Critical Vulnerability Alert: CVE-2026-41940 in cPanel, WHM, and WP Squared
A critical vulnerability CVE-2026-41940 has been identified in cPanel, WHM, and WP Squared, affecting cPanel & WHM versions after 11.40, as well as WP Squared. These web hosting control panels are commonly used to manage websites, email, databases, and server configurations, making unauthorized access a serious security concern.
CVE-2026-41940 carries a CVSS score of 9.8 (Critical) and a Bitsight Dynamic Vulnerability Exploit (DVE) score of 9.3, signaling both severe technical risk and elevated real-world threat activity. The vulnerability can be exploited remotely over the network, requires low attack complexity, and does not require privileges or user interaction.
According to Bitsight Threat Intelligence
Bitsight Threat Intelligence indicates active exploitation of CVE-2026-41940 in the wild. A public proof-of-concept (PoC) is now available, which may increase the likelihood of broader exploitation. There is currently no known exploit kit or Metasploit module associated with this vulnerability, and it is not trending on GitHub. There is no confirmed association with APT activity based on available intelligence.
CVE-2026-41940 overview
This vulnerability allows unauthenticated remote attackers to bypass authentication mechanisms in cPanel, WHM, and WP Squared. Successful exploitation may allow unauthorized access to the control panel, bypass MFA protections, and potentially grant root-level control over affected servers and hosted domains.
Exploitation activity has been observed prior to patch availability, with reports indicating execution attempts as early as February 23, 2026\. Internet-facing environments are especially important to review, as the vulnerability can be exploited remotely without valid credentials.
Vulnerability Details
Technical Root Cause
CRLF injection in the session handling logic of the cpsrvd daemon, allowing specially crafted HTTP Authorization headers to manipulate server-side session files prior to authentication.
Attack Scenario
- Remote attacker sends crafted HTTP request with malicious Authorization header
- CRLF injection manipulates session file before authentication check
- Session file modified to bypass authentication verification
- Attacker gains unauthorized access as administrative user
- Full control over cPanel environment and hosted domains
Potential Impacts
- Authentication Bypass: Complete circumvention of MFA and credential requirements
- Unauthorized Administrative Access: Attacker operates with full admin privileges
- Root-Level Control: Potential for system-level compromise
- Data Exposure: Access to all hosted customer data and sensitive configuration
- Domain Control: Modification of DNS records, email routing, and hosted content
- Operational Disruption: Widespread impact during investigation and recovery
Why This Matters
This vulnerability is particularly dangerous because:
- No credentials or MFA bypass required — purely network-based
- Active exploitation observed in the wild
- Public PoC material accelerates adoption by threat actors
- cPanel environments typically manage multiple services and sensitive data
- Widespread internet exposure increases attack surface
- Downstream impact on all hosted domains and customers
Patch Versions
| Product | Patched Version |
|---|---|
| cPanel/WHM 11.110.0 | → 11.110.0.97 |
| cPanel/WHM 11.118.0 | → 11.118.0.63 |
| cPanel/WHM 11.126.0 | → 11.126.0.54 |
| cPanel/WHM 11.132.0 | → 11.132.0.29 |
| cPanel/WHM 11.134.0 | → 11.134.0.20 |
| cPanel/WHM 11.136.0 | → 11.136.0.5 |
| WP Squared 11.136.1 | → 11.136.1.7 |
Remediation Timeline
cpsrvd service to ensure patches are fully applied and active.Recommended Actions
- Patch all affected cPanel/WHM/WP Squared systems
- Restart cpsrvd service to activate patches
- Verify patch installation completed successfully
- Enable enhanced security monitoring and alerting
- Reset all administrative credentials as precaution
- Purge all active sessions to force re-authentication
- Review access logs for indicators of compromise
- Conduct full forensic analysis of logs spanning pre-patch period
- Hunt for persistence mechanisms or backdoors
- Verify integrity of hosted domains and configurations
- Validate backup integrity and test restoration procedures
Threat landscape & context
CVE-2026-41940 is notable due to the combination of critical severity and confirmed exploitation in the wild, including activity observed prior to the release of patches. The availability of technical details and PoC material are now publicly available and may further increase exploitation attempts.
Given the widespread deployment of cPanel and related technologies, organizations should prioritize visibility into exposed systems and ensure timely remediation.
How Bitsight Threat Intelligence can help
- External Risk Identification: Identify exposed systems that may be affected by CVE-2026-41940
- Threat Monitoring: Track exploit activity and threat trends
- Attack Surface Visibility: Help organizations understand externally exposed assets
- Third-Party Risk Insights: Assess vendor and supply chain exposure
- Actionable Intelligence: Translate technical risk into clear business impact
CVE-2026-41940 is a critical authentication bypass vulnerability with confirmed exploitation in the wild. Organizations using affected cPanel, WHM, and WP Squared versions should prioritize patching, strengthen access controls, and monitor for suspicious activity.
To learn more about CVE-2026-41940 or speak with a Bitsight TI expert, contact us today