Vulnerabilities, May 1, 2026

Critical cPanel Vulnerability Lets Attackers Bypass Login, Gain Root Access

Critical cPanel CVE-2026-41940 allows login bypass and root access via CRLF injection.

Summary

A critical vulnerability (CVE-2026-41940, CVSS 9.8) in cPanel and WHM affects all versions and allows attackers to bypass login entirely and gain root access through CRLF injection in the whostmgrsession cookie. Active exploitation was confirmed since late February 2026, weeks before WebPros International released patches on April 28, 2026. Administrators are urged to update immediately and audit logs for unauthorized access.

Full text

A critical cPanel vulnerability lets attackers bypass login and gain root access, with active exploitation reported before patches were released.
by Deeba Ahmed, May 1, 2026

Cybersecurity researchers at watchTowr Labs have reported a critical security vulnerability in cPanel and WHM (Web Host Manager), a software suite used to manage over 70 million websites globally. WHM is used for server-wide administration, while cPanel is used by individual website owners. The vulnerability, tracked as CVE-2026-41940, allows attackers to bypass the suite's login screens entirely and gain root access.

The risk is unmistakable: CVE-2026-41940 has a CVSS score of 9.8 and affects all cPanel versions, including End-of-Life (EoL) releases. Nor is the threat theoretical. Hosting providers including KnownHost found the flaw being exploited as a zero-day since late February 2026, which means servers were being compromised roughly two months before cPanel developer WebPros International L.L.C. released an urgent patch on 28 April 2026.

Breaking the login system

The issue is a Missing Authentication for Critical Function weakness in cpsrvd, the cPanel service daemon that handles logins. When a user logs in, the server creates a file under /var/cpanel/sessions/raw/ to track the request. According to watchTowr Labs, an attacker can manipulate the whostmgrsession cookie by removing a specific segment of its value, which sidesteps the encryption the server normally applies to session data. The attacker then sends an Authorization: Basic header containing newline characters (\r\n), so that the line of session data is broken and a new line inserted. Because the server did not apply its filter_sessiondata routine (the input-sanitising step) at the right point, those newlines are written into the session file.
This is CRLF (Carriage Return Line Feed) injection, and it is dangerous here because it lets an attacker write their own entries into the server's session records. By appending a line such as hasroot=1, they can convince the system that they are already logged in as the administrator.

Forcing the fake login

Getting the server to actually trust the forged data required one more step, the researchers explained. cPanel normally loads sessions from a fast cache (temporary storage for quick access) and ignores the raw files. To get around this, the researchers found they could request specific parts of the software without a security token. That triggers a function called do_token_denied, which forces the server to run Modify::new and Modify::save; the server then reads the corrupted raw file and saves it into the main cache. Once that happens, the attacker has full root access without needing a password.

"According to cPanel, this vulnerability affects – and we cannot stress this enough – all currently supported versions of cPanel & WHM. Not some, or a few, or a specific release track," the researchers noted.

watchTowr's demo video: https://storage.ghost.io/c/a0/dc/a0dcbbe4-0ae7-4d7e-90f7-ebbc3a0f5a84/content/media/2026/04/whm-demo.mp4

Update Details

If you manage a server, check your software version immediately. The fix is included in these updates:

  • 110.0.x: 11.110.0.97
  • 118.0.x: 11.118.0.63
  • 126.0.x: 11.126.0.54
  • 132.0.x: 11.132.0.29
  • 134.0.x: 11.134.0.20
  • 136.0.x: 11.136.0.5

The watchTowr team has also published a Detection Artifact Generator on GitHub. Since attackers have been active for weeks, updating the software alone may not be enough: review your logs for signs of unauthorised access.
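To make the failure mode in "Breaking the login system" and "Forcing the fake login" concrete, here is a toy model of the pattern: a line-oriented key=value session record, a Basic auth header whose decoded username carries CR/LF, and the resulting forged hasroot=1 field. This is an added example, not cPanel's code and not watchTowr's exploit; the field names, the strip_crlf sanitiser (standing in for the role the article gives filter_sessiondata) and the assumption that the newlines travel inside the base64 payload are all illustrative.

```python
"""Toy model of CRLF injection into a line-oriented session file.

Constructed example: this is NOT cPanel's code. It models the pattern the
article describes (attacker-controlled text written into a key=value session
record without CR/LF filtering) so the failure mode can be seen end to end.
"""
import base64
import re
from typing import Dict, Optional, Tuple

# Hypothetical sanitiser standing in for the role the article gives to
# cPanel's filter_sessiondata; it is not that function.
_CRLF = re.compile(r"[\r\n]")


def strip_crlf(value: str) -> str:
    """Remove carriage returns and line feeds so a value cannot span lines."""
    return _CRLF.sub("", value)


def decode_basic_auth(header: str) -> Optional[Tuple[str, str]]:
    """Parse 'Basic <b64(user:pass)>' the way a naive server would.

    Base64 lets CR/LF bytes reach the application layer without breaking
    HTTP header framing; nothing here validates the decoded bytes (assumed
    delivery path, not a claim about cPanel's parser)."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return None
    decoded = base64.b64decode(token).decode("utf-8", errors="replace")
    user, _, password = decoded.partition(":")
    return user, password


def suspicious_basic_auth(header: str) -> bool:
    """Flag a Basic header whose decoded credentials contain CR or LF.

    Usable as a pre-auth check or when reviewing captured request headers."""
    creds = decode_basic_auth(header)
    return creds is not None and any(_CRLF.search(part) for part in creds)


def serialize_session(fields: Dict[str, str]) -> str:
    """Write a session record as one key=value pair per line."""
    return "".join(f"{key}={value}\n" for key, value in fields.items())


def parse_session(raw: str) -> Dict[str, str]:
    """Read a session record back; every line containing '=' is a field."""
    fields: Dict[str, str] = {}
    for line in raw.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def create_session(auth_header: str, sanitize: bool) -> Dict[str, str]:
    """Create a session from a Basic auth header and return the parsed record.

    With sanitize=False the raw username is written, so embedded CR/LF lets
    the client append arbitrary fields (the hasroot=1 pattern in the article).
    """
    creds = decode_basic_auth(auth_header)
    if creds is None:
        raise ValueError("unsupported Authorization scheme")
    user = strip_crlf(creds[0]) if sanitize else creds[0]
    raw = serialize_session({"user": user, "logged_in": "1"})
    return parse_session(raw)


def is_root_session(session: Dict[str, str]) -> bool:
    """Privilege decision based solely on the stored record, as the toy does."""
    return session.get("hasroot") == "1"


def make_header(user: str, password: str) -> str:
    """Build an Authorization header value; user may contain CR/LF on purpose."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


# Constructed attacker input: a newline inside the username smuggles a new
# key=value line into the session record.
MALICIOUS_HEADER = make_header("guest\r\nhasroot=1", "x")
BENIGN_HEADER = make_header("guest", "x")

if __name__ == "__main__":
    print("unfiltered:", create_session(MALICIOUS_HEADER, sanitize=False))
    print("filtered:  ", create_session(MALICIOUS_HEADER, sanitize=True))
    print("flagged:   ", suspicious_basic_auth(MALICIOUS_HEADER))
```

The unfiltered path yields a record with hasroot=1 even though the login code never set it; the sanitised path collapses the injected text into the username value, where it is harmless. The check in suspicious_basic_auth is the kind of thing worth running over captured request headers while reviewing logs, bearing in mind it only covers this one delivery path.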
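The update list above maps each release track to its fixed build, and the article stresses that EoL tracks are affected too but receive no fix. The following check compares an installed version against that list, treating any track without a listed fix as still affected rather than safe. This is an added example, not WebPros or watchTowr tooling: the fixed build numbers are copied from the article, while the version file path and the result labels are assumptions.

```python
"""Check an installed cPanel & WHM version against the fixed builds listed
for CVE-2026-41940.

Added example, not WebPros or watchTowr tooling. The fixed build numbers are
taken from the article; the version file path and the result labels are
assumptions for illustration."""
import os
from typing import Optional, Tuple

# Fixed builds per release track, copied from the article's update list.
FIXED_BUILDS = {
    110: "11.110.0.97",
    118: "11.118.0.63",
    126: "11.126.0.54",
    132: "11.132.0.29",
    134: "11.134.0.20",
    136: "11.136.0.5",
}

# Assumed location of the installed version string on a cPanel host.
VERSION_FILE = "/usr/local/cpanel/version"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.126.0.54' into (11, 126, 0, 54); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a cPanel version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(installed: str) -> str:
    """Classify a version as 'patched', 'vulnerable' or 'no-fix-listed'.

    Tuple comparison handles builds newer than the listed fix on the same
    track. A track with no listed fix (EoL releases, for example) is still
    affected according to the article, so it is never reported as patched.
    """
    version = parse_version(installed)
    track = version[1]
    fixed = FIXED_BUILDS.get(track)
    if fixed is None:
        return "no-fix-listed"
    return "patched" if version >= parse_version(fixed) else "vulnerable"


def assess_host(path: str = VERSION_FILE) -> Optional[str]:
    """Read the version file if present and assess it; None if absent."""
    if not os.path.exists(path):
        return None
    with open(path, encoding="ascii") as fh:
        return assess(fh.read())


if __name__ == "__main__":
    # Constructed inputs covering the interesting cases.
    for sample in ("11.126.0.54", "11.126.0.53", "11.136.0.12", "11.100.0.15"):
        print(sample, "->", assess(sample))
    print("this host ->", assess_host())
```

A result of "no-fix-listed" means the host is on a track the article gives no fixed build for; given that the flaw affects EoL releases as well, treat that host as exposed and plan a migration rather than assuming it is unaffected.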

Indicators of Compromise

  • cve — CVE-2026-41940

Entities

  • cPanel (product)
  • WHM (Web Host Manager) (product)
  • WebPros International L.L.C. (vendor)
  • watchTowr Labs (vendor)
  • KnownHost (vendor)