Live Chat

Domain Scan

(empty)

Login


CVE-2026-41940: Critical cPanel/WHM Authentication Bypass Vulnerability and How to Fix It Immediately
(05-May-2026)

CVE-2026-41940: Critical cPanel/WHM Authentication Bypass Vulnerability and How to Fix It Immediately

A critical security vulnerability identified as CVE-2026-41940 has been officially disclosed by cPanel. This issue affects multiple versions of cPanel and WHM and poses a serious risk to servers that are not updated immediately.

If you are managing a VPS, dedicated server, or reseller hosting environment, this is something you must act on right now.

What is CVE-2026-41940?

CVE-2026-41940 is an authentication bypass vulnerability found in cPanel and WHM systems.
In simple terms:
Attackers can manipulate how cPanel handles login sessions, potentially allowing them to:
  • Bypass authentication
  • Inject unauthorized session data
  • Gain elevated (even root-level) access

Why this Vulnerability is Dangerous

This is considered a high-severity security issue because it directly impacts the authentication layer of cPanel, which is one of the most critical security components of any hosting server. Normally, cPanel verifies whether a user is authenticated before granting access. However, this vulnerability allows attackers to trick the system into believing they are already logged in.
Possible Risks:
  • Unauthorized WHM/root access
  • Website defacement or malware injection
  • Data leaks and customer information exposure
  • Persistent backdoors on your server
In short: Your entire hosting environment could be compromised.

What Caused the Issue?

This vulnerability is related to how cPanel manages session files.
Normally:
  • Session files store login state securely
  • Authentication markers are validated properly
With this vulnerability, attackers can inject fake session data such as:
  • tfa_verified=1
  • hasroot=1
  • Fake authentication timestamps
This tricks the system into believing the attacker is already authenticated.

Affected Versions and Patch Details

cPanel has already released security patches for multiple versions, including:
  • 11.86.0.41
  • 11.94.0.28
  • 11.102.0.39
  • 11.110.0.97
  • 11.118.0.63
  • 11.124.0.35
  • 11.126.0.54
  • 11.130.0.19
  • 11.132.0.29
  • 11.134.0.20
  • 11.136.0.5
WP Squared fix:
  • 136.1.7
Legacy systems (CentOS 6 / CloudLinux 6):
  • 11.110.0.103

How to Fix CVE-2026-41940

Fixing CVE-2026-41940 is time-sensitive. You should apply the patch immediately and verify your server is secure.

Step 1: Update cPanel Immediately

The vulnerability has already been patched by cPanel, so the most important step is to update your server to a secure version.
Make sure your server updates to one of the patched versions mentioned earlier.
Run the following command to update cPanel:
/scripts/upcp --force

What this does:
  • Forces cPanel to check for updates
  • Downloads and installs the latest secure version
  • Applies the security patch for CVE-2026-41940

Step 2: Verify the Installed Version

After the update, you need to confirm that your server is actually running a patched version.

Run the following command to verify the installed cPanel version:
/usr/local/cpanel/cpanel -V

What to check:
  • The returned version should match one of the patched versions
  • If not, the update may not have completed successfully
Make sure to verify that the update has been successfully completed and that your server is running a patched version.

Step 3: Restart cPanel Services

Once the update is complete, restart the cPanel service to ensure all changes are properly applied.

Run the following command to restart cPanel services:
/scripts/restartsrv_cpsrvd --hard

Note: Please note that servers with cPanel updates disabled or set to a fixed version will not receive automatic updates. Kindly identify such servers and perform the necessary updates manually as a priority.


Temporary Mitigation (If You Cannot Update Immediately)

If you are unable to update right away (not recommended), apply temporary protection to reduce risk.
Ensure SSH access is enabled, configured on a custom port, and working before proceeding. Once you block the required ports or stop cPanel services, you will lose access to WHM, cPanel, and Webmail interfaces. SSH will be your only method to access and manage the server during this period.

Option 1: Block cPanel Ports via Firewall
Block the following ports:
  • 2083 (cPanel)
  • 2087 (WHM)
  • 2095 / 2096 (Webmail)

Option 2: Stop cPanel Service
Run the following commands to stop cPanel service:
/scripts/restartsrv_cpsrvd --stop
/scripts/restartsrv_cpdavd --stop

Important:
  • This will restrict access to cPanel/WHM
  • This should only be used as a temporary emergency measure.


How to Check If Your Server is Compromised and Fix It

To identify whether your server has been affected by CVE-2026-41940, you can use the official detection script provided by cPanel.
Follow the steps below to scan, analyze, and take action.

Step 1: Navigate to Root Directory

Log in to your WHM account, access the Terminal, and run the following command:
cd /root

Step 2: Create the Script File

vi ioc_checksessions_files.sh

Then:
  1. Press i to enter insert mode
  2. Copy and paste the official detection script from cPanel's support documentation.
  3. Save and exit. (Press Esc button => Type :wq => Press Enter)

Step 3: Run the Script

bash ioc_checksessions_files.sh
Optional: Save Output to a File
If the output is longer than your terminal limit:
bash ioc_checksessions_files.sh >> ioc_checksessions_files_result.txt

Step 4: How to Interpret Results

After running the detection script, you will receive a scan summary. Use the following examples to understand the results.

No Issue Detected

CRITICAL findings: 0
WARNING findings: 0
ATTEMPT findings: 10
INFO findings: 0
Total: 10

This indicates:
  • No confirmed compromise
  • Some attempted activity (common for public servers)
  • No immediate action required

Needs Investigation

CRITICAL findings: 1
WARNING findings: 0
ATTEMPT findings: 1
INFO findings: 0
Total: 2

This indicates:
  • Possible or confirmed exploitation
  • Immediate investigation is required

Additional Checks

If suspicious activity is detected, perform the following checks:

Review Session Files

/var/cpanel/sessions
  • Check for abnormal session entries or unauthorized modifications.

Check Logs

/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/login_log
Look for:
  • Unknown or suspicious IP addresses
  • Unusual login attempts
  • Repeated or abnormal requests

Critical Actions to Take Immediately

  1. Terminate Sessions

    • Password reset will automatically log out active sessions
    • cPanel sessions expire automatically after 24 hours
    • Manual session removal should be done carefully to avoid affecting active services

  2. Reset All Passwords

    • Root password
    • All WHM user passwords
    • All cPanel user passwords

  3. Run a Virus/Malware Scan on the Server

    Perform a full server scan to detect malicious files or hidden threats.
    • ClamAV
    • ImunifyAV / Imunify360

  4. Check for Persistence Mechanisms

    • Cron jobs (scheduled malicious tasks)
    • SSH authorized keys
    • Backdoors or unknown scripts

If Root Compromise is Confirmed

If your server shows signs of root-level compromise, it is critical to act immediately and treat the system as untrusted. You should consult a qualified system administrator or security professional to properly assess the situation and guide the recovery process. Avoid relying on partial fixes, as they may leave hidden access points or backdoors that can be exploited again.
If the system cannot be fully trusted or thoroughly cleaned after investigation, the safest approach is to migrate all cPanel accounts to a known clean server. Alternatively, you should perform a complete operating system reinstall and restore data only from verified clean backups to ensure the environment is secure.

Conclusion

CVE-2026-41940 highlights how a flaw in a core component like authentication can put an entire hosting environment at risk. Because this vulnerability allows attackers to bypass login mechanisms and manipulate session data, it can quickly lead to full server compromise if left unpatched. This makes timely updates and proper verification not just important, but essential.
The key takeaway is simple: update immediately, verify the patch, and always check for signs of compromise. Even after fixing the vulnerability, running detection checks and performing a thorough security review ensures your server remains secure. Staying proactive with updates and monitoring is the best way to protect your infrastructure and your customers.

Don't wait - secure your server now before it becomes a target.


Written by: Register.lk Support Hero - Shamendra


Related Articles

Repeated Malware Infections in Hosting Accounts: Causes and Permanent Solutions
Repeated Malware Infections in Hosting Accounts: Causes and Permanent Solutions
Why You Should Not Use Unauthorized WordPress Plugins and Themes
Why You Should Not Use Unauthorized WordPress Plugins and Themes
Why You Should Enable Two Factor Authentication for Your Accounts
Why You Should Enable Two Factor Authentication for Your Accounts
New Malware Alert*: Targeting WordPress Websites on Shared Hosting Servers
New Malware Alert*: Targeting WordPress Websites on Shared Hosting Servers
BACK 2 BLOG