cPanel Ships Second Emergency Patch in 10 Days: Three New CVEs

cPanel released its second emergency security update in ten days on May 8, patching three new vulnerabilities that enable arbitrary file read, code execution, and privilege escalation. The timing couldn't be worse: this follows the CVE-2026-41940 auth bypass that saw 44,000 servers compromised and ransomware deployed across hosting providers worldwide.

The new CVEs—CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203—affect cPanel & WHM, the control panel software that manages an estimated 70 million domains globally.

CVE-2026-29201: Arbitrary File Read

The first vulnerability exists in the feature::LOADFEATUREFILE adminbin call. The feature file name parameter isn't validated for path traversal, allowing an attacker to supply a relative path that causes any file on the server to become world-readable.

While arbitrary file read doesn't directly grant code execution, it enables attackers to:

• Extract configuration files containing database credentials
• Read SSH private keys from user home directories
• Access backup files that may contain sensitive data
• Harvest information needed for privilege escalation attacks

CVE-2026-29202: Code Execution

Details on CVE-2026-29202 remain limited, but cPanel confirms it enables direct code execution. Combined with CVE-2026-29201's file read capability, an attacker could potentially read server configuration, identify exploitation paths, and achieve code execution in a chained attack.

CVE-2026-29203: Privilege Escalation via Symlink

The third vulnerability (CVSS 8.8) involves unsafe handling of symbolic links. An authenticated user can use chmod to modify permissions on arbitrary files through symlink manipulation, leading to denial of service or privilege escalation.

The attack works by creating a symlink in a user-controlled directory that points to a sensitive system file. When cPanel processes chmod operations, it follows the symlink and applies permission changes to the target file instead of the symlink itself.

Context: cPanel's Rough Month

This patch arrives while the hosting industry is still recovering from CVE-2026-41940. That CVSS 9.8 authentication bypass went unpatched for nearly three months while attackers exploited it in the wild. By the time cPanel shipped a fix in late April, the Sorry ransomware gang had compromised 44,000 servers and encrypted data across multiple hosting providers.

The quick succession of emergency patches raises questions about cPanel's security review processes. Two TSRs (Targeted Security Releases) in ten days suggests either proactive discovery of related issues or—less charitably—that the auth bypass scrutiny revealed additional problems that had been overlooked.

Affected Versions

All cPanel & WHM versions before the May 8 patch are vulnerable. The fix was distributed through cPanel's automatic update process starting at 12:00 PM EST.

Remediation

Most cPanel installations receive automatic updates. Administrators should verify their servers are running the patched version:

/usr/local/cpanel/cpanel -V

For servers with automatic updates disabled, run the manual update:

/scripts/upcp

Given the active exploitation of CVE-2026-41940, administrators should also audit their servers for signs of prior compromise. The Sorry ransomware campaign left clear indicators, but other attackers may have established persistence more quietly during the months the auth bypass was exploitable.

Hosting providers running cPanel should review our data breach response guide for steps on assessing exposure and notifying affected customers.

Why This Matters

cPanel's market dominance in shared hosting means these vulnerabilities affect millions of websites. Shared hosting environments are particularly sensitive to privilege escalation flaws—a single compromised account can potentially pivot to attack neighboring sites on the same server.

The back-to-back emergency patches also demonstrate the challenges of securing legacy codebases. cPanel has been in development since 1996, and the accumulated complexity makes comprehensive security review difficult. Organizations with strict security requirements should evaluate whether cPanel's convenience outweighs the risks of its expanding attack surface.