Critical Vulnerability Alert: CVE-2026-41940 in cPanel, WHM, and WP Squared
A critical vulnerability CVE-2026-41940 has been identified in cPanel, WHM, and WP Squared, affecting cPanel & WHM versions after 11.40, as well as WP Squared. These web hosting control panels are commonly used to manage websites, email, databases, and server configurations, making unauthorized access a serious security concern.
CVE-2026-41940 carries a CVSS score of 9.8 (Critical) and a Bitsight Dynamic Vulnerability Exploit (DVE) score of 9.3, signaling both severe technical risk and elevated real-world threat activity. The vulnerability can be exploited remotely over the network, requires low attack complexity, and does not require privileges or user interaction.
According to Bitsight Threat Intelligence
Bitsight Threat Intelligence indicates active exploitation of CVE-2026-41940 in the wild. A public proof-of-concept (PoC) is now available, which may increase the likelihood of broader exploitation. There is currently no known exploit kit or Metasploit module associated with this vulnerability, and it is not trending on GitHub. There is no confirmed association with APT activity based on available intelligence.
CVE-2026-41940 overview
This vulnerability allows unauthenticated remote attackers to bypass authentication mechanisms in cPanel, WHM, and WP Squared. Successful exploitation may allow unauthorized access to the control panel, bypass MFA protections, and potentially grant root-level control over affected servers and hosted domains.
Exploitation activity has been observed prior to patch availability, with reports indicating execution attempts as early as February 23, 2026. Internet-facing environments are especially important to review, as the vulnerability can be exploited remotely without valid credentials.
CVE-2026-41940 technical overview
- Vulnerability Type: Authentication Bypass
- Affected Products: cPanel, WHM, WP Squared
- Affected Versions: Versions after 11.40
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Technical Root Cause: CRLF injection in the session handling logic of the cpsrvd daemon, allowing specially crafted HTTP Authorization headers to manipulate server-side session files prior to authentication
- Potential Impact: Authentication and MFA bypass, unauthorized administrative access, root-level control over affected servers, sensitive data exposure, and control over hosted domains
- CVSS Score: 9.8 (Critical)
- DVE Score: 9.3 (Bitsight intelligence scoring)
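The root cause above (CR/LF characters reaching cpsrvd through the HTTP Authorization header on the cPanel/WHM service ports) gives defenders a concrete thing to look for in proxy, WAF or edge logs. The following is an added example, not code from Bitsight or cPanel: it scans constructed JSON-lines request records, flags any Authorization header that carries a raw or percent-encoded CR/LF (rating it critical when the server answered 200), and separately counts repeated 401s per source on the cPanel ports. The field names (`ts`, `src`, `dport`, `path`, `authz`, `status`) are an assumption for this example and are not a cPanel log format; map them to whatever your edge logging actually emits.

```python
"""Added example (not from the Bitsight advisory or from cPanel): flag requests to
cPanel/WHM service ports whose Authorization header carries CR/LF, and bursts of
failed logins on those ports. Record field names are assumed for this example."""
import json
import re
from collections import Counter
from typing import List, Tuple

# cPanel, WHM and webmail service ports named in the advisory.
CPANEL_PORTS = {2083, 2087, 2095, 2096}

# Raw CR/LF, or their percent-encoded forms, anywhere in a header value.
CRLF_RE = re.compile(r"[\r\n]|%0[dDaA]")

# Constructed sample records (JSON lines). These are invented for the example;
# the CR/LF is a generic marker, not an exploit payload.
SAMPLE_RECORDS = r"""
{"ts":"2026-02-23T03:14:02Z","src":"203.0.113.7","dport":2087,"path":"/login/","authz":"Basic dXNlcjpwYXNz","status":401}
{"ts":"2026-02-23T03:14:05Z","src":"203.0.113.7","dport":2087,"path":"/login/","authz":"Basic dXNlcjpwYXNz\r\nfoo: bar","status":200}
{"ts":"2026-02-23T03:15:10Z","src":"198.51.100.4","dport":2083,"path":"/login/","authz":"Basic %0d%0aY","status":401}
{"ts":"2026-02-23T03:20:00Z","src":"192.0.2.9","dport":2083,"path":"/frontend/","authz":"","status":200}
{"ts":"2026-02-23T03:20:30Z","src":"192.0.2.9","dport":443,"path":"/","authz":"Basic \r\nZ","status":200}
{"ts":"2026-02-23T03:21:00Z","src":"203.0.113.7","dport":2083,"path":"/login/","authz":"Basic Zm9vOmJhcg==","status":401}
{"ts":"2026-02-23T03:21:01Z","src":"203.0.113.7","dport":2083,"path":"/login/","authz":"Basic Zm9vOmJheg==","status":401}
{"ts":"2026-02-23T03:21:02Z","src":"203.0.113.7","dport":2083,"path":"/login/","authz":"Basic Zm9vOnF1eA==","status":401}
"""


def has_crlf(header_value: str) -> bool:
    """True if the header value contains a raw or percent-encoded CR or LF."""
    return bool(CRLF_RE.search(header_value))


def analyze(records_text: str, failed_threshold: int = 3) -> List[Tuple[str, str]]:
    """Return (severity, message) findings, in the order they are discovered.

    Only requests to the cPanel service ports are considered; traffic to other
    ports (e.g. 443 in the sample) is ignored even if it carries CR/LF.
    """
    findings: List[Tuple[str, str]] = []
    failed_by_src: Counter = Counter()
    for line in records_text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["dport"] not in CPANEL_PORTS:
            continue
        authz = rec.get("authz", "")
        if has_crlf(authz):
            # A 200 after a CR/LF-bearing Authorization header deserves the
            # highest priority: it is consistent with a successful bypass.
            severity = "critical" if rec["status"] == 200 else "high"
            findings.append((severity,
                             f"{rec['ts']} {rec['src']}:{rec['dport']} "
                             f"CR/LF in Authorization header (status {rec['status']})"))
        if rec["status"] == 401:
            failed_by_src[rec["src"]] += 1
    for src, count in failed_by_src.items():
        if count >= failed_threshold:
            findings.append(("medium", f"{src}: {count} failed logins on cPanel ports"))
    return findings


if __name__ == "__main__":
    for severity, message in analyze(SAMPLE_RECORDS):
        print(f"[{severity}] {message}")
```

Run over the constructed sample, the scan yields one critical finding (the 200 following a CR/LF header on port 2087), one high finding (the percent-encoded CR/LF on port 2083) and one medium finding (four 401s from the same source). The 443 record with CR/LF is deliberately ignored so that the rule stays scoped to the services the advisory names; widen `CPANEL_PORTS` if your deployment fronts cPanel on other ports.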
Why this matters
This vulnerability is particularly dangerous because it allows remote attackers to gain unauthorized access without requiring credentials or any user interaction. It has already been observed being exploited in the wild, including prior to the release of patches, which increases the urgency for remediation. The availability of public PoC material may further accelerate widespread exploitation. Given that cPanel and WHM environments often manage multiple services and sensitive data, a successful compromise could have significant downstream impact. Additionally, the widespread internet exposure of cPanel environments increases the risk of broad exploitation, although the total number of vulnerable instances remains unknown.
CVE-2026-41940 impact to organizations
Organizations using affected versions of cPanel, WHM, and WP Squared may face:
- Unauthorized access to control panel environments
- Exposure of sensitive system or customer data
- Unauthorized configuration changes
- Potential control over affected systems
- Operational disruption during investigation and remediation
Recommendations
- Immediate patch application
Update all affected systems to the latest versions that address this vulnerability:
cPanel/WHM 11.110.0 → 11.110.0.97
cPanel/WHM 11.118.0 → 11.118.0.63
cPanel/WHM 11.126.0 → 11.126.0.54
cPanel/WHM 11.132.0 → 11.132.0.29
cPanel/WHM 11.134.0 → 11.134.0.20
cPanel/WHM 11.136.0 → 11.136.0.5
WP Squared 11.136.1 → 11.136.1.7
- After applying updates, restart the cpsrvd service to ensure patches are fully applied.
- Temporary mitigation (if patching is not immediately possible)
Block external access to ports 2083, 2087, 2095, and 2096
Alternatively, stop the cpsrvd and cpdavd services until remediation is completed
- Enhanced security monitoring
Monitor for:
- Unusual login attempts
- Unauthorized access patterns
- Unauthorized configuration changes
- Repeated failed login attempts
- Threat hunting and log analysis
Review logs for:
- Access from unusual IP addresses
- Access at unusual times
- Suspicious login activity
- Indicators of unauthorized control panel access
- Incident response readiness
If compromise is suspected:
- Isolate affected systems
- Purge active sessions
- Reset all credentials
- Audit logs and investigate persistence mechanisms
- Restore systems from known-good states if necessary
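The patch table in the recommendations above lists a fixed build per release branch, and the advisory scopes the affected range as "versions after 11.40". Checking a fleet against that table by hand is error-prone, so here is an added example (not cPanel's or Bitsight's code) that turns the table into a lookup and classifies an installed version string as patched, vulnerable, on a branch with no listed fix, or outside the stated range. Reading the version from `/usr/local/cpanel/version` is an assumption for this example; the constructed fallback versions in `main` are invented.

```python
"""Added example (not cPanel's or Bitsight's code): classify an installed
cPanel/WHM or WP Squared version against the fixed builds listed in the advisory."""
from typing import Dict, Optional, Tuple

# Fixed builds from the advisory, keyed by the first three version components.
# WP Squared tracks the 11.136.1 branch, cPanel/WHM 11.136 tracks 11.136.0.
FIXED_BUILDS: Dict[str, Tuple[int, ...]] = {
    "11.110.0": (11, 110, 0, 97),
    "11.118.0": (11, 118, 0, 63),
    "11.126.0": (11, 126, 0, 54),
    "11.132.0": (11, 132, 0, 29),
    "11.134.0": (11, 134, 0, 20),
    "11.136.0": (11, 136, 0, 5),
    "11.136.1": (11, 136, 1, 7),   # WP Squared
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.126.0.54' into (11, 126, 0, 54); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text: str) -> str:
    """Return one of: patched, vulnerable, unknown-branch, not-in-scope.

    'unknown-branch' means the advisory lists no fixed build for this branch;
    treat it as vulnerable until the vendor confirms otherwise.
    """
    v = parse_version(version_text)
    # The advisory states that versions after 11.40 are affected; branches at
    # or below 11.40 are read here as outside its stated range.
    if v[:2] <= (11, 40):
        return "not-in-scope"
    branch = ".".join(str(p) for p in v[:3])
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown-branch"
    # Tuple comparison: a bare '11.126.0' sorts below (11, 126, 0, 54).
    return "patched" if v >= fixed else "vulnerable"


def read_installed(path: str = "/usr/local/cpanel/version") -> Optional[str]:
    """Read the installed version string, or None if the file is absent.

    The path is an assumption for this example."""
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read().strip()
    except OSError:
        return None


if __name__ == "__main__":
    installed = read_installed()
    # Constructed fallback values for running the example on a non-cPanel host.
    samples = [installed] if installed else ["11.126.0.53", "11.126.0.54", "11.136.1.7", "11.140.0.1"]
    for s in samples:
        print(f"{s}: {assess(s)}")
```

Versions are compared as integer tuples rather than strings, so `11.126.0.54` correctly sorts above `11.126.0.9`, and a version string with only three components is treated as older than every four-component build on its branch.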
Threat landscape & context
CVE-2026-41940 is notable due to the combination of critical severity and confirmed exploitation in the wild, including activity observed prior to the release of patches. Technical details and PoC material are now publicly available and may further increase exploitation attempts.
Given the widespread deployment of cPanel and related technologies, organizations should prioritize visibility into exposed systems and ensure timely remediation.
How Bitsight Threat Intelligence can help
- External Risk Identification: Identify exposed systems that may be affected by CVE-2026-41940
- Threat Monitoring: Track exploit activity and threat trends
- Attack Surface Visibility: Help organizations understand externally exposed assets
- Third-Party Risk Insights: Assess vendor and supply chain exposure
- Actionable Intelligence: Translate technical risk into clear business impact
CVE-2026-41940 is a critical authentication bypass vulnerability with confirmed exploitation in the wild. Organizations using affected cPanel, WHM, and WP Squared versions should prioritize patching, strengthen access controls, and monitor for suspicious activity.
To learn more about CVE-2026-41940 or speak with a Bitsight TI expert, contact us today