What Is CVE-2026-41940?
A critical-severity authentication bypass vulnerability, CVE-2026-41940, has been officially disclosed in cPanel and WHM — one of the most widely used web hosting control panels in the world. This flaw allows an unauthenticated attacker to gain full administrative access to any unpatched cPanel/WHM server without a username, password, or API token.
If your server is running an unpatched version of cPanel/WHM, it is actively at risk right now.
Severity at a Glance
| Detail | Information |
|---|---|
| CVE ID | CVE-2026-41940 |
| Disclosure Date | April 28, 2026 |
| CVSS Score | 9.3 – 9.8 (Critical) |
| Weakness Type | CWE-306 – Missing Authentication for Critical Function |
| Affected Ports | TCP 2082, 2083, 2086, 2087 |
| Proof-of-Concept | Publicly Available |
| Patch Available | ✅ Yes |
How Does This cPanel Authentication Bypass Work?
The vulnerability originates from a long-standing inconsistency within cPanel’s login flow. Over time, multiple authentication pathways — including Basic Auth and fallback mechanisms — were added to the system. During interface-level refactors, certain auxiliary paths were left outside the main authorization layer, creating a critical gap.
An attacker exploiting CVE-2026-41940 can:
- Send a specially crafted HTTP request to cPanel/WHM management ports
- Obtain a valid, fully privileged admin session token — without any credentials
- Gain complete control of the cPanel/WHM control panel
- Escalate access to achieve Remote Code Execution (RCE) on the server
⚠️ A working Proof-of-Concept (PoC) is already publicly available. Active exploitation is a real and immediate threat.
Who Is Affected?
Any server running a cPanel/WHM version prior to the patched releases and exposed to the internet via ports 2082, 2083, 2086, or 2087 is vulnerable. This includes:
- Shared hosting providers using cPanel/WHM
- VPS and dedicated server operators
- Reseller hosting environments
- Any business or individual self-managing a cPanel/WHM server
Patched Versions — Update Immediately
Upgrade to one of the following officially patched cPanel/WHM versions without delay:
| Patched Version | Status |
|---|---|
| 11.110.0.97 | ✅ Safe |
| 11.118.0.63 | ✅ Safe |
| 11.126.0.54 | ✅ Safe |
| 11.132.0.29 | ✅ Safe |
| 11.134.0.20 | ✅ Safe (Recommended) |
| 11.136.0.5 | ✅ Safe |
Step-by-Step Mitigation Guide
Step 1 — Apply the Patch Immediately
Log into WHM and open WHM > cPanel > Upgrade to Latest Version to update to the latest patched build for your release tier, or run `/scripts/upcp --force` as root. Afterwards, confirm the installed version with `cat /usr/local/cpanel/version` and compare it against the table above.
Step 2 — Enable Automatic Updates
Under WHM > Server Configuration > Update Preferences, make sure automatic updates are enabled so future critical patches are applied without delay.
Step 3 — Restrict Port Access
Until the patch is confirmed, block public access to TCP 2082, 2083, 2086 and 2087 at the firewall and allow only trusted, allowlisted IP addresses. Restricting only 2083 and 2087 is not enough: 2082 and 2086 are the plaintext listeners for the same cPanel and WHM services.
Step 4 — Audit Your Server Logs
After upgrading, review cPanel's own logs (`/usr/local/cpanel/logs/access_log` and `/usr/local/cpanel/logs/login_log`) as well as the system authentication logs. Look for:
- Unfamiliar or unauthorized admin sessions
- Unexpected API calls or token generation events
- Newly created accounts you do not recognize
Step 5 — Monitor for Indicators of Compromise (IoC)
If you suspect exploitation has already occurred, isolate the server, preserve logs (copy them off the host, since an attacker with WHM access runs as root and can alter them), and consult a cybersecurity professional immediately. Because the bypass yields full administrative access, treat any confirmed hit as a root-level compromise rather than a single bad login.
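The five steps above can be backed by a small triage script. The following is an added example written for this advisory; it is not code from cPanel or from the original post. It checks the running version against the patched-build table, prints firewall rules that fence off all four control-panel ports, and scans cPanel's access log for token and account creation from hosts you do not trust. It assumes the host uses iptables directly, that the access log follows the combined-log-style layout shown in the constructed `SAMPLE_LOG`, and that `/usr/local/cpanel/version` holds the installed version; the IP addresses and log lines are made up for the demonstration.

```sh
#!/bin/sh
# Added example for this advisory (not cPanel's or the original post's code).
# Assumptions: iptables is the firewall in use; the access log uses the layout
# shown in SAMPLE_LOG; /usr/local/cpanel/version holds the installed version.

# Minimum patched build per release branch, copied from the advisory's table.
# A version string is 11.<branch>.0.<build>; 11.134.0.20 is branch 134, build 20.
PATCHED_BUILDS="110 97
118 63
126 54
132 29
134 20
136 5"

# is_patched VERSION -> prints "patched" or "vulnerable".
# A branch the table does not list is reported "vulnerable": the advisory names
# no safe build for it, so treat it as unpatched until you confirm otherwise.
is_patched() {
    branch=$(printf '%s' "$1" | cut -d. -f2)
    build=$(printf '%s' "$1" | cut -d. -f4)
    min=$(printf '%s\n' "$PATCHED_BUILDS" | awk -v b="$branch" '$1 == b { print $2 }')
    if [ -n "$min" ] && [ -n "$build" ] && [ "$build" -ge "$min" ] 2>/dev/null; then
        echo patched
    else
        echo vulnerable
    fi
}

# restrict_panel_ports "IP [IP ...]" -> prints (does not run) iptables commands.
# Each rule is inserted at the top of INPUT, DROP first, so the ACCEPTs inserted
# afterwards land above it: final order is ACCEPT trusted, then DROP everyone.
# Include your own address in the list or you will lock yourself out of WHM.
restrict_panel_ports() {
    for port in 2082 2083 2086 2087; do
        echo "iptables -I INPUT 1 -p tcp --dport $port -j DROP"
        for ip in $1; do
            echo "iptables -I INPUT 1 -p tcp --dport $port -s $ip -j ACCEPT"
        done
    done
}

# Constructed sample of /usr/local/cpanel/logs/access_log, not real data. Fields:
# IP - USER [time] "METHOD PATH PROTO" status bytes. 203.0.113.10 plays the
# admin's trusted workstation; 198.51.100.7 is an unknown host.
SAMPLE_LOG='203.0.113.10 - root [28/04/2026:09:12:01 +0000] "GET /json-api/listaccts?api.version=1 HTTP/1.1" 200 1421
198.51.100.7 - root [28/04/2026:09:13:44 +0000] "POST /json-api/api_token_create?api.version=1&token_name=sync HTTP/1.1" 200 310
198.51.100.7 - root [28/04/2026:09:14:02 +0000] "GET /json-api/createacct?api.version=1&username=svc01&domain=example.test HTTP/1.1" 200 905
203.0.113.10 - root [28/04/2026:10:02:17 +0000] "GET /scripts/command?PFILE=main HTTP/1.1" 200 25600'

# flag_sensitive_requests "TRUSTED_IP [TRUSTED_IP ...]" < access_log
# Prints every WHM API call that creates an API token, a user session or an
# account (api_token_create, create_user_session, createacct) whatever its source,
# plus any other /json-api or /xml-api call from an IP outside the trusted list.
# Ordinary panel page loads are left alone.
flag_sensitive_requests() {
    awk -v allow=" $1 " '
        {
            ip = $1; path = $7
            trusted = index(allow, " " ip " ") > 0
            creates = path ~ /\/(json|xml)-api\/(api_token_create|create_user_session|createacct)/
            anyapi  = path ~ /^\/(json|xml)-api\//
            if (creates || (anyapi && !trusted)) print
        }'
}

# Stand-alone use on a cPanel host: report the installed version's status.
if [ -r /usr/local/cpanel/version ]; then
    v=$(cat /usr/local/cpanel/version)
    echo "cPanel/WHM $v: $(is_patched "$v")"
fi
# Demo on the constructed log with 203.0.113.10 trusted: prints two lines, the
# token creation and the account creation from 198.51.100.7.
printf '%s\n' "$SAMPLE_LOG" | flag_sensitive_requests "203.0.113.10"
```

On a real host, feed `/usr/local/cpanel/logs/access_log` into `flag_sensitive_requests` with your administrators' addresses, and review `restrict_panel_ports` output before applying it (or translate it into CSF or firewalld configuration if that is what manages the firewall). The version check is deliberately strict: a branch missing from the advisory's table is reported vulnerable rather than silently passed.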
Are APTCOM-Hosted Servers Affected?
No. All servers operating under APTCOM’s cPanel hosting infrastructure have been proactively upgraded to the patched version 11.134.0.20. Our customers on managed cPanel hosting are fully protected and require no action on their part.
Frequently Asked Questions (FAQ)
Q: Do I need to patch if my cPanel ports are behind a firewall?
A: Yes. Defense in depth is essential. Port restriction reduces exposure but does not eliminate the vulnerability. Patch regardless.
Q: Can I detect if my server was already compromised?
A: Check admin session logs, API call history, and account creation records immediately after patching. Rotate WHM API tokens and the root password as well: a successful bypass grants full administrative access, so any sign of unauthorized activity should be handled as a root-level compromise.
Q: Is this vulnerability being actively exploited?
A: Yes. A public PoC is available, and active exploitation attempts are highly likely.
Q: What if I cannot update immediately?
A: Restrict TCP 2082, 2083, 2086 and 2087 to trusted IPs as an emergency interim measure and prioritize patching as soon as possible.
Stay secure. Stay informed. Contact our support team if you need assistance.