✅ Urgent Security Advisory – Critical cPanel/WHM Vulnerability (CVE-2026-41940)

Wednesday, April 29, 2026

Dear Valued Client,

On 28 April 2026, cPanel officially disclosed a critical-severity vulnerability (CVE-2026-41940) affecting all currently supported cPanel/WHM installations. Given the severity of the matter, we wanted to share this advisory directly with you.

Nature of the Vulnerability

The flaw is an authentication bypass in the cPanel/WHM login flow. Independent security researchers classified it as CWE-306 (Missing Authentication for Critical Function). The severity has been assessed as CRITICAL under both CVSS v3.1 and CVSS v4.0, with scores in the 9.3–9.8 range.

How It Came About

The vulnerability stems from an inconsistency between the multiple authentication paths that have been added to the cPanel login flow over the years. A specially crafted HTTP request can obtain a valid session token without ever performing real authentication, effectively making the system mint a fully privileged admin session for an unauthenticated client. Such logic flaws typically reach production when auxiliary authentication paths (Basic Auth, fallback flows, etc.) are inadvertently exempted from the authorisation layer during interface refactors.

How It Can Be Exploited

  • The attacker only needs network access to the target server's cPanel/WHM ports (TCP 2082/2083/2086/2087).
  • No valid username, password, API token, or user interaction is required.
  • The crafted request manipulates the session mechanism in the login flow and yields a privileged admin session directly.
  • The privileged session grants full access to the cPanel/WHM control panel and can be escalated to remote code execution (RCE) on the underlying server.

A working proof-of-concept (PoC) has already been published by independent security researchers, which means the active exploitation window is open.

Our Side

The servers used in the cPanel hosting services provided by MKWServer are running the patched version 11.134.0.20; the related services are not affected by this vulnerability.

Action We Ask of You

If you operate your own cPanel/WHM-based servers, please urgently ensure that you have upgraded to one of the following patched version lines:

11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, 11.136.0.5
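To make the "am I patched?" question mechanical, here is a small POSIX shell check written for this advisory; it is not cPanel's own tooling. It encodes the patched minimum build per version line from the list above, compares an installed version component by component, and treats any version line not in the list (for example an end-of-life line) as unsupported rather than safe. The stand-alone run assumes the installed version can be read from /usr/local/cpanel/version, which is an assumption about the host layout.

```shell
#!/bin/sh
# Added example (not from the advisory or from cPanel): classify an installed
# cPanel/WHM version against the patched builds listed in the advisory.

# Patched minimum build for each supported version line (from the advisory).
PATCHED_VERSIONS="11.110.0.97 11.118.0.63 11.126.0.54 11.132.0.29 11.134.0.20 11.136.0.5"

# Print the version line (second dotted component, e.g. "134") of a version.
version_line() {
    printf '%s\n' "$1" | cut -d. -f2
}

# Numeric, component-wise comparison of two dotted versions.
# Returns 0 if $1 >= $2, 1 otherwise (so "11.136.0.12" >= "11.136.0.5").
version_ge() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# Prints "patched", "vulnerable", "unknown-line" or "invalid".
# An unknown line is one the advisory lists no fix for; treat it as vulnerable.
check_cpanel_version() {
    installed="$1"
    case "$installed" in
        11.*.*.*) ;;
        *) echo "invalid"; return 2 ;;
    esac
    line=$(version_line "$installed")
    for p in $PATCHED_VERSIONS; do
        if [ "$(version_line "$p")" = "$line" ]; then
            if version_ge "$installed" "$p"; then
                echo "patched"; return 0
            else
                echo "vulnerable"; return 1
            fi
        fi
    done
    echo "unknown-line"; return 1
}

# Stand-alone use on a cPanel host. The version file path is an assumption;
# `/usr/local/cpanel/cpanel -V` is another way to print the installed version.
if [ -r /usr/local/cpanel/version ]; then
    v=$(cat /usr/local/cpanel/version)
    echo "installed: $v -> $(check_cpanel_version "$v")"
fi
```

The check returns a non-zero exit status for anything other than "patched", so it can be dropped into a monitoring job that alerts until every server reports a patched build.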

Additional recommended steps:

  • Confirm that automatic cPanel updates are enabled under WHM > Update Preferences.
  • Until the update is applied, restrict access to your cPanel/WHM management ports (2083, 2087) to trusted IP addresses where possible.
  • After the upgrade, briefly review your server logs for unusual admin sessions, unexpected API calls, or newly created accounts.
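For the interim port restriction above, the following POSIX shell snippet is an added example (not part of the advisory) that generates iptables rules limiting the SSL management ports 2083 and 2087 to a space-separated list of trusted IPv4 addresses or CIDR ranges. It validates each source before emitting anything and only prints the rules, so they can be reviewed before being applied; the port list and the allow-then-drop ordering are the only things it assumes about the host.

```shell
#!/bin/sh
# Added example (not from the advisory): print iptables rules that allow the
# cPanel/WHM management ports only from trusted sources and drop everyone else.
# The rules are printed, not applied; review them, then run them on the host.

WHM_PORTS="2083 2087"   # SSL cPanel and WHM ports named in the advisory

# Minimal IPv4 CIDR sanity check: a.b.c.d or a.b.c.d/n with n in 0..32.
valid_cidr() {
    ip=${1%/*}; mask=${1#*/}
    [ "$mask" = "$1" ] && mask=32          # no "/n" given: single host
    case "$mask" in ''|*[!0-9]*) return 1 ;; esac
    [ "$mask" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# For each port: one ACCEPT per trusted source, then a catch-all DROP.
# The ACCEPT rules must precede the DROP, so they are appended first.
gen_whm_allowlist() {
    trusted="$1"
    [ -n "$trusted" ] || { echo "no trusted sources given" >&2; return 1; }
    for src in $trusted; do
        valid_cidr "$src" || { echo "bad CIDR: $src" >&2; return 1; }
    done
    for port in $WHM_PORTS; do
        for src in $trusted; do
            echo "iptables -A INPUT -p tcp --dport $port -s $src -j ACCEPT"
        done
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

# Stand-alone use: sources are constructed sample values (documentation ranges).
gen_whm_allowlist "203.0.113.10 198.51.100.0/24"
```

If the server runs a firewall manager that rewrites the iptables rule set on restart, add the same allowlist through that manager instead of with raw iptables commands, otherwise the restriction silently disappears on the next reload. Remember to include the address you administer from, or you lock yourself out of WHM.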

Official references:


We wanted to flag this matter to you proactively. Please feel free to reach out if you need any further support.