CVE-2026-41940
cPanel & WHM does not adequately sanitise session data during session creation and processing. An attacker can craft requests that influence how session information is stored and interpreted, injecting controlled data into session files and altering authentication-related attributes.

The result is an authentication bypass: the attacker can establish a session that the system treats as fully authenticated without holding valid credentials, and then operate with administrative privileges.

Impact: full control of the server, access to hosted websites and databases, and the ability to set up persistence such as backdoors or additional user accounts. Because cPanel is central to shared-hosting environments, a single compromised host can expose many customers and services at once.
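The bug class described above (attacker-controlled input serialised into a session record without neutralising the record's own delimiters, so extra attributes ride in on the value) is illustrated below with a constructed flat-file session store. This is an added example written for this page; it is not cPanel's session code, not its on-disk format, and not the actual CVE-2026-41940 trigger. All names (`serialize_session_vulnerable`, `parse_session_naive`, the `authenticated`/`user` attributes, the newline-delimited `key=value` layout) are assumptions made for the illustration.

```python
"""Hypothetical session-store injection, vulnerable and hardened side by side.

Not cPanel code. The record format (newline-delimited key=value) and the
attribute names are constructed for this example.
"""
from urllib.parse import quote, unquote

DELIM = "\n"  # record separator of the constructed flat-file format

# Constructed attacker input: a "username" that smuggles two extra records.
CRAFTED_USER = "guest" + DELIM + "authenticated=1" + DELIM + "user=root"


def serialize_session_vulnerable(fields: dict[str, str]) -> str:
    """Write key=value records verbatim.

    A value containing DELIM or '=' is stored as additional records; that is
    the injection the naive parser below then honours.
    """
    return "".join(f"{k}={v}{DELIM}" for k, v in fields.items())


def parse_session_naive(blob: str) -> dict[str, str]:
    """Last-write-wins parser: a later duplicate key silently overrides."""
    session: dict[str, str] = {}
    for record in blob.split(DELIM):
        if record:
            key, _, value = record.partition("=")
            session[key] = value
    return session


def create_session_vulnerable(user: str) -> str:
    """Server writes the auth flag first, then the (untrusted) user name.

    Attribute order matters: an injected 'authenticated=1' that lands after
    the legitimate 'authenticated=0' wins under last-write-wins parsing.
    """
    return serialize_session_vulnerable({"authenticated": "0", "user": user})


def is_authenticated(session: dict[str, str]) -> bool:
    """Authentication decision taken purely from the parsed record."""
    return session.get("authenticated") == "1"


class SessionRecordError(ValueError):
    """Raised when a record is malformed or carries a duplicate attribute."""


def serialize_session_hardened(fields: dict[str, str]) -> str:
    """Percent-encode keys and values (safe='' encodes '=' and '\\n' too),
    so DELIM and '=' can never appear unescaped inside a stored field."""
    return "".join(
        f"{quote(k, safe='')}={quote(v, safe='')}{DELIM}" for k, v in fields.items()
    )


def create_session_hardened(user: str) -> str:
    return serialize_session_hardened({"authenticated": "0", "user": user})


def parse_session_strict(blob: str) -> dict[str, str]:
    """Decode percent-encoded records; refuse malformed or duplicate keys
    instead of letting a later record override an earlier one."""
    session: dict[str, str] = {}
    for record in blob.split(DELIM):
        if not record:
            continue
        key, sep, value = record.partition("=")
        if not sep or not key:
            raise SessionRecordError(f"malformed record: {record!r}")
        key = unquote(key)
        if key in session:
            raise SessionRecordError(f"duplicate attribute: {key!r}")
        session[key] = unquote(value)
    return session


if __name__ == "__main__":
    weak = parse_session_naive(create_session_vulnerable(CRAFTED_USER))
    print("vulnerable store:", weak, "authenticated:", is_authenticated(weak))
    strong = parse_session_strict(create_session_hardened(CRAFTED_USER))
    print("hardened store:", strong, "authenticated:", is_authenticated(strong))
```

Two defences are shown because either alone leaves a gap: encoding on write stops the delimiter from being written at all, and the strict parser refuses duplicate attributes so a record that somehow reaches disk unencoded (another writer, a restore from backup) cannot flip the flag. For the real product the fix is the vendor update referenced on this page, not a local patch to session handling.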
Risk Scores
EPSS 90.76% · 99.6th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| cPanel | cPanel & WHM | All versions |
Exploit Intelligence
- CVE-2026-41940 authentication bypass vulnerability proof-of-concept (github-poc-repo)
…and 2232 more exploits
Timeline
- CVE Published
- Apr 29, 2026 PoC Published
References
- https://ccb.belgium.be/advisories/warning-critical-authentication-bypass-cpanel-whm-patch-immediately (advisory)
- https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026 (vendor)
- https://www.rapid7.com/blog/post/etr-cve-2026-41940-cpanel-whm-authentication-bypass/ (technical)
- https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/ (technical)
- [bare-metal-servers] [GLOBAL][Virtual Private Servers] cPanel incident notification (vendor)
- [customer-service] [GLOBAL][Control panel] cPanel incident notification (vendor)