicious access to control panels—an inconvenience for customers, but necessary given the severity.
Namecheap confirmed on April 29 at 02:42 UTC that fixes had been applied to Reseller and Stellar Business servers. Other providers have been rolling out patches throughout the day.
Why This Matters
cPanel powers a significant portion of the shared hosting market. A successful exploit against one cPanel server can cascade to thousands of downstream sites running on that shared infrastructure. watchTowr described this as "the management plane of a significant part of the Internet" being exposed to pre-auth takeover.
The in-the-wild exploitation before patches were available makes this particularly concerning. Attackers who compromised servers during the disclosure window could have established persistence—backdoor accounts, web shells, or modified cron jobs—that survive the patch.
This is the second major control panel vulnerability we've covered recently. Earlier this year, authentication bypass issues in Clerk demonstrated how auth flaws in widely-deployed infrastructure can cascade into widespread compromise. We've also seen similar authentication bypass patterns across network appliances this year.
For hosting customers, the incident highlights the importance of hosting provider security practices. Your website's security depends not just on your own code, but on every layer of infrastructure beneath it. If you're managing sensitive workloads, consider whether shared hosting with cPanel is the right fit, or whether isolated VPS or container deployments offer better security boundaries.
Recommended Actions
For hosting providers:
- Apply cPanel security updates immediately if not already done
- Review access logs for the period before patches were applied
- Enable audit logging to detect any unauthorized changes
For website owners:
- Verify with your hosting provider that patches have been applied
- Review your cPanel account for unexpected changes (new email accounts, FTP users, cron jobs)
- Consider enabling two-factor authentication on your cPanel account if available
- Check for unfamiliar files or modifications in your web directories
Frequently Asked Questions
Was my website compromised?
With confirmed in-the-wild exploitation before patches dropped, you should assume compromise is possible. Major hosting providers blocked ports 2083 and 2087 within hours, limiting the exposure window. But attackers who gained access could have established persistence that survives patching.
Should I change my cPanel password?
Yes, but that alone isn't enough. Review cPanel for unexpected accounts, API tokens, SSH keys, and cron jobs. Check /home/*/public_html for unfamiliar PHP files. Attackers with admin access could have planted web shells or modified existing files.
How do I know if my server is patched?
Run cat /usr/local/cpanel/version and compare against the patched versions listed above. Alternatively, run /scripts/upcp --force to pull the latest release.
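The version comparison above can be automated. The following is an added Python helper, not a cPanel-supplied tool; it embeds the fixed versions quoted in this article and assumes /usr/local/cpanel/version holds a single four-part version string like 11.136.0.5. A version in a branch the advisory does not list is reported as unknown rather than guessed at.

```python
import re
from typing import Tuple

# Fixed versions from cPanel's advisory as quoted in this article, keyed by
# the (major, branch) pair so each branch is compared only against its own fix.
FIXED_BY_BRANCH = {
    (11, 110): (11, 110, 0, 97),
    (11, 118): (11, 118, 0, 63),
    (11, 126): (11, 126, 0, 54),
    (11, 132): (11, 132, 0, 29),
    (11, 134): (11, 134, 0, 20),
    (11, 136): (11, 136, 0, 5),
}

# Assumed shape of the version file contents: exactly four dotted integers.
VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.136.0.5\\n' into (11, 136, 0, 5); reject anything else."""
    value = text.strip()
    if not VERSION_RE.match(value):
        raise ValueError(f"not a four-part cPanel version string: {value!r}")
    return tuple(int(part) for part in value.split("."))


def patch_status(version_text: str) -> str:
    """Return 'patched', 'vulnerable', or 'unknown-branch'.

    Tuple comparison handles the full version, so 11.136.0.7 counts as
    patched while 11.136.0.4 does not.
    """
    version = parse_version(version_text)
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return "unknown-branch"
    return "patched" if version >= fixed else "vulnerable"


def check_installed(path: str = "/usr/local/cpanel/version") -> str:
    """Read the installed version from disk and classify it."""
    with open(path, encoding="utf-8") as fh:
        return patch_status(fh.read())


if __name__ == "__main__":
    import sys
    try:
        status = check_installed()
    except (OSError, ValueError) as exc:
        print(f"could not determine cPanel version: {exc}")
        sys.exit(2)
    print(status)
    # Exit 0 only when patched, so the script can gate a fleet-wide check.
    sys.exit(0 if status == "patched" else 1)
```

Run it on the server (or point check_installed at a copied version file) and treat anything other than "patched" as a reason to run /scripts/upcp --force and then re-check; an "unknown-branch" result means the installed branch is not one the advisory lists, which on its own says nothing about whether it is safe.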
Organizations managing critical infrastructure through cPanel should consider this a wake-up call about hosting security dependencies. For background on secure infrastructure practices, see our online safety guide. Understanding what constitutes a data breach can help you assess whether this incident requires notification to customers or regulators.