CVE-2026-41940
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| WebPros | cPanel | 11.40.0.0 < 11.86.0.41 | affected |
| WebPros | cPanel | 11.88.0.0 < 11.94.0.28 | affected |
| WebPros | cPanel | 11.96.0.0 < 11.102.0.39 | affected |
| WebPros | cPanel | 11.104.0.0 < 11.110.0.97 | affected |
| WebPros | cPanel | 11.112.0.0 < 11.118.0.63 | affected |
| WebPros | cPanel | 11.120.0.0 < 11.124.0.35 | affected |
| WebPros | cPanel | 11.126.0.0 < 11.126.0.54 | affected |
| WebPros | cPanel | 11.128.0.0 < 11.130.0.19 | affected |
| WebPros | cPanel | 11.132.0.0 < 11.132.0.29 | affected |
| WebPros | cPanel | 11.134.0.0 < 11.134.0.20 | affected |
| WebPros | cPanel | 11.136.0.0 < 11.136.0.5 | affected |
| WebPros | WP Squared | 11.136.1.7 | unaffected |
| WebPros | WHM | 11.40.0.0 < 11.86.0.41 | affected |
| WebPros | WHM | 11.88.0.0 < 11.94.0.28 | affected |
| WebPros | WHM | 11.96.0.0 < 11.102.0.39 | affected |
| WebPros | WHM | 11.104.0.0 < 11.110.0.97 | affected |
| WebPros | WHM | 11.112.0.0 < 11.118.0.63 | affected |
| WebPros | WHM | 11.120.0.0 < 11.124.0.35 | affected |
| WebPros | WHM | 11.126.0.0 < 11.126.0.54 | affected |
| WebPros | WHM | 11.128.0.0 < 11.130.0.19 | affected |
| WebPros | WHM | 11.132.0.0 < 11.132.0.29 | affected |
| WebPros | WHM | 11.134.0.0 < 11.134.0.20 | affected |
| WebPros | WHM | 11.136.0.0 < 11.136.0.5 | affected |
Weaknesses
- CWE-306: CWE-306 Missing Authentication for Critical Function
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: active
- Automatable: yes
- Technical Impact: total
Additional References
- https://github.com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41940
CVE Program Container
Additional References
- https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/
- https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/
References
- https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026
- https://docs.cpanel.net/release-notes/release-notes
- https://docs.wpsquared.com/changelogs/versions/changelog/#13617
- https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026
- https://www.vulncheck.com/advisories/cpanel-and-whm-authentication-bypass-via-login-flow
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.