A critical vulnerability in cPanel exposes the entire server without requiring a single login

30.4.2026 | Autor: Top privacy
6

The critical vulnerability CVE-2026-41940 in cPanel & WHM allows an attacker to gain root access without a password. Patches are available — find out what you need to do immediately.

A critical vulnerability in cPanel exposes the entire server without requiring a single login

A vulnerability that exposes the entire server without a password

Alarm bells are ringing in the global web hosting community. A critical vulnerability in the cPanel & WHM software, designated CVE-2026-41940, has been confirmed to be actively exploited by attackers—and the situation is further complicated by the fact that a publicly available proof-of-concept (PoC) exploit dramatically lowers the barrier to entry for any attacker. cPanel’s official security advisory was published on April 28, 2026, and updated multiple times within 48 hours—which in itself indicates the speed at which the situation is evolving.

What an attacker can do

The vulnerability is located in the cPanel & WHM authentication layer, including DNSOnly deployments. The attack can be carried out in four steps: The attacker establishes a pre-authentication session, injects a CRLF payload to obtain a valid session token, extends the token into the server cache, and finally gains full WHM root access—the entire process occurs without any valid login credentials. The result is uncontrolled access not only to a single website but to the entire server environment, including all domains, email accounts, databases, and file systems.

Who Is Affected

The vulnerability affects all versions of cPanel & WHM after version 11.40—which represents an enormous attack surface, since cPanel is one of the most widely used web hosting management tools in the world. In practice, this means that web hosting providers, VPS server owners, e-commerce site operators, and any organization that manages websites or email services via the cPanel interface are at risk. Several global hosting providers have already taken the precautionary step of disconnecting their cPanel interfaces from the internet.

Patches are available; deployment is urgent

cPanel has released emergency patches for several versions of the product. Administrators should immediately run the command /scripts/upcp --force, verify the version, and restart the cpsrvd service. Warning—servers with automatic updates disabled will not receive the patch automatically and represent the highest-risk systems in any environment. If immediate patching is not possible, it is recommended to block ports 2083, 2087, 2095, and 2096 at the firewall level or temporarily stop the cpsrvd and cpdavd services.

What This Means in Practice

The combination of zero-day vulnerability, confirmed active exploitation, and a publicly available exploit makes CVE-2026-41940 one of the most urgent security incidents of the year. Organizations operating cPanel servers should prioritize deploying available patches, check access logs for anomalies, and verify that administrative ports are not unnecessarily exposed to the internet. Servers running unsupported versions of cPanel for which no patch exists must be considered compromised until proven otherwise.

From a personal data protection perspective, it is important to note that successful exploitation of this vulnerability may result in a leak of personal data stored on the server—and thus trigger the obligation to notify the Slovak Data Protection Authority under the GDPR.


OUR SERVICES
Source: Cyber Security News


Top privacy

Top privacy

"High-quality content isn't created by copywriters, but by experts."