Last updated: May 14, 2026 at 10:49 AM UTC
Tag: namecheap (1 article)

All cPanel and WHM versions had a critical authentication bypass that attackers may have been exploiting since February - emergency patches now released (CVE-2026-41940)

cPanel disclosed a critical authentication bypass on Monday that affects every cPanel and WHM version, including end-of-life builds, and is rated CVSS 9.8. The bug let unauthenticated attackers log in as administrators by abusing how the cPanel session daemon writes session files during login, so no valid credentials were needed. Hosting providers including Namecheap, KnownHost, hosting.com, HostPapa, and InMotion took cPanel and WHM offline globally for hours while patches deployed. Researchers at watchTowr published a working proof-of-concept on April 29. KnownHost reports possible targeted exploitation as early as February 23, 2026, more than two months before disclosure, so patching alone is not enough: any server exposed during that window also needs a compromise assessment.

Check
If you run any cPanel or WHM server, confirm today that it is on at least the fixed build for its release branch: 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5 (or a later build on the same branch). A server on a branch with no fixed build listed has no patch to apply and must be upgraded to a supported branch.
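A script to turn that version check into a yes/no answer, as an added example rather than cPanel's own tooling. The fixed-build list is taken from the advisory summary above; the assumption that the installed version is recorded as a single "11.X.Y.Z" string in /usr/local/cpanel/version, and the handling of branches not on the list, are this example's own.

```python
"""Check whether an installed cPanel/WHM build carries the CVE-2026-41940 fix.

Added example, not cPanel's tooling. Fixed builds come from the advisory
summary; reading /usr/local/cpanel/version for the installed version string
is an assumption of this example.
"""
import re
from pathlib import Path

# Lowest build on each release branch that contains the fix (from the advisory).
PATCHED = {
    110: (11, 110, 0, 97),
    118: (11, 118, 0, 63),
    126: (11, 126, 0, 54),
    132: (11, 132, 0, 29),
    134: (11, 134, 0, 20),
    136: (11, 136, 0, 5),
}

VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text):
    """Turn '11.110.0.97' (optionally with surrounding whitespace) into an int tuple."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised cPanel version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Return (status, detail); status is 'patched', 'vulnerable' or 'unsupported'.

    Comparison is per branch: 11.118.0.63 is fixed even though it is numerically
    below 11.126.0.53, which is not.
    """
    v = parse_version(version_text)
    branch = v[1]
    fixed = PATCHED.get(branch)
    if fixed is None:
        return (
            "unsupported",
            f"branch {branch} has no fixed build in the advisory list; "
            "treat it as end-of-life and upgrade to a supported branch",
        )
    fixed_text = ".".join(str(x) for x in fixed)
    if v >= fixed:
        return ("patched", f"{version_text.strip()} is at or above {fixed_text}")
    return ("vulnerable", f"{version_text.strip()} is below fixed build {fixed_text}")


def assess_installed(version_file="/usr/local/cpanel/version"):
    """Assess the build recorded in the version file (path is an assumption)."""
    return assess(Path(version_file).read_text())


if __name__ == "__main__":
    status, detail = assess_installed()
    print(f"{status}: {detail}")
```

Run it on the server as root; anything other than "patched" means run the upgrade before doing anything else.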
Affected
Every cPanel and WHM release before the April 28 emergency builds, including end-of-life branches that no longer receive routine updates. CVE-2026-41940, CVSS 9.8. Successful exploitation grants root-equivalent access on the server, exposing every hosted website, database, email account, and customer record on it. KnownHost reports possible exploitation since February 23, 2026, so servers that were reachable before the patch should be assumed to have been probed.
Fix
Run '/scripts/upcp --force' to pull the latest patched cPanel build immediately. Then audit the cPanel and WHM authentication logs for successful logins between February 23 and April 28: any administrator login from an unfamiliar IP during that window may indicate prior compromise, and a server with such logins should be treated as compromised (rotate all credentials and API tokens, and review accounts, cron jobs, and SSH keys added in that period), since patching closes the door but does not evict anyone already inside. Restrict the cPanel service ports at the firewall to trusted IP ranges only: 2082/2083 (cPanel), 2086/2087 (WHM), 2095/2096 (Webmail), and 2077/2078 (WebDAV).
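The log audit above, as an added example that is not cPanel's own tooling. It flags successful logins inside the February 23 to April 28 window that came from outside an allowlist of trusted ranges. The log lines are constructed for the example in a combined-log style (client IP, user, timestamp, request line, status); the real cPanel access log (assumed here to live at /usr/local/cpanel/logs/access_log) may differ in layout, so adjust LOG_RE to match it. Treating a POST to /login/ answered with a 2xx or 3xx status as a successful login, and the trusted ranges, are also this example's assumptions.

```python
"""Flag successful cPanel/WHM logins in the suspected exploitation window
that came from outside trusted address ranges.

Added example, not cPanel's tooling. Log format, log path and trusted ranges
are assumptions; the sample lines are constructed for this example.
"""
import ipaddress
import re
from datetime import datetime, timezone

# Window reported above: first possible exploitation through the patch date.
WINDOW_START = datetime(2026, 2, 23, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 28, 23, 59, 59, tzinfo=timezone.utc)

# Ranges from which admin logins are expected (assumed; replace with your own).
TRUSTED = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "10.0.0.0/8")]

# Combined-log style: ip - user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_successful_login(rec):
    # Assumption: a login POST answered with 2xx/3xx succeeded; 4xx means it failed.
    return rec["method"] == "POST" and rec["path"].startswith("/login") and 200 <= rec["status"] < 400


def in_window(ts):
    return WINDOW_START <= ts <= WINDOW_END


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED)


def audit(lines):
    """Return (timestamp, ip, user) for every suspicious login, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_successful_login(rec) and in_window(rec["ts"]) and not is_trusted(rec["ip"]):
            findings.append((rec["ts"].isoformat(), rec["ip"], rec["user"]))
    return findings


# Constructed sample lines (not real log data).
SAMPLE_LOG = [
    '198.51.100.7 - root [24/Feb/2026:03:14:07 +0000] "POST /login/?login_only=1 HTTP/1.1" 301 0',
    '203.0.113.5 - root [24/Feb/2026:09:00:01 +0000] "POST /login/ HTTP/1.1" 200 512',
    '198.51.100.7 - root [02/May/2026:11:22:33 +0000] "POST /login/ HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Mar/2026:12:00:00 +0000] "POST /login/ HTTP/1.1" 401 0',
    '198.51.100.9 - root [10/Mar/2026:12:00:05 +0000] "GET /cpsess1234567890/frontend/jupiter/index.html HTTP/1.1" 200 9000',
    'not a log line at all',
]


def audit_file(path="/usr/local/cpanel/logs/access_log"):
    """Audit a real log file (path is an assumption of this example)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit(fh)


if __name__ == "__main__":
    for ts, ip, user in audit(SAMPLE_LOG):
        print(f"SUSPICIOUS {ts} {ip} user={user}")
```

Only the first sample line is reported: the second is from a trusted range, the third is after the patch date, the fourth failed, and the fifth is a post-login page fetch rather than a login. A hit is a lead, not proof; the session log and shell history for that period decide whether the login was legitimate.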