CVE-2026-41940 is a CVSS 9.8 authentication bypass affecting every supported version of cPanel & WHM. A remote unauthenticated attacker can gain root access to the server in two HTTP requests. Exploitation in the wild has been confirmed since at least February 23, 2026. Patch immediately.
What Is the Vulnerability
The flaw lives in cpsrvd's session handling. On a failed login, cPanel writes a preauth session file to disk at /var/cpanel/sessions/raw/ before any authentication occurs. That file is a newline-delimited key-value store:
needs_auth=1
user=
ip_address=172.17.0.1
local_port=2087
The session data was not sanitized before being written. By injecting raw \r\n characters via a crafted Authorization header, an attacker can append arbitrary key-value pairs — including user=root — into that file. On the subsequent authenticated request using the issued cookie, cPanel reads the session file and grants root access.
The three files modified by the patch:
Cpanel/Session.pm (saveSession — primary fix)
Cpanel/Session/Load.pm (session loader)
Cpanel/Session/Encoder.pm (new hex round-trip primitives)
The root cause is that filter_sessiondata() — a sanitizer that strips \r\n=, from session values — already existed, but saveSession relied on each caller to invoke it. The patch moves that call inside saveSession itself, so no caller can bypass it.
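To make the fix concrete, here is an added Python model of the session store; it is not cPanel's code (the real Cpanel::Session modules are Perl and are not reproduced). filter_sessiondata follows the page's description of the sanitizer (strip \r, \n, = and ,); the login_hint field name, the loader's last-key-wins rule and the tainted placeholder value are assumptions or constructed data, not facts from the advisory:

```python
"""Toy model of the preauth session store described above.

Added example, not cPanel's code: the real Cpanel::Session modules are Perl and
are not reproduced here. filter_sessiondata() follows the page's description
(it strips CR, LF, '=' and ','); the 'login_hint' field name, the loader's
last-key-wins rule and the tainted value are assumptions or constructed data.
"""
import re
from typing import Callable, Dict

SESSION_BAD_CHARS = re.compile(r"[\r\n=,]")


def filter_sessiondata(value: str) -> str:
    """Drop the bytes that could end a line or begin a new key=value pair."""
    return SESSION_BAD_CHARS.sub("", value)


def save_session_unpatched(fields: Dict[str, str]) -> str:
    """Pre-fix shape: values go to disk verbatim; the sanitizer existed but
    each caller had to remember to run it first."""
    return "".join(f"{key}={value}\n" for key, value in fields.items())


def save_session_patched(fields: Dict[str, str]) -> str:
    """Post-fix shape: the sanitizer runs inside the writer, so a caller that
    skips it can no longer smuggle a line break into the file."""
    return "".join(f"{key}={filter_sessiondata(value)}\n"
                   for key, value in fields.items())


def load_session(raw: str) -> Dict[str, str]:
    """Naive newline-delimited loader (assumed behaviour): a later line
    overwrites an earlier key, which is what makes an appended user=root
    line effective."""
    session: Dict[str, str] = {}
    for line in raw.split("\n"):
        if "=" in line:
            key, value = line.split("=", 1)
            session[key] = value
    return session


# Constructed inputs: the four preauth fields from the article's sample file,
# plus a hypothetical 'login_hint' field carrying caller-supplied text. The page
# does not say which real field carried the tainted string.
PREAUTH_FIELDS = {
    "needs_auth": "1",
    "user": "",
    "ip_address": "172.17.0.1",
    "local_port": "2087",
}
TAINTED_VALUE = "placeholder\r\nuser=root"  # CRLF, then a second key=value pair


def round_trip(writer: Callable[[Dict[str, str]], str],
               tainted: str = TAINTED_VALUE) -> Dict[str, str]:
    """Write the preauth record with one tainted field through `writer`, then
    read it back the way the loader would."""
    fields = dict(PREAUTH_FIELDS, login_hint=tainted)
    return load_session(writer(fields))


if __name__ == "__main__":
    # Unpatched: the loader sees user=root. Patched: user stays empty.
    print("unpatched:", round_trip(save_session_unpatched))
    print("patched:  ", round_trip(save_session_patched))
```

Running it shows the unpatched writer producing a record whose user is root while the patched writer leaves user empty and collapses the tainted value to a harmless string. The lesson is the one the patch encodes: a sanitizer that callers must remember to invoke is a policy, not a control; putting it inside the writer is what makes it enforced.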
Who Is Affected
All cPanel & WHM versions after 11.40. This includes every currently supported release branch. WP Squared (cPanel’s WordPress hosting platform) is also affected.
If you are running an end-of-life version, assume you are vulnerable. No patches will be issued for unsupported builds.
Patching
Run the following as root to force an immediate update:
/scripts/upcp --force
After the update completes, confirm your build version in WHM under Server Information, or:
cat /usr/local/cpanel/version
Patched versions by branch:
| Branch | Patched version |
|---|---|
| 110.0.x | 11.110.0.97 |
| 118.0.x | 11.118.0.63 |
| 126.0.x | 11.126.0.54 |
| 132.0.x | 11.132.0.29 |
| 134.0.x | 11.134.0.20 |
| 136.0.x | 11.136.0.5 |
| WP Squared | 136.1.7 |
Interim Mitigation (Pre-Patch)
If you cannot patch immediately, block the cPanel and WHM ports at your firewall. This prevents exploitation without affecting hosted sites, email, or applications — only control panel access is interrupted.
For firewalld:
firewall-cmd --permanent --add-rich-rule='rule port port="2083" protocol="tcp" reject'
firewall-cmd --permanent --add-rich-rule='rule port port="2087" protocol="tcp" reject'
firewall-cmd --permanent --add-rich-rule='rule port port="2095" protocol="tcp" reject'
firewall-cmd --permanent --add-rich-rule='rule port port="2096" protocol="tcp" reject'
firewall-cmd --reload
For iptables:
iptables -I INPUT -p tcp --dport 2083 -j DROP
iptables -I INPUT -p tcp --dport 2087 -j DROP
iptables -I INPUT -p tcp --dport 2095 -j DROP
iptables -I INPUT -p tcp --dport 2096 -j DROP
Apply these rules before the patch if your server has any public exposure on those ports. Remove them once the patch is confirmed deployed.
Checking for Compromise
cPanel has published an official detection script. Run it as root:
/usr/local/cpanel/scripts/check_cpanel_rpms --targets=cpanel
Additionally, inspect the raw session directory for anomalous files. Legitimate preauth sessions will not contain user=root:
grep -rl 'user=root' /var/cpanel/sessions/raw/
Any result from that grep on an unpatched server is grounds for treating the host as compromised. watchTowr has also published a Detection Artifact Generator for more thorough IOC analysis.
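The grep above catches the obvious string. As an added example (not cPanel's check script and not watchTowr's generator), the Python scanner below parses every file in the raw session directory as the key=value store shown earlier and reports three indicators: a file whose user is root (marked as preauth when needs_auth=1), a key that occurs more than once in one file (the page describes the injection as appending lines, so a second user= line is the expected footprint; that is an inference, not something the page states), and any line that is not key=value at all. The sample files are constructed, and /var/cpanel/sessions/raw is only the default path:

```python
"""Scan a cPanel raw session directory for the indicators discussed above.

Added example, not cPanel's detection script. Each file is parsed as the
newline-delimited key=value store shown earlier. Flagged: a file whose user
is root, a key that occurs more than once in one file (an appended line, which
is an inference from how the page describes the injection), and any line that
is not key=value. The sample files are constructed; SESSION_DIR is only a default.
"""
import os
import tempfile
from typing import Dict, Iterator, List, Optional, Tuple

SESSION_DIR = "/var/cpanel/sessions/raw"


def parse_session_lines(raw: str) -> Iterator[Tuple[Optional[str], Optional[str], Optional[str]]]:
    """Yield (key, value, malformed_line); duplicates are kept, not collapsed."""
    for line in raw.splitlines():
        if not line:
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            yield key, value, None
        else:
            yield None, None, line


def inspect_session(raw: str) -> List[str]:
    """Return human-readable findings for one session file (empty if clean)."""
    findings: List[str] = []
    seen: Dict[str, List[str]] = {}
    for key, value, bad in parse_session_lines(raw):
        if bad is not None:
            findings.append(f"malformed line: {bad!r}")
            continue
        seen.setdefault(key, []).append(value)
    for key, values in seen.items():
        if len(values) > 1:
            findings.append(f"duplicate key {key!r}: {values!r}")
    if "root" in seen.get("user", []):
        kind = "preauth " if seen.get("needs_auth", [""])[-1] == "1" else ""
        findings.append(f"{kind}session names user=root")
    return findings


def scan_session_dir(path: str = SESSION_DIR) -> Dict[str, List[str]]:
    """Map each suspicious file name under `path` to its findings."""
    results: Dict[str, List[str]] = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        # newline="" keeps a raw CR visible instead of translating it away
        with open(full, "r", encoding="utf-8", errors="replace", newline="") as fh:
            findings = inspect_session(fh.read())
        if findings:
            results[name] = findings
    return results


# Constructed samples: the article's benign preauth record, and one that looks
# like the appended-line injection the article describes.
SAMPLE_FILES = {
    "benign_preauth": "needs_auth=1\nuser=\nip_address=172.17.0.1\nlocal_port=2087\n",
    "suspect_preauth": ("needs_auth=1\nuser=\nip_address=172.17.0.1\nlocal_port=2087\n"
                        "login_hint=placeholder\r\nuser=root\n"),
}


def scan_sample_dir() -> Dict[str, List[str]]:
    """Write the constructed samples to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(tmp, name), "w", newline="") as fh:
                fh.write(body)
        return scan_session_dir(tmp)


if __name__ == "__main__":
    for name, findings in scan_sample_dir().items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On a live host call scan_session_dir() with no argument as root; a duplicate key or a malformed line is worth a look even when user=root is absent, since it indicates that something other than cpsrvd wrote to the file. This does not replace the official check_cpanel_rpms run or a full IOC sweep.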
Check your WHM and SSH access logs for root logins that did not originate from your known admin IPs:
grep 'Accepted' /var/log/secure | grep root
last root | head -30
Hardening After the Patch
This is a reasonable time to enforce controls that should already be in place:
Restrict WHM (port 2087) to trusted IP addresses only. In WHM: Home > Security Center > Host Access Control, or via /etc/hosts.allow:
cpanel: 198.51.100.10 198.51.100.11
Enable two-factor authentication for all WHM accounts: Home > Security Center > Two-Factor Authentication.
Disable root login via cPanel entirely if your workflow does not require it. All administrative actions can be performed through a named reseller account with sudo-equivalent privileges, preserving an audit trail.
The Fine Print
Zero-day exploitation was confirmed as far back as February 23, 2026 — about two months before disclosure. If your server was public-facing on port 2087 during that window without IP restrictions, treat it as potentially compromised regardless of what the detection script returns. A thorough audit of cron jobs, authorized SSH keys, and installed packages is warranted:
crontab -l -u root
cat /root/.ssh/authorized_keys
rpm -Va 2>/dev/null | grep -v '^......G' | head -40 # RPM-based systems
debsums -c 2>/dev/null | head -40 # Debian-based systems
Over 2 million cPanel instances are internet-accessible. If auto-updates were disabled, those servers are still unpatched.
References: cPanel official advisory · watchTowr full disclosure · Rapid7 ETR · NVD CVE-2026-41940
-Eric
