Critical cPanel Security Flaw CVE-2026-41940 – What VPS Owners Need to Know Right Now
If you manage a VPS running cPanel or WHM, you need to read this. A critical authentication bypass vulnerability was disclosed on April 28-29, 2026, and it affects every supported version of cPanel after 11.40. Attackers can bypass login completely and gain full administrative access to your server. No credentials needed.
Hosting providers have already patched their managed servers. If you manage your own cPanel installation, you are exposed until you update. This is not a “patch when convenient” situation. Proof-of-concept exploits are already public, and active exploitation has been confirmed in the wild.
What CVE-2026-41940 Actually Is
CVE-2026-41940 is a critical authentication bypass vulnerability in cPanel & WHM software with a CVSS score of 9.8 out of 10. It allows unauthenticated remote attackers to completely bypass the login process and gain full administrative access to your control panel.
In plain terms: an attacker does not need to know your password. They do not need to brute-force anything. They do not need a leaked credential or a phishing email. They send a specially crafted HTTP request to your cPanel login endpoint, and the system grants them root-level administrative access. They can then take control of every website, database, email account, and configuration on your server.
The vulnerability was patched by cPanel on April 28, 2026, but approximately 1.5 to 2 million cPanel instances are still exposed to the internet. Active exploitation has been confirmed, with reports suggesting attackers may have been using this as a zero-day as early as February 2026 – two months before the public disclosure. Read more about the official advisory on the cPanel blog.
How the Authentication Bypass Works
The flaw is caused by a CRLF (Carriage Return Line Feed) injection in the login and session loading processes of cPanel’s service daemon, cpsrvd. Before authentication happens, cPanel writes a new session file to disk. The vulnerability allows an attacker to manipulate the session cookie by injecting raw \r\n characters through a malicious authorization header.
Here is what happens step by step:
- Before you authenticate, cPanel creates a session file on the server
- The attacker sends a crafted request with CRLF characters in the cookie
- cPanel writes the session file without sanitizing the injected data
- The attacker injects arbitrary session properties such as `user=root` directly into their own session file
- cPanel reads the session file, sees `user=root`, and assumes the session is authenticated
- The attacker now has full administrative access without ever providing valid credentials
The session injection bypasses encryption steps that would normally protect against this type of manipulation. The result is a complete authentication bypass affecting every entry point: cPanel, WHM, Webmail, and Webdisk.
Who Is Affected and Who Is Not
Affected:
- All cPanel & WHM versions after 11.40 – this includes every currently supported version
- DNSOnly installations – even if you only use cPanel for DNS management, you are vulnerable
- WP Squared – the WordPress-optimized cPanel variant
- Self-managed VPS and dedicated servers – if you installed cPanel yourself and manage your own updates, you must patch manually
- Servers with auto-update disabled – if you pinned your cPanel version or disabled automatic updates, you are not protected
Not Affected:
- CloudPanel – completely different software with a different codebase. If you use CloudPanel, you are not affected by this cPanel vulnerability
- Plesk, DirectAdmin, ISPConfig, CyberPanel, Webmin, VestaCP, and other control panels – this is a cPanel-specific flaw
- Managed hosting customers – if your hosting provider manages cPanel updates (InMotion, Namecheap, A2 Hosting, KnownHost, etc.), they have already patched your server
- cPanel versions 11.40 and earlier – technically not affected, but these versions are end-of-life and have other unpatched vulnerabilities. You should still upgrade
If you are running any other VPS control panel like CloudPanel, Plesk, DirectAdmin, or CyberPanel, this vulnerability does not apply to you. This is a cPanel-only issue. If you are considering migrating your website to a different hosting setup or control panel, The Orange Club can help with a smooth transition.
How to Check If You Are Vulnerable
If you manage your own cPanel installation, SSH into your server and run `/usr/local/cpanel/cpanel -V`:
This will return your current cPanel build version. Compare it against the patched versions below. If your version number is lower than the patched version for your release track, you are vulnerable and need to update immediately.
You can also check the WHM dashboard. If you see a red warning banner that says “There is a critical security update to cPanel & WHM”, you are running a vulnerable version.
The Fix: Patched Versions
cPanel released emergency patches for all supported versions. Update to one of the following versions immediately:
- 11.86.0.41
- 11.110.0.97
- 11.118.0.63
- 11.126.0.54
- 11.130.0.19
- 11.132.0.29
- 11.134.0.20
- 11.136.0.5
Additionally, WP Squared version 136.1.7 includes the fix.
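The version check and the patched-build list above, carried through as an added shell example (this is not cPanel's own tooling): it normalises the output of `/usr/local/cpanel/cpanel -V` and compares it with the patched build for the same release track. It assumes the command prints either a dotted `11.X.Y.Z` build or the `X.Y (build Z)` form; anything else, or a track not in the list, yields UNKNOWN.

```shell
#!/bin/sh
# Patched builds from the advisory, one per release track (11.<major>).
PATCHED="11.86.0.41 11.110.0.97 11.118.0.63 11.126.0.54 11.130.0.19 11.132.0.29 11.134.0.20 11.136.0.5"

# Normalise the two output shapes we assume `cpanel -V` can produce,
# "11.110.0.97" or "110.0 (build 97)", to the dotted form "11.110.0.97".
normalize_version() {
    v=$(printf '%s' "$1" | tr -d '\r')
    case "$v" in
        *build*)
            mm=$(printf '%s' "$v" | sed 's/ (build.*//')
            b=$(printf '%s' "$v" | sed 's/.*build \([0-9]*\)).*/\1/')
            printf '11.%s.%s' "$mm" "$b" ;;
        11.*) printf '%s' "$v" ;;
        *) return 1 ;;
    esac
}

# Print the patched build for the installed release track (11.<major>), if any.
patched_for_track() {
    track=$(printf '%s' "$1" | cut -d. -f1-2)
    for p in $PATCHED; do
        case "$p" in "$track".*) printf '%s' "$p"; return 0 ;; esac
    done
    return 1
}

# True when dotted version $1 is >= $2 (numeric compare on each field).
version_ge() {
    top=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | tail -n 1)
    [ "$top" = "$1" ]
}

# Verdict for the raw `cpanel -V` output: PATCHED, VULNERABLE or UNKNOWN.
check_cpanel_version() {
    ver=$(normalize_version "$1") || { echo UNKNOWN; return 0; }
    want=$(patched_for_track "$ver") || { echo UNKNOWN; return 0; }
    if version_ge "$ver" "$want"; then echo PATCHED; else echo VULNERABLE; fi
}

# On the server itself:
#   check_cpanel_version "$(/usr/local/cpanel/cpanel -V)"
```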
How to Update
Run the official cPanel update script with the force flag:
This forces an immediate update to the latest patched version. Once the update completes:
- Verify the new version: `/usr/local/cpanel/cpanel -V`
- Restart the cPanel service: `/scripts/restartsrv_cpsrvd`
The update typically takes 10 to 20 minutes. Your websites remain online during the update, but cPanel/WHM access may be temporarily unavailable. If you need help with server management and software deployment, our team can assist.
Temporary Mitigations If You Cannot Patch Immediately
If you cannot update right now – for example, if you are waiting for a maintenance window or running compatibility tests – you can implement these temporary mitigations to reduce exposure:
1. Block cPanel Ports at the Firewall
Block inbound traffic on the following TCP ports:
- 2083 – cPanel (SSL)
- 2087 – WHM (SSL)
- 2095 – Webmail (SSL)
- 2096 – Webdisk (SSL)
Using UFW:
Using iptables:
This prevents external access to cPanel entirely. You will not be able to log in to the control panel until you re-enable the ports, but your websites will continue to work normally.
2. Disable cPanel Services
Stop the cPanel and DAV services completely:
This shuts down the control panel interface. Your sites stay online, but you cannot access cPanel/WHM until you re-enable the services.
3. Restrict Access to Known IP Addresses
If you need to keep cPanel accessible but want to limit exposure, allowlist only your own IP addresses:
Replace YOUR_IP_ADDRESS with your actual public IP. This allows you to access cPanel while blocking everyone else.
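Mitigations 1 and 3 above expressed with UFW, as an added shell example (these are not the advisory's commands). It assumes UFW is the active firewall on the server; setting UFW=echo turns every function into a dry run that only prints the rules it would add.

```shell
#!/bin/sh
# UFW=echo makes every function a dry run that prints the rules instead.
UFW=${UFW:-ufw}
CPANEL_PORTS="2083 2087 2095 2096"   # cPanel, WHM, Webmail, Webdisk (SSL)

# Mitigation 1: deny all inbound TCP on the four cPanel ports.
block_cpanel_ports() {
    for p in $CPANEL_PORTS; do
        "$UFW" deny in "$p/tcp"
    done
}

# Mitigation 3: keep the panel reachable from one address (or CIDR) only.
# UFW evaluates rules top-down, so the allow is inserted at position 1,
# ahead of the deny; the deny is added first so the rule list is never empty.
allowlist_cpanel() {
    ip=$1
    [ -n "$ip" ] || { echo "usage: allowlist_cpanel YOUR_IP_ADDRESS" >&2; return 2; }
    for p in $CPANEL_PORTS; do
        "$UFW" deny in "$p/tcp"
        "$UFW" insert 1 allow in from "$ip" to any port "$p" proto tcp
    done
}

# After patching: remove the deny rules added above. Allow rules, if any,
# can stay; they only narrow who reaches the panel.
reopen_cpanel_ports() {
    for p in $CPANEL_PORTS; do
        "$UFW" delete deny in "$p/tcp"
    done
}
```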
Important: These mitigations are temporary. They reduce your attack surface but do not fix the vulnerability. You must still apply the official patch as soon as possible.
How to Detect If You Have Already Been Compromised
If your server was exposed before you patched, there is a chance an attacker already exploited the vulnerability. cPanel released a detection script to scan for indicators of compromise.
Run the Detection Script
- Create a new file: `nano /root/check_exploit.sh`
- Paste the detection script from the official cPanel security advisory (available at the cPanel blog)
- Make it executable and run it: `chmod +x /root/check_exploit.sh && /root/check_exploit.sh`
The script scans /var/cpanel/sessions for signs of exploitation, including:
- Sessions containing both `token_denied` and `cp_security_token`
- Pre-authentication sessions with authenticated attributes
- Sessions marked `tfa_verified` without legitimate origin markers
- Multi-line password values indicating session file corruption
If the script returns a CRITICAL or WARNING verdict, your server may be compromised.
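Three of the indicators listed above, reimplemented as an added shell example for offline study. This is not cPanel's detection script, and the session file layout is an assumption: one file per session, one key=value pair per line, with an `origin=` key standing in for the legitimate origin marker. The block builds constructed sample sessions so it runs without a cPanel server.

```shell
#!/bin/sh
# Assumed layout (not verified against cPanel): one file per session,
# one key=value pair per line. Real sessions live under /var/cpanel/sessions.
CR=$(printf '\r')

# Classify one session file: CRITICAL, WARNING or CLEAN.
classify_session() {
    f=$1
    # the advisory lists token_denied and cp_security_token together as an indicator
    if grep -q '^token_denied=' "$f" && grep -q '^cp_security_token=' "$f"; then
        echo CRITICAL; return 0
    fi
    # two-factor marked verified, but no origin marker recorded (assumed key name)
    if grep -q '^tfa_verified=1' "$f" && ! grep -q '^origin=' "$f"; then
        echo WARNING; return 0
    fi
    # a password value ending in a bare CR: the line was split by injected CRLF
    if grep -q "^pass=.*$CR" "$f"; then
        echo WARNING; return 0
    fi
    echo CLEAN
}

# Worst verdict across every file in directory $1 (CRITICAL > WARNING > CLEAN).
scan_sessions() {
    worst=CLEAN
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$(classify_session "$f")" in
            CRITICAL) worst=CRITICAL ;;
            WARNING)  [ "$worst" = CRITICAL ] || worst=WARNING ;;
        esac
    done
    echo "$worst"
}

# Constructed sample sessions (not real cPanel data); prints the directory.
make_samples() {
    d=$(mktemp -d)
    printf 'user=alice\npass=hunter2\norigin=login\ntfa_verified=1\n' > "$d/clean"
    printf 'user=bob\ntoken_denied=1\ncp_security_token=abc123\n' > "$d/both_tokens"
    printf 'user=carol\ntfa_verified=1\n' > "$d/tfa_no_origin"
    printf 'user=dave\npass=x\r\nuser=root\n' > "$d/crlf_pass"
    echo "$d"
}

# On the server itself:  scan_sessions /var/cpanel/sessions
```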
Cleanup Steps If Compromised
If the detection script flags suspicious activity:
- Purge all sessions: `rm -rf /var/cpanel/sessions/*`
- Force password resets: change the root password immediately with `passwd`, then change the passwords of all WHM users through the WHM interface or via the command line
- Audit logs: review `/var/log/wtmp` and the WHM access logs for unauthorized IP addresses and unusual login patterns
- Check for persistence mechanisms: scan for unauthorized SSH keys, new cron jobs, backdoor scripts, or modified system files
- Consider a full security audit: if you find evidence of compromise, assume the attacker had root-level access, and review all configurations, users, and installed software
CloudPanel and Other Control Panels
If you are using CloudPanel, Plesk, DirectAdmin, CyberPanel, ISPConfig, VestaCP, Webmin, or any other VPS control panel, you are not affected by CVE-2026-41940. This is a cPanel-specific vulnerability.
CloudPanel is completely separate software with a different codebase built on NGINX, PHP-FPM, and Node.js. It has no relation to cPanel’s authentication system and is not vulnerable to this flaw.
That said, regardless of which control panel you use, you should still follow general VPS security best practices:
- Keep your operating system and all packages up to date
- Enable and configure your firewall (UFW, iptables, or firewalld)
- Use SSH keys instead of passwords for server access
- Enable two-factor authentication where available
- Restrict control panel access to known IP addresses when possible
- Regularly audit user accounts and remove unused logins
FAQ: cPanel CVE-2026-41940
Is my VPS affected by CVE-2026-41940?
Only if you are running cPanel, WHM, or WP Squared after version 11.40. If you use CloudPanel, Plesk, DirectAdmin, CyberPanel, or any other control panel, you are not affected. If you are unsure, SSH into your server and run /usr/local/cpanel/cpanel -V – if the command is not found, you are not running cPanel.
Do I need to update if my hosting provider manages my server?
Probably not. Most managed hosting providers (Namecheap, InMotion, A2 Hosting, KnownHost, SiteGround, etc.) have already applied the patch across their infrastructure. Check your hosting provider’s status page or support announcements. If you manage your own cPanel installation on a VPS or dedicated server, you must update manually.
Can attackers exploit this remotely?
Yes. This is a remote, unauthenticated exploit. An attacker does not need any access to your server. They can exploit it over the internet by sending a crafted HTTP request to your cPanel login page. This is why the CVSS score is 9.8 – it is trivial to exploit and has maximum impact.
Will updating cPanel break my websites?
No. The update only patches the control panel software. Your websites, databases, email accounts, and configurations are not affected. Websites stay online during the update. The only downtime is for cPanel/WHM access itself, which is typically unavailable for 10 to 20 minutes during the update process.
What if I am running an end-of-life cPanel version?
Versions 11.40 and earlier are technically not vulnerable to CVE-2026-41940, but they are end-of-life and no longer receive security updates. They almost certainly have other unpatched vulnerabilities. You should upgrade to a supported version immediately, which will also include the CVE-2026-41940 patch.
Is there proof-of-concept exploit code available?
Yes. Security firm watchTowr Labs published a technical analysis and proof-of-concept exploit on April 29, 2026. This means any attacker with basic technical skills can now exploit vulnerable servers. The window for “security through obscurity” is closed. If you have not patched yet, assume attackers are actively scanning for and exploiting vulnerable cPanel instances.
Managing a VPS and need infrastructure support?
The Orange Club builds and manages cloud infrastructure, VPS environments, and production systems for businesses in Dubai and the UAE. If you are running into security issues, server configuration problems, or need help auditing your VPS setup, we can help. See what we build or start a conversation.