cPanel & WHM Critical Authentication Bypass (CVE-2026-41940)

The National Vulnerability Database has disclosed a critical authentication bypass vulnerability, CVE-2026-41940, affecting cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5. The flaw sits in the login flow and lets unauthenticated remote attackers gain unauthorized access to the control panel. It carries a CVSS score of 9.8 (CRITICAL).

This isn’t just a bug; it’s a direct route into a server’s control plane. An attacker doesn’t need credentials; they just need to hit the login flow correctly. The impact is complete compromise of the cPanel/WHM instance, leading to full control over hosted websites, databases, and potentially the underlying server itself, depending on configuration and privilege separation. This is a nightmare scenario for hosting providers and anyone running cPanel.

Defenders must prioritize patching. The National Vulnerability Database’s assessment indicates that this vulnerability is highly exploitable, requiring no user interaction or prior authentication. The broad range of affected versions suggests a pervasive issue that requires immediate attention across the cPanel ecosystem.

What This Means For You

  • If your organization uses cPanel or WHM, you need to check your version immediately. Patching to a secure version (11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5 and later) is non-negotiable. This isn't a 'monitor for exploitation' situation; it's a 'patch or get owned' scenario. Audit logs for any unauthorized access attempts prior to patching.

🛡️ Detection Rules

Rule: CVE-2026-41940 cPanel & WHM Authentication Bypass Attempt (level: critical; ATT&CK T1190, Initial Access)

Sigma YAML
title: CVE-2026-41940 cPanel & WHM Authentication Bypass Attempt
id: scw-2026-04-29-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-41940 by looking for POST requests to the cPanel/WHM login endpoint that carry both a user and a password parameter in the query string. A 302 redirect often follows a successful bypass, indicating redirection to a post-login page.
author: SCW Feed Engine (AI-generated)
date: 2026-04-29
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41940/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains: '/login/'
    # both parameters must be present; repeating the same YAML key twice
    # does not express that (the second occurrence silently replaces the first)
    cs-uri-query|contains|all:
      - 'user='
      - 'pass='
    cs-method: 'POST'
    sc-status: '302'
  condition: selection
falsepositives:
  - Legitimate administrative activity

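The selection above (POST to /login/ whose query string carries both user= and pass=, answered by HTTP 302) applied to webserver log lines, as an added example that is not cPanel's or the feed's own code; the W3C log lines are constructed for illustration and the field names follow the rule.

```python
"""Apply the page's Sigma selection (POST to /login/ whose query string
carries both user= and pass=, answered by HTTP 302) to webserver log lines.
Added example, not cPanel's or the feed's own code; the log lines are
constructed for illustration and the field names follow the rule."""
from typing import Dict, Iterator, List

# Constructed sample log in W3C extended format. The "#Fields:" header names
# the columns exactly as the Sigma rule does (cs-uri, cs-uri-query, ...).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri cs-uri-query sc-status
2026-04-29 19:20:01 203.0.113.7 POST /login/ user=admin&pass=REDACTED 302
2026-04-29 19:20:05 203.0.113.7 GET /login/ - 200
2026-04-29 19:20:09 198.51.100.4 POST /login/ user=admin&pass=REDACTED 401
2026-04-29 19:20:12 198.51.100.4 POST /login/ user=admin 302
2026-04-29 19:20:15 192.0.2.9 POST /frontend/index.html - 302
"""


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the #Fields header.
    W3C logs write '-' for an empty field; it is normalised to ''."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield {k: ("" if v == "-" else v) for k, v in zip(fields, values)}


def selection_matches(rec: Dict[str, str]) -> bool:
    """The rule's single selection: every clause must hold (Sigma ANDs the
    keys of one selection; the two query checks form a contains|all)."""
    return (
        "/login/" in rec.get("cs-uri", "")
        and all(p in rec.get("cs-uri-query", "") for p in ("user=", "pass="))
        and rec.get("cs-method") == "POST"
        and rec.get("sc-status") == "302"
    )


def find_hits(log_text: str) -> List[Dict[str, str]]:
    """Return the records that trigger the rule. They are triage candidates,
    not confirmed exploitation: a legitimate login produces the same shape."""
    return [rec for rec in parse_w3c(log_text) if selection_matches(rec)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(f"{hit['date']} {hit['time']} {hit['c-ip']} -> review this login")
```

Standard webserver logs record the query string but not the POST body, so the rule only sees parameters that appear in the URI, and it fires on every successful legitimate login; correlate hits with source address, time of day and whether the host was still on a vulnerable version.
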
Indicators of Compromise

ID              Type         Indicator
CVE-2026-41940  Auth Bypass  cPanel & WHM versions prior to 11.110.0.97
CVE-2026-41940  Auth Bypass  cPanel & WHM versions prior to 11.118.0.63
CVE-2026-41940  Auth Bypass  cPanel & WHM versions prior to 11.126.0.54
CVE-2026-41940  Auth Bypass  cPanel & WHM versions prior to 11.132.0.29
CVE-2026-41940  Auth Bypass  cPanel & WHM versions prior to 11.134.0.20

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: April 29, 2026 at 19:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
