CRITICAL: CVE-2026-41940 - cPanel & WHM Authentication Bypass Vulnerability

N4R Team
Expert Technical Writing

Critical Security Advisory: CVE-2026-41940

A high-severity Authentication Bypass vulnerability has been discovered in cPanel & WHM software (including DNSOnly), tracked as CVE-2026-41940. This flaw affects nearly all versions after 11.40, potentially allowing unauthorized access to server management interfaces.

The cPanel security team has released urgent patches. Server administrators are strongly advised to update their systems immediately to prevent exploitation.

Vulnerability Details

The vulnerability allows an attacker to bypass authentication mechanisms by injecting malicious security tokens. This can lead to full server compromise if the management ports (2083, 2087, 2095, 2096) are exposed to the public internet.

  • CVE ID: CVE-2026-41940
  • Severity: Critical
  • Affected Versions: All versions from 11.40 up to the latest unpatched releases.

Patched Versions

The following versions contain the fix for this vulnerability. Ensure your server is running at least one of these builds:

  • cPanel & WHM: 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, 11.136.0.5
  • WP Squared: 136.1.7

Required Actions

1. Update Immediately

Force an update to the latest patched version using the following command as root:

/scripts/upcp --force

2. Verify and Restart Services

After the update, verify your version and restart the cPanel service:

/usr/local/cpanel/cpanel -V
/scripts/restartsrv_cpsrvd

3. Mitigation (If Update is Not Possible)

If you cannot update immediately, you must block inbound traffic on the following ports at your firewall:

  • 2083, 2087, 2095, 2096

Alternatively, stop the vulnerable services:

whmapi1 configureservice service=cpsrvd enabled=0 monitored=0 && \
whmapi1 configureservice service=cpdavd enabled=0 monitored=0 && \
/scripts/restartsrv_cpsrvd --stop && \
/scripts/restartsrv_cpdavd --stop
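
The version check in step 2 can be automated against the patched builds listed above. The following is an added example, not code from N4R or cPanel: it assumes the installed version is supplied in the same four-field form as that list (converting the output of `cpanel -V` to that form is left to the caller), it treats the first two fields as the release tier, and the function names and return codes are its own convention. It covers the cPanel & WHM builds only, not WP Squared.

```shell
#!/bin/sh
# Added example (not from the advisory): compare a cPanel & WHM version
# against the patched builds listed on this page.
PATCHED_BUILDS="11.86.0.41 11.110.0.97 11.118.0.63 11.126.0.54
11.130.0.19 11.132.0.29 11.134.0.20 11.136.0.5"

# split_version A.B.C.D: sets v1..v4; returns 1 unless exactly four numeric fields.
split_version() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*.*) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    v1=${1%%.*}; _r=${1#*.}
    v2=${_r%%.*}; _r=${_r#*.}
    v3=${_r%%.*}; v4=${_r#*.}
}

# check_patched VERSION (return codes are this example's assumption)
#   0 = at or above the patched build of its release tier
#   1 = same tier as a listed build, but older
#   2 = tier has no patched build listed on this page
#   3 = version string is not in A.B.C.D form
check_patched() {
    split_version "$1" || return 3
    i1=$v1 i2=$v2 i3=$v3 i4=$v4
    for p in $PATCHED_BUILDS; do
        split_version "$p" || continue
        # Compare only within the same tier (first two fields, e.g. 11.118).
        [ "$v1" -eq "$i1" ] && [ "$v2" -eq "$i2" ] || continue
        if [ "$i3" -gt "$v3" ] || { [ "$i3" -eq "$v3" ] && [ "$i4" -ge "$v4" ]; }; then
            return 0
        fi
        return 1
    done
    return 2
}

# Constructed sample versions, for illustration only.
for v in 11.118.0.63 11.118.0.50 11.136.0.5 11.120.0.12 118.0; do
    rc=0; check_patched "$v" || rc=$?
    case $rc in
        0) echo "$v: patched" ;;
        1) echo "$v: BELOW the patched build for its tier" ;;
        2) echo "$v: tier not in the advisory's patched list" ;;
        *) echo "$v: unrecognised version format" ;;
    esac
done
```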

Detection: Check for Indicators of Compromise (IOC)

The following script can be used to scan for compromised session files on your server. Save this as ioc_check.sh and run it with /bin/bash ioc_check.sh.

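#!/bin/bash
# N4R Security - cPanel Session Integrity Scanner
SESSIONS_DIR="/var/cpanel/sessions"
COMPROMISED=0

# Without a readable raw session directory the loop below checks nothing,
# so stop here instead of reporting a clean result.
if [ ! -d "$SESSIONS_DIR/raw" ] || [ ! -r "$SESSIONS_DIR/raw" ]; then
    echo "[!] Cannot read $SESSIONS_DIR/raw (run as root?)" >&2
    exit 2
fi

echo "[*] Scanning session files for injection indicators..."

for session_file in "$SESSIONS_DIR"/raw/*; do
    [ -f "$session_file" ] || continue
    session_name=$(basename "$session_file")
    preauth_file="$SESSIONS_DIR/preauth/$session_name"

    # Check 1: the session holds both a token_denied= and a cp_security_token=
    # line, and its origin_as_string= line records method=badpass.
    if grep -q '^token_denied=' "$session_file" && \
       grep -q '^cp_security_token=' "$session_file"; then

        if grep -q '^origin_as_string=.*method=badpass' "$session_file"; then
            echo "[!] CRITICAL: Exploitation artifact detected in $session_file"
            COMPROMISED=1
        fi
    fi

    # Check 2: a preauth entry exists for this session name, yet the raw
    # session contains a successful_external_auth_with_timestamp= line.
    if [ -f "$preauth_file" ] && grep -qE '^successful_external_auth_with_timestamp=' "$session_file"; then
        echo "[!] CRITICAL: Injected session detected: $session_file"
        COMPROMISED=1
    fi
done

if [ "$COMPROMISED" -eq 1 ]; then
    echo "[!] ACTION REQUIRED: Indicators of compromise detected!"
else
    echo "[+] No obvious indicators of compromise found."
fi

# Exit status mirrors the result (1 = indicators found) for use in automation.
exit "$COMPROMISED"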

Stay Safe. The N4R Security Team continues to monitor this situation. Ensure your automated updates are enabled to receive the latest security patches.
