April 29, 2026

cPanel and WHM authentication bypass flaw publicly disclosed

At a glance: Researchers disclosed a critical authentication bypass vulnerability in cPanel and WebHost Manager (WHM), widely used web hosting control panels. The flaw allows unauthenticated remote attackers to bypass login and gain access to internet-exposed management interfaces, potentially enabling full control over hosting environments and downstream customer websites. While reports of exploitation have surfaced, they remain unconfirmed by the vendor. 

Threat summary

On April 29, 2026, researchers published technical details describing a critical authentication bypass vulnerability affecting cPanel and WebHost Manager (WHM).

cPanel and WHM are widely used web hosting control panel platforms. WHM provides server-level administrative access, while cPanel is used by individual hosting customers to manage websites, email, domains, and databases. These platforms are common across shared hosting, managed service providers, web agencies, and enterprise environments.

Any organization operating an internet-exposed cPanel or WHM instance on a vulnerable version is affected, including environments where a single server hosts multiple downstream customer websites.

The flaw, tracked as CVE-2026-41940, allows an unauthenticated remote threat actor to bypass the login flow and gain access to cPanel or WHM interfaces exposed to the internet. Successful exploitation provides access to privileged control panel functions, enabling actions such as managing hosting accounts, modifying files and configurations, and interacting with backend services, depending on which interface is reached and the permissions of the account whose session is obtained.

The worst-case scenario would be full compromise of the hosting management plane for affected servers. The vulnerability is rated as Critical, with a CVSS v3.1 score of 9.8, reflecting low attack complexity, no required privileges, and no user interaction.

Some third-party reports reference exploitation around the time of disclosure; the vendor has not independently confirmed active exploitation, so those reports remain unverified.

cPanel issued emergency security updates on April 28, 2026, addressing CVE-2026-41940 across all supported release tracks. Systems running versions prior to the new releases remain vulnerable.

Analysis

Organizations are advised to identify all cPanel and WebHost Manager deployments, verify installed versions, and apply the vendor security updates released on April 28, 2026.

For environments where patching cannot be completed immediately, cPanel and several hosting providers documented interim risk-reduction measures, including restricting external network access to control panel services and limiting exposure at the firewall or network edge until updates are confirmed to be applied.
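As an added illustration of the interim measure described above (not cPanel's own guidance or any hosting provider's published ruleset), the following Python function emits an nftables ruleset that drops traffic to the control panel ports from every source except an administrator allowlist and the loopback interface. The port list is the stock cPanel/WHM/webmail set (2082/2083, 2086/2087, 2095/2096) and is an assumption that the defaults have not been changed on the host; the table name, set names and sample allowlist are invented for the example. Hosts already running a firewall manager (CSF, firewalld) should express the same restriction through that tool instead of loading a second ruleset.

```python
"""Generate an nftables ruleset restricting cPanel/WHM access to an allowlist.

Added example, not vendor code.  Assumptions: control panel listens on the
stock ports below; the host uses nftables directly; the allowlist is supplied
by the operator.  Apply with:  nft -f <file>   (review output first).
"""
import ipaddress

# Stock cPanel (2082/2083), WHM (2086/2087) and webmail (2095/2096) ports.
# Assumption: the deployment has not moved them.
CONTROL_PANEL_PORTS = (2082, 2083, 2086, 2087, 2095, 2096)


def build_nft_ruleset(allowed_sources, ports=CONTROL_PANEL_PORTS):
    """Return nft text that accepts control panel traffic only from allowed_sources.

    allowed_sources: iterable of IPv4/IPv6 addresses or CIDR networks.  Invalid
    entries raise ValueError rather than silently widening or narrowing access.
    An empty allowlist yields a ruleset that blocks the ports for every remote
    source (loopback is always permitted so local tooling keeps working).
    """
    v4, v6 = [], []
    for src in allowed_sources:
        net = ipaddress.ip_network(src, strict=False)  # ValueError on junk input
        (v4 if net.version == 4 else v6).append(str(net))

    port_set = "{ " + ", ".join(str(p) for p in sorted(ports)) + " }"
    out = ["table inet cpanel_guard {"]          # table/set names are invented
    if v4:
        out.append("  set admin_v4 { type ipv4_addr; flags interval; elements = { "
                   + ", ".join(v4) + " } }")
    if v6:
        out.append("  set admin_v6 { type ipv6_addr; flags interval; elements = { "
                   + ", ".join(v6) + " } }")
    out += [
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        '    iif "lo" accept',                      # local admin tooling, health checks
    ]
    if v4:
        out.append(f"    tcp dport {port_set} ip saddr @admin_v4 accept")
    if v6:
        out.append(f"    tcp dport {port_set} ip6 saddr @admin_v6 accept")
    # Everything else destined for the control panel ports is dropped; other
    # services on the host are untouched because the chain policy stays accept.
    out.append(f"    tcp dport {port_set} drop")
    out += ["  }", "}"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Sample allowlist (documentation ranges, constructed for the example).
    print(build_nft_ruleset(["198.51.100.0/24", "2001:db8::/32"]))
```

Because the chain keeps `policy accept`, loading this table only affects the listed ports; confirm afterwards from an address outside the allowlist that the ports no longer answer, and from an allowlisted address that they still do.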

After remediation, review authentication and access logs for unexpected control panel activity, such as privileged WHM actions from source addresses that never completed a normal login.
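The kind of log review described above, as an added example that is not part of the original advisory or of cPanel's tooling. The script flags successful requests to privileged WHM API paths from source addresses that have no successful login in the same log and are outside a trusted management network. The line format is a simplified, constructed stand-in for cPanel's access_log (the real file carries more fields and login success is better confirmed from session_log), the privileged path prefixes and WHM ports are assumptions about a stock install, and the sample log lines are invented.

```python
"""Flag privileged WHM activity with no matching login.  Added example.

Assumed log shape (constructed, simplified from cPanel's access_log):
    ip - user [timestamp] "METHOD path PROTO" status bytes port
"""
import ipaddress
import re

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+) (?P<port>\d+)$'
)
SESSION_PREFIX = re.compile(r"^/cpsess\d+")            # session-token path segment
WHM_PORTS = {"2086", "2087"}                            # stock WHM ports (assumption)
PRIVILEGED_PREFIXES = ("/json-api/", "/xml-api/", "/scripts")  # WHM API paths (assumption)

# Constructed sample data using documentation address ranges.
SAMPLE_LOG = """\
198.51.100.4 - root [29/Apr/2026:09:00:01 +0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 2087
198.51.100.4 - root [29/Apr/2026:09:00:03 +0000] "GET /cpsess7712345/json-api/listaccts HTTP/1.1" 200 1822 2087
203.0.113.7 - root [29/Apr/2026:09:12:40 +0000] "GET /cpsess0000001/json-api/listaccts HTTP/1.1" 200 1822 2087
203.0.113.7 - root [29/Apr/2026:09:12:41 +0000] "POST /cpsess0000001/json-api/createacct HTTP/1.1" 200 410 2087
203.0.113.7 - root [29/Apr/2026:09:12:44 +0000] "GET /cpsess0000001/scripts/command?PFILE=main HTTP/1.1" 200 5100 2087
10.0.0.5 - root [29/Apr/2026:09:30:00 +0000] "GET /cpsess5550000/json-api/version HTTP/1.1" 200 88 2087
203.0.113.7 - alice [29/Apr/2026:09:40:00 +0000] "GET /cpsess1230000/frontend/jupiter/index.html HTTP/1.1" 200 9000 2083
"""


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = SESSION_PREFIX.sub("", rec["path"])   # normalise away the token
    rec["status"] = int(rec["status"])
    return rec


def is_login(rec):
    # In this constructed format a 2xx/3xx on /login is treated as a completed
    # login; on a real host confirm against session_log instead.
    return rec["path"].startswith("/login") and 200 <= rec["status"] < 400


def is_privileged(rec):
    return (rec["port"] in WHM_PORTS
            and rec["path"].startswith(PRIVILEGED_PREFIXES)
            and rec["status"] == 200)


def find_suspicious(lines, trusted_nets=()):
    """Return (ip, user, path) for privileged WHM requests lacking a login.

    Sources inside trusted_nets (management ranges) are skipped so the output
    focuses on addresses that should never reach WHM without a login record.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_nets]
    recs = [r for r in (parse_line(l) for l in lines) if r]
    logged_in = {r["ip"] for r in recs if is_login(r)}
    findings = []
    for r in recs:
        if not is_privileged(r) or r["ip"] in logged_in:
            continue
        if any(ipaddress.ip_address(r["ip"]) in n for n in nets):
            continue
        findings.append((r["ip"], r["user"], r["path"]))
    return findings


if __name__ == "__main__":
    for ip, user, path in find_suspicious(SAMPLE_LOG.splitlines(), trusted_nets=("10.0.0.0/8",)):
        print(f"no login seen for {ip}: user={user} path={path}")
```

The heuristic is deliberately narrow: it says nothing about how the login was bypassed, only that privileged calls arrived from a source with no login of its own, which is the trace a bypass would leave regardless of mechanism. Feed it the period before the update was applied as well as after, since a bypass that predates patching may have left persistent accounts behind.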
