cPanel auth bypass gives unauthenticated access to hosting control plane
TL;DR - CVE-2026-41940: a critical auth bypass in the cPanel & WHM login flow, tied to session loading and saving, lets unauthenticated remote attackers reach the control panel directly. CVSS v4 base 9.3. Out-of-band patches shipped across all supported release tracks on April 28-29, 2026.
What happened
cPanel & WHM is the dominant control-plane stack for shared and managed hosting - WHM handles server-level administration, cPanel handles per-tenant site management. On April 28-29, 2026, cPanel pushed an emergency security update covering a vulnerability that impacts "various authentication paths" across all currently supported versions.
The issue is CVE-2026-41940, classified as missing authentication for a critical function (CWE-306). VulnCheck scores it CVSS v4 base 9.3. The vendor advisory is intentionally sparse on exploit mechanics, but the fix was delivered out-of-band - outside the normal release cadence - which signals the severity.
During the patch window, at least one major hosting provider, Namecheap, temporarily blocked public access to cPanel and WHM ports (2083 and 2087) as a precautionary measure while deploying the fix.
An auth bypass on a hosting management plane is not just a panel bug. One successful exploitation can cascade into full control over every site, mailbox, database, and credential set co-located on that server.
Who is impacted
- Operators running any currently supported cPanel & WHM release track prior to the patched builds.
- Highest risk: internet-exposed WHM (:2087) and cPanel (:2083) instances, particularly on shared hosting infrastructure.
- Also relevant: anyone whose sites sit on a third-party host that exposes these panels publicly - validate that your provider has applied the patch.
| Release track | Affected | Patched build |
|---|---|---|
| 110 | < 11.110.0.97 | 11.110.0.97 |
| 118 | < 11.118.0.63 | 11.118.0.63 |
| 126 | < 11.126.0.54 | 11.126.0.54 |
| 132 | < 11.132.0.29 | 11.132.0.29 |
| 134 | < 11.134.0.20 | 11.134.0.20 |
| 136 | < 11.136.0.5 | 11.136.0.5 |
| WP Squared | < 11.136.1.7 | 11.136.1.7 |
What to do now
- Patch immediately. Run the vendor-provided update command for your release track:
"Please run the following command to retrieve the patched version."
# /scripts/upcp --force
- Verify the patched build landed. Check your running version and confirm it matches one of the patched builds above:
# /usr/local/cpanel/cpanel -V
- If you are on an unsupported or end-of-life cPanel version, treat this as high risk. The vendor advisory warns that unsupported servers may also be affected:
"Warning: If your server is not running a supported version of cPanel that is eligible for this update, it is highly recommended that you work toward updating your server as soon as possible, as it may also be affected."
- While patching, consider edge-level risk reduction. Restrict or block public access to cPanel/WHM ports (2083, 2087) until you have confirmed a patched build is running - this is what Namecheap did during their rollout window.
- Post-patch hygiene:
  - Review access logs for unexpected logins and admin actions in the window before and during patching.
  - If you have any evidence of unauthorised access, rotate all credentials reachable via the control panel - hosting account passwords, database credentials, API keys, email account passwords.
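As an added example (not from the advisory, and not cPanel's own tooling), the following POSIX shell script turns the "verify the patched build landed" step into an automatic check against the patched-build table above, so it can be run across a fleet instead of eyeballing each host. It assumes that `/usr/local/cpanel/cpanel -V` prints the running build as a dotted version string at the start of its first line; where that binary is absent it falls back to a constructed sample value. The table keys on the first three version components as they appear on the page (the WP Squared line is 11.136.1.x, the regular 136 track 11.136.0.x); a version whose prefix is not in the table is reported as "unknown" rather than guessed.

```shell
#!/bin/sh
# Constructed from the advisory table: "major.minor.patch" prefix -> minimum patched build number.
# Assumption: regular tracks are 11.<track>.0.x, WP Squared is 11.136.1.x.
patched_build_for() {
    case "$1" in
        11.110.0) echo 97 ;;
        11.118.0) echo 63 ;;
        11.126.0) echo 54 ;;
        11.132.0) echo 29 ;;
        11.134.0) echo 20 ;;
        11.136.0) echo 5 ;;
        11.136.1) echo 7 ;;
        *) echo "" ;;
    esac
}

# is_patched VERSION
#   prints "patched" (exit 0), "vulnerable" (exit 1) or "unknown" (exit 2).
#   Trailing text after the fourth numeric field is ignored.
is_patched() {
    ver=$1
    IFS=. read -r major minor patch build _rest <<EOF
$ver
EOF
    # keep only the leading digits of the build field ("97 (foo)" -> "97")
    build=${build%%[!0-9]*}
    if [ -z "$build" ]; then
        echo "unknown"
        return 2
    fi
    min=$(patched_build_for "$major.$minor.$patch")
    if [ -z "$min" ]; then
        echo "unknown"   # release track not in the table (e.g. EOL build)
        return 2
    fi
    if [ "$build" -ge "$min" ]; then
        echo "patched"
        return 0
    fi
    echo "vulnerable"
    return 1
}

# Stand-alone use: query the live server when the cPanel binary exists,
# otherwise use a constructed sample value (not taken from any real host).
if [ -x /usr/local/cpanel/cpanel ]; then
    running=$(/usr/local/cpanel/cpanel -V)
else
    running="11.126.0.53"
fi
printf 'running %s: %s\n' "$running" "$(is_patched "$running")"
```

The exit codes are chosen so the function can feed a fleet-wide job directly: treat both "vulnerable" and "unknown" as a reason to keep the port restriction in place until someone looks at the host, since an unsupported build is exactly the case the vendor warning above covers.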
Additional Information
- VulnCheck advisory (severity, CVSS, affected ranges): https://www.vulncheck.com/advisories/cpanel-and-whm-authentication-bypass-via-login-flow
- NVD entry for CVE-2026-41940: https://nvd.nist.gov/vuln/detail/CVE-2026-41940
- Namecheap status update documenting temporary port blocks during mitigation: https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026/
- watchTowr diff-based technical analysis (useful for detection and threat hunting): https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/
