On April 28, 2026, cPanel issued a security update to fix a critical vulnerability affecting the cPanel & WHM and WP Squared products. CVE-2026-41940, which was assigned on April 29, 2026, has a CVSS score of 9.8 and enables unauthenticated remote attackers to bypass authentication and gain unauthorized administrative access to affected systems.
The flaw stems from a CRLF injection in the login and session loading processes, allowing an attacker to influence the session file written by cpsrvd and inject properties such as user=root. A naive Shodan query for potential targets returns approximately 1.5 million cPanel instances exposed to the internet that may be vulnerable.
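As an added illustration of the bug class described above (a constructed example, not cpsrvd's code; the session-file layout, field names and function names are assumptions), a naive key=value session writer is shown beside a hardened one that refuses control characters before serialising, which is the property a fix for this kind of flaw has to guarantee:

```python
import re

# Constructed illustration: a session store that serialises a login-derived
# field as key=value lines. NOT cpsrvd's code; layout and names are assumed.

def write_session_naive(username: str) -> str:
    """Vulnerable: the username is embedded verbatim, so a CR/LF inside it
    begins a new property line that the loader will later trust."""
    return f"user={username}\r\nauth=1\r\n"

def load_session(blob: str) -> dict:
    """Loader that treats every key=value line as a property; the last
    occurrence of a key wins, a common (and here fatal) convention."""
    props = {}
    for line in re.split(r"\r?\n", blob):
        if "=" in line:
            key, value = line.split("=", 1)
            props[key] = value
    return props

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

def write_session_hardened(username: str) -> str:
    """Fixed: reject any control character before the value reaches the
    serialiser, so a field can never terminate or add a property line."""
    if CONTROL_CHARS.search(username):
        raise ValueError("control character in session field")
    return f"user={username}\r\nauth=1\r\n"

def demo():
    # Constructed input: a login name carrying an injected 'user=root' line.
    tainted = "alice\r\nuser=root"
    naive_user = load_session(write_session_naive(tainted))["user"]
    try:
        write_session_hardened(tainted)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True
    # Naive writer yields an effective user of 'root'; hardened one refuses.
    return naive_user, hardened_rejected

if __name__ == "__main__":
    print(demo())
```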
KnownHost stated that CVE-2026-41940 is actively being exploited in the wild, with speculation of targeted zero-day exploitation as early as February 23, 2026, prior to public disclosure, and security firm watchTowr has published a technical analysis and a proof-of-concept exploit. For mitigation, organisations should upgrade to fixed versions; some providers have temporarily blocked ports 2083 and 2087 as a workaround, though patching is strongly advised according to the vendor advisories.