TL;DR
- cPanel disclosed a critical authentication bypass vulnerability in WHM on April 28, 2026, affecting nearly all versions—including end-of-life releases—with exploits already seen in the wild before the patch dropped.
- If you’re self-hosted, patch now as root. If you’re on managed hosting, confirm your provider has applied the fix.
- CVE-2026-41940 has been assigned to this vulnerability.
What happened
cPanel’s WebHost Manager (WHM) is a widely deployed commercial web hosting control panel. On April 28, 2026, cPanel disclosed a critical authentication vulnerability in cPanel and WHM affecting nearly all known versions, including end-of-life releases. The flaw affects multiple authentication paths; an attacker who exploits it can bypass login and gain administrative control of the server.
cPanel’s initial security notice described the issue as an authentication bypass. That wording has since been removed from the advisory, but the vulnerability is still understood to affect authentication, and exploitation was observed in the wild before the patch was released.
The fix is included in the following builds; earlier builds on the same branch remain vulnerable:
- 11.110.0.97
- 11.118.0.63
- 11.126.0.54
- 11.132.0.29
- 11.134.0.20
- 11.136.0.5
- WP Squared 11.136.1.7
cPanel is widely used by organizations in both self-hosted and managed hosting deployments. Attackers can exploit unpatched versions to bypass authentication and gain unauthorized administrative access. If you aren’t self-hosted, check with your hosting provider to confirm they’ve applied the patch. The vulnerability was initially disclosed without a CVE ID; CVE-2026-41940 has since been assigned.
What you need to do
System administrators should force an update as the root user to retrieve and install the patched build immediately. Then review server access and login logs for suspicious login attempts, unexpected account creations, and unusual administrative activity that occurred before the patch was applied: because exploitation predates the patch, a server that is now patched may already have been compromised. Environments running end-of-life or unsupported versions will not receive this fix and should prioritize migrating to a supported release.
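The following script is an added example for self-hosted administrators and is not part of cPanel’s advisory or of this post. It compares the installed cPanel & WHM build against the first fixed build for its release branch (the table listed above), and only if the host is below that build does it invoke cPanel’s documented `/usr/local/cpanel/scripts/upcp --force`. It assumes the installed version can be read from `/usr/local/cpanel/version` (cPanel’s version file); WP Squared is handled as a separate product because its fixed build, 11.136.1.7, does not follow the cPanel & WHM branch table. Branches not in the advisory’s list (end-of-life releases) are reported as having no fix rather than being treated as safe.

```shell
#!/bin/sh
# Added example (not cPanel's code): decide whether this host has the fix for
# CVE-2026-41940 and force an update if it does not. Run as root.
# Assumptions: /usr/local/cpanel/version holds the installed build string, and
# /usr/local/cpanel/scripts/upcp --force is cPanel's forced-update command.

# First fixed build per release branch, from the advisory's patched-build list.
patched_build_for_branch() {
  case "$1" in
    11.110) printf '%s\n' 11.110.0.97 ;;
    11.118) printf '%s\n' 11.118.0.63 ;;
    11.126) printf '%s\n' 11.126.0.54 ;;
    11.132) printf '%s\n' 11.132.0.29 ;;
    11.134) printf '%s\n' 11.134.0.20 ;;
    11.136) printf '%s\n' 11.136.0.5 ;;
    *)      printf '%s\n' "" ;;   # not in the list: end-of-life, no fix shipped
  esac
}

# Numeric comparison of dotted versions. Prints -1, 0 or 1 for a<b, a=b, a>b.
# Plain string comparison would wrongly rank 11.136.0.5 below 11.136.0.49.
version_cmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    [ "$a" = "${a#*.}" ] && a="" || a="${a#*.}"
    [ "$b" = "${b#*.}" ] && b="" || b="${b#*.}"
    x="${x:-0}"; y="${y:-0}"           # missing components count as 0
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# patch_status VERSION [cpanel|wpsquared]
# Returns 0 = fixed build or later, 1 = below the fixed build (vulnerable),
# 2 = no fix exists for this branch (end-of-life or unrecognised version).
patch_status() {
  ver="$1"; product="${2:-cpanel}"
  if [ "$product" = "wpsquared" ]; then
    fixed=11.136.1.7                   # WP Squared has its own fixed build
  else
    rest="${ver#*.}"
    branch="${ver%%.*}.${rest%%.*}"    # 11.110.0.97 -> 11.110
    fixed="$(patched_build_for_branch "$branch")"
  fi
  [ -n "$fixed" ] || return 2
  [ "$(version_cmp "$ver" "$fixed")" -ge 0 ] && return 0 || return 1
}

# check_and_update [VERSION_FILE]: live check on the host, forcing upcp only
# when the installed build is below the fixed one for its branch.
check_and_update() {
  verfile="${1:-/usr/local/cpanel/version}"
  [ -r "$verfile" ] || { echo "not a cPanel host: $verfile missing" >&2; return 2; }
  installed="$(tr -d '[:space:]' < "$verfile")"
  status=0
  patch_status "$installed" || status=$?
  case "$status" in
    0) echo "installed build $installed includes the fix" ;;
    1) echo "installed build $installed is vulnerable; forcing update"
       /usr/local/cpanel/scripts/upcp --force ;;
    *) echo "installed build $installed is on a branch with no fix; migrate to a supported release" >&2
       return 2 ;;
  esac
}

# Only act when invoked explicitly, so the functions can be sourced or tested.
case "${1:-}" in
  --check) check_and_update "${2:-}" ;;
esac
```

Run it as `sh check_cpanel.sh --check` on the host; the exit code is 0 when the fix is present and 2 when the branch is end-of-life and only migration will help. Updating does not undo a compromise that happened before the patch, so after the update review the WHM/cPanel logs under `/usr/local/cpanel/logs/` (notably `login_log` and `access_log`) for logins and administrative actions you do not recognise from the window before the fix landed.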
