- cPanel patched a critical authentication bypass (CVE-2026-41940, CVSS 9.8) on April 28, but evidence suggests attackers had been exploiting it since at least February 23.
- The flaw lets unauthenticated attackers inject root-level sessions through a CRLF injection in the login process, giving them full control over every site and database on a server.
- cPanel manages an estimated 70 million domains across millions of servers; patches are available for all supported versions.
A critical authentication bypass in cPanel and WebHost Manager (WHM), the web hosting control panels that sit behind a large slice of the internet, received emergency patches on April 28, 2026. The problem: attackers may have been exploiting the flaw undetected for months before that. A Shodan query returns roughly 1.5 million cPanel instances exposed to the public internet, each one a potential entry point.
CVE-2026-41940 carries a CVSS score of 9.8 out of 10, at the very top of the Critical band. The vulnerability stems from a missing authentication check in cpsrvd, the cPanel service daemon, before it writes a session file to disk. The attacker embeds raw carriage return and line feed characters (the CRLF of HTTP parlance) in a malicious Basic Authorization header. Because the daemon writes the session file without sanitising that input, the attacker's bytes land in the file as additional session properties, including user=root. Once the session is reloaded, the attacker has root. Full root, on every site and database that server manages.
“Think of it as the keys to the kingdom, and then the keys to every individual apartment inside the kingdom,” wrote security firm watchTowr in its technical analysis. “If the kingdom were the internet and the apartments were websites. For everything.”
How the Attack Works
Exploitation isn’t technically demanding. According to Rapid7 researcher Ryan Emmons, an attacker first obtains a session cookie by making a failed login attempt, then sends a request with a specially crafted header that tells the system to escalate that session to root. The cookie then grants full administrative access to cPanel and WHM, bypassing every authentication mechanism the software has. “Successful exploitation of CVE-2026-41940 grants an attacker control over the cPanel host system, its configurations and databases, and websites it manages,” warned Rapid7. The patch, released April 28 for all supported versions, fixes the session loading and saving logic. WP Squared, cPanel’s WordPress hosting platform, is also affected.
The disclosure timeline has drawn scrutiny. According to sources cited by webhosting.today, the vulnerability was reported to cPanel roughly two weeks before the April 28 advisory, and cPanel’s initial response, per those sources, was that nothing was wrong. The company published its advisory and released patches hours later, but by then evidence of in-the-wild exploitation had already surfaced. KnownHost CEO Daniel Pearson said his team was notified around the time the advisory dropped, prompting an immediate block of the WHM/cPanel login ports and rapid deployment of the patches across their network.
watchTowr published a technical analysis and proof-of-concept exploit on April 29. Security researchers have speculated that exploitation may have started as early as February 23, 2026, a two-month window in which attackers had root-level access to servers and no one noticed. Whether that timeline is accurate is still being determined, but the implication is uncomfortable either way: the gap between when attackers likely got in and when patches arrived was measured in months, not days.
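The bug class the two sections above describe, as an added illustration that is not cPanel's code and not the watchTowr or Rapid7 analysis: a toy line-oriented session store that trusts the username decoded from a Basic Authorization header, shown beside a hardened writer and a check that flags control characters hidden inside the header's Base64. The file layout, the last-duplicate-wins loader, the allow-list, every function name and the sample request are assumptions made for the demo; the article says nothing about cpsrvd's real internals beyond the paragraphs above.

```python
"""Toy model of CRLF injection into a key=value session file.

Constructed example, NOT cPanel's code. The session-file layout, the
loader's duplicate-key behaviour and the allow-list are all assumptions.
"""
import base64
import re

# Assumed username policy for the hardened path: no control characters,
# no separators, bounded length.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def parse_basic_auth(header_value: str) -> tuple[str, str]:
    """Decode an HTTP Basic Authorization header into (user, password).

    Base64 round-trips CR/LF like any other byte, so nothing here stops
    line separators from surviving into the username.
    """
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not Basic auth")
    decoded = base64.b64decode(blob).decode("utf-8", errors="replace")
    user, _, password = decoded.partition(":")
    return user, password


def write_session_vulnerable(user: str, authenticated: bool) -> str:
    """Vulnerable writer: serialises the username verbatim.

    A username containing "\\r\\nuser=root" therefore adds a second 'user'
    line, which the loader below treats as authoritative.
    """
    return f"user={user}\r\nauthenticated={int(authenticated)}\r\n"


def write_session_hardened(user: str, authenticated: bool) -> str:
    """Hardened writer: refuse anything outside the allow-list before it
    can reach the file, so no line separator can ever be written."""
    if not SAFE_USERNAME.fullmatch(user):
        raise ValueError("username rejected: characters outside the allow-list")
    return f"user={user}\r\nauthenticated={int(authenticated)}\r\n"


def load_session(blob: str) -> dict:
    """Line-oriented loader where the last duplicate key wins (an assumption;
    the article does not say which duplicate cPanel's loader prefers)."""
    session = {}
    for line in blob.split("\r\n"):
        if "=" in line:
            key, _, value = line.partition("=")
            session[key.strip()] = value.strip()
    return session


def session_user_from_header(header_value: str, writer) -> str:
    """Full flow: header -> decoded username -> session file -> loaded user.
    The session is written as a failed login, matching the article."""
    user, _password = parse_basic_auth(header_value)
    blob = writer(user, authenticated=False)
    return load_session(blob)["user"]


def hardened_rejects(header_value: str) -> bool:
    """True when the hardened writer refuses the credentials in the header."""
    try:
        session_user_from_header(header_value, write_session_hardened)
    except ValueError:
        return True
    return False


def header_has_control_chars(header_value: str) -> bool:
    """Detection check: flag Basic credentials that decode to any control
    byte. Usable in a reverse proxy or over captured request logs."""
    user, password = parse_basic_auth(header_value)
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in user + password)


# Constructed sample requests: one benign, one carrying the injected line.
BENIGN_HEADER = "Basic " + base64.b64encode(b"guest:x").decode()
MALICIOUS_HEADER = "Basic " + base64.b64encode(b"guest\r\nuser=root:x").decode()

if __name__ == "__main__":
    print("vulnerable:", session_user_from_header(MALICIOUS_HEADER, write_session_vulnerable))
    print("hardened rejects:", hardened_rejects(MALICIOUS_HEADER))
    print("control chars in header:", header_has_control_chars(MALICIOUS_HEADER))
```

Run stand-alone, the vulnerable path reports the crafted header's user as root while the hardened writer refuses it outright. The header check is the kind of test worth bolting onto a reverse proxy or a log-hunting script: Base64 hides the CR/LF from a casual reading of the header, so decoding before inspecting is the whole point.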
The Scale of What’s at Stake
cPanel and WHM are foundational infrastructure for shared web hosting. The software handles website management, databases, email configuration, domain transfers, and file transfers: everything a hosting provider’s customer needs. WHM adds a superadmin layer, letting providers manage hundreds or thousands of cPanel accounts from a single interface. Breaking into it doesn’t just compromise one website; it compromises the entire server and every site and database on it. The urgency mirrors events from earlier this week, when Treasury Secretary Bessent and Fed Chair Powell called in bank CEOs after AI security research revealed critical infrastructure vulnerabilities. A single compromised hosting provider could mean millions of visitor records, payment data, and private communications up for grabs.
The healthcare sector has felt this acutely in 2026. A ransomware attack on Sandhills Medical in New Mexico exposed the data of 170,000 patients in April alone. Globally, healthcare organizations have seen a surge in attacks; Comparitech tracked a significant increase in Q1 2026, with ransomware groups increasingly targeting the sector for the high value of medical records on the black market. A compromised hosting provider is a supply chain attack waiting to happen: the same server that hosts a hospital’s patient portal might also host the billing software for a law firm and the email server for a city government. Earlier this month, security researchers found a bug in the Vect ransomware that corrupted files beyond recovery, a reminder that attackers face their own technical failures.
Whether the cPanel vulnerability was a vector in any of those healthcare breaches is unknown. What is known is that the exploit is now public, the patches are available, and the window for defenders to act is narrowing. The Register was reporting the emergency patches by April 30, and the race to patch before the proof-of-concept is weaponized at scale is now the defining urgency for every hosting provider still running unpatched cPanel. With watchTowr’s technical analysis and PoC public, the barrier to exploitation is negligible: anyone with a copy of the PoC and a list of unpatched servers can run the attack.
The patch is available now. The question is how many of the 1.5 million exposed instances will get it before someone uses this to become root.
