CVSS 10.0 cPanel Authentication Bypass: CVE-2026-41940
No credentials. No patch (for some). 70 million domains exposed. Your cPanel server already has a backdoor; you just haven’t checked.
Meet CVE-2026-41940: an unauthenticated authentication bypass in cPanel & WHM that gives attackers root WHM access via a 4-stage CRLF injection chain. The exploit is public. The scanning has started. If you’re running cPanel, assume you’re compromised until proven otherwise.
The vulnerability was patched in late April 2026, but ~70 million domains were vulnerable at disclosure. Attackers are actively scanning for unpatched cPanel installations. The exploit tool cPanelSniper has 429 GitHub stars and works in seconds.
Your window to patch closed weeks ago.
The Vulnerability: CRLF Injection in Session Files
The root cause lives in Session.pm. The saveSession() function calls filter_sessiondata() after writing the session file to disk. This means CRLF characters embedded in the Authorization: Basic header value are written verbatim into the session file, injecting attacker-controlled fields before sanitization ever runs.
The CRLF Payload
The Authorization: Basic value decodes to:
These fields are written directly into the session file. When read back, cPanel treats the session as a fully authenticated root session: no password, no 2FA, no questions asked.
The 4-Stage Exploit Chain
- GET /openid_connect/cpanelid → 307 redirect → real hostname extracted
- POST /login/?login_only=1 (wrong credentials) → returns whostmgrsession cookie + pre-auth token.
- GET / + Cookie: session + Authorization: Basic <payload>: cpsrvd writes the CRLF payload into the session file → returns 307 with a new /cpsessXXXXXXXXXX/ token.
- GET /scripts2/listaccts triggers the internal do_token_denied handler → flushes raw session data into the session cache.
- GET /cpsessXXXXXXXXXX/json-api/version → 200 OK with version data. PWNED.
After Stage 2, the poisoned session data exists only in the raw session file. Without Stage 3, Stage 4 returns a 403. The /scripts2/listaccts request fires the internal do_token_denied handler, which flushes the raw data into the session cache, making the injection active.
Affected Versions & Patches
| Branch | Vulnerable | Patched |
|---|---|---|
| 110.x | ≤ 11.110.0.96 | 11.110.0.97 |
| 118.x | ≤ 11.118.0.62 | 11.118.0.63 |
| 126.x | ≤ 11.126.0.53 | 11.126.0.54 |
| 132.x | ≤ 11.132.0.28 | 11.132.0.29 |
| 134.x | ≤ 11.134.0.19 | 11.134.0.20 |
| 136.x | ≤ 11.136.0.4 | 11.136.0.5 |
If you are running any version older than these, you are vulnerable to unauthenticated root compromise.
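A quick way to turn the table above into a check is to compare the installed version tuple against the first patched build of its branch. The script below is an added example, not cPanel's or the author's tooling; it assumes the running version is stored in /usr/local/cpanel/version (a path assumed here, verify on your host) and treats branches newer than the table as "unknown" rather than guessing.

```python
# Added example (not cPanel's own tooling): classify an installed cPanel & WHM
# version against the first patched build of each branch in the table above.
from typing import Tuple

# branch -> first patched version, transcribed from the advisory table
FIRST_PATCHED = {
    110: (11, 110, 0, 97),
    118: (11, 118, 0, 63),
    126: (11, 126, 0, 54),
    132: (11, 132, 0, 29),
    134: (11, 134, 0, 20),
    136: (11, 136, 0, 5),
}
OLDEST_LISTED_BRANCH = min(FIRST_PATCHED)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '11.118.0.62' into (11, 118, 0, 62); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected cPanel version string: {text!r}")
    major, branch, minor, build = (int(p) for p in parts)
    return major, branch, minor, build


def assess(version_text: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for CVE-2026-41940."""
    version = parse_version(version_text)
    branch = version[1]
    if branch in FIRST_PATCHED:
        # Tuple comparison is lexicographic, so 11.118.0.62 < 11.118.0.63.
        return "patched" if version >= FIRST_PATCHED[branch] else "vulnerable"
    if branch < OLDEST_LISTED_BRANCH:
        # The advisory states that every older version is vulnerable.
        return "vulnerable"
    # A branch newer than the table is not covered here; check the vendor notes.
    return "unknown"


def assess_local(path: str = "/usr/local/cpanel/version") -> str:
    """Read the version file (assumed location) and classify it."""
    with open(path, encoding="utf-8") as fh:
        return assess(fh.read())


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(assess(sys.argv[1]))   # e.g. python3 check.py 11.118.0.62
    else:
        print(assess_local())
```

Run it with a version string as the argument to test against the table, or with no arguments on the server itself.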
The exploit tool cPanelSniper requires no dependencies: pure Python stdlib. It can be run from any compromised machine, shared hosting account, or disposable VPS. Attackers are using Shodan dorks (title:"WHM Login" port:2087) to find targets and scanning thousands per minute. Your cPanel server is being probed right now.
Post-Exploit Capabilities (What Attackers Can Do)
Once an attacker gains root WHM access, they can:
- List all cPanel accounts: harvest customer domains, email addresses, and user data
- Execute OS commands as root: install backdoors, crypto miners, or ransomware
- Create backdoor WHM admins: persistent access even after patching
- Change root password: lock you out of your own server
- Read any file: /etc/passwd, configuration files, database dumps, customer data
- Download entire websites: source code, customer databases, API keys
What You Need To Do Right Now
1. Patch Immediately
Target versions: 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, 11.136.0.5 or higher.
2. Check for Existing Compromise
- Audit WHM logs for unexpected /scripts2/listaccts calls
- Review /var/cpanel/sessions/raw/ for suspicious session files
- Check for newly created WHM admin accounts (via whmapi1 listusers)
- Scan for unauthorized SSH keys in /root/.ssh/authorized_keys
- Review /var/log/secure and /var/log/messages for unusual activity
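The first audit item is the most specific one: a legitimate WHM session calls listaccts under its /cpsessXXXXXXXXXX/ token, while the chain above hits the bare, token-less /scripts2/listaccts path to trigger do_token_denied. The scanner below is an added example, not part of the original post, that reads access-log lines in a combined-log-style format (the sample lines are constructed; the real cPanel access log is assumed to live at /usr/local/cpanel/logs/access_log, verify the format on your host). It flags every token-less listaccts request and upgrades the finding when the same client issued a failed login_only POST shortly before and a /cpsess…/json-api/version request shortly after.

```python
# Added example (not cPanel's own tooling): correlate access-log lines for the
# token-less /scripts2/listaccts request that activates the poisoned session.
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TOKEN_RE = re.compile(r'^/cpsess\d+/')   # session-token path prefix

# Constructed sample log: one client running the chain, one ordinary admin.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/May/2026:10:14:01 +0000] "GET /openid_connect/cpanelid HTTP/1.1" 307 0',
    '203.0.113.7 - - [02/May/2026:10:14:02 +0000] "POST /login/?login_only=1 HTTP/1.1" 401 0',
    '203.0.113.7 - - [02/May/2026:10:14:03 +0000] "GET / HTTP/1.1" 307 0',
    '203.0.113.7 - - [02/May/2026:10:14:04 +0000] "GET /scripts2/listaccts HTTP/1.1" 403 0',
    '203.0.113.7 - - [02/May/2026:10:14:05 +0000] "GET /cpsess0123456789/json-api/version HTTP/1.1" 200 512',
    '198.51.100.20 - - [02/May/2026:09:00:00 +0000] "POST /login/?login_only=1 HTTP/1.1" 200 0',
    '198.51.100.20 - - [02/May/2026:09:05:00 +0000] "GET /cpsess9876543210/scripts2/listaccts HTTP/1.1" 200 4096',
]


def parse_line(line: str) -> Optional[dict]:
    """Extract client IP, timestamp, method, path and status from one log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def strip_token(path: str) -> str:
    """'/cpsess123/json-api/version' -> '/json-api/version'."""
    return TOKEN_RE.sub("/", path)


def find_suspicious(lines: List[str], window_seconds: int = 300) -> List[dict]:
    """Return one finding per token-less /scripts2/listaccts request."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            # Only the bare path (no /cpsessNNN/ prefix) reaches do_token_denied.
            if ev["method"] != "GET" or ev["path"].split("?")[0] != "/scripts2/listaccts":
                continue
            finding = {"ip": ip, "at": ev["ts"].isoformat(),
                       "reason": "token-less /scripts2/listaccts"}
            login_before = any(
                e["method"] == "POST" and "login_only=1" in e["path"]
                and 0 <= (ev["ts"] - e["ts"]).total_seconds() <= window_seconds
                for e in events[:i]
            )
            version_after = any(
                e["method"] == "GET" and TOKEN_RE.match(e["path"])
                and strip_token(e["path"]) == "/json-api/version"
                and 0 <= (e["ts"] - ev["ts"]).total_seconds() <= window_seconds
                for e in events[i + 1:]
            )
            if login_before and version_after:
                finding["reason"] = "full CVE-2026-41940 chain pattern"
            findings.append(finding)
    return findings


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1], encoding="utf-8") if len(sys.argv) > 1 else SAMPLE_LOG
    for f in find_suspicious(list(source)):
        print(f)
```

Pass the real log path as the first argument; with no arguments it runs over the constructed sample and reports only 203.0.113.7. A 403 on the bare listaccts request is expected even on a patched host, so the chain correlation, not the status code, is what separates an attack from noise.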
3. If You Can’t Patch Immediately: Mitigation
- Restrict WHM/cPanel access to trusted IPs only (/etc/cpanel/access-hosts)
- Block ports 2087 and 2086 from the public internet (use a VPN or jump host)
- Monitor for the exploit pattern (CRLF in Authorization header) via WAF or IDS
- Set up canary tokens on WHM login pages to detect scanning
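The WAF/IDS item above and the root-cause description (filter_sessiondata() running after the write) come down to the same rule: a Basic credential must never contain CR, LF or NUL, and a line-oriented session store must validate fields before anything touches disk. The code below is an added example, not cPanel's Session.pm or any vendor code; the key=value session format is constructed for illustration, and the sample headers are built inline.

```python
# Added example: request-level check for CRLF in an Authorization: Basic value
# (the pattern the mitigation section says to watch for) and a session writer
# that validates fields BEFORE serialising them. Neither is cPanel code; the
# key=value session format below is constructed for illustration.
import base64
import binascii

CONTROL_CHARS = ("\r", "\n", "\0")


def inspect_authorization(header_value: str) -> dict:
    """Decode an 'Authorization: Basic <b64>' value and report whether it is safe.

    Returns {"ok": bool, "reason": str, "user": str | None}. Credentials carrying
    CR, LF or NUL are refused: a line-oriented session store would otherwise
    persist them as extra records.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return {"ok": False, "reason": "not a Basic credential", "user": None}
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        return {"ok": False, "reason": f"malformed base64: {exc}", "user": None}
    if any(c in raw for c in CONTROL_CHARS):
        return {"ok": False,
                "reason": "control characters in credential (CRLF injection pattern)",
                "user": None}
    user, sep, _password = raw.partition(":")
    if not sep:
        return {"ok": False, "reason": "missing ':' separator", "user": None}
    return {"ok": True, "reason": "", "user": user}


def serialise_session(fields: dict) -> str:
    """Validate, then serialise. Filtering after the write (the bug described
    above) leaves the poisoned record on disk; here nothing is produced unless
    every key and value is clean."""
    for key, value in fields.items():
        text = f"{key}{value}"
        if any(c in text for c in CONTROL_CHARS) or "=" in key:
            raise ValueError(f"refusing unsafe session field {key!r}")
    return "".join(f"{k}={v}\n" for k, v in fields.items())


def save_session(path: str, fields: dict) -> None:
    """Write only after validation has passed."""
    data = serialise_session(fields)   # raises before anything touches disk
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(data)


def session_is_storable(fields: dict) -> bool:
    """Convenience predicate around serialise_session."""
    try:
        serialise_session(fields)
        return True
    except ValueError:
        return False


# Constructed sample headers: a normal credential and one carrying CRLF.
GOOD_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode()
BAD_HEADER = "Basic " + base64.b64encode(b"alice:x\r\ninjected=1").decode()


if __name__ == "__main__":
    for header in (GOOD_HEADER, BAD_HEADER):
        print(inspect_authorization(header))
```

At the edge, the same decode-and-inspect step can be expressed as a WAF rule that rejects any Basic token whose decoded bytes contain 0x0D, 0x0A or 0x00; the point of doing it on the decoded value is that the raw base64 string looks perfectly ordinary.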
WARNING: These are temporary mitigations. The only complete fix is the patch.
CVE-2026-41940 is a 10-out-of-10 severity vulnerability with a public exploit. If your cPanel server is unpatched, assume it’s compromised.
Patch now. Audit your logs. Check for backdoor accounts. And if you don’t know where to start, call someone who does.
How a Pentest Would Have Caught This
Before the patch was released, a comprehensive penetration test would have:
- Discovered the vulnerable cPanel version during fingerprinting
- Tested the CRLF injection path (even without a public exploit)
- Demonstrated the full 4-stage chain in a controlled environment
- Delivered a report with specific remediation steps before attackers weaponized it
The patch was available on April 30. If you were on a security retainer, you would have known about this vulnerability by May 1, not after scanning started.
Don’t wait for the next CVSS 10.0 to find you.
Full infrastructure pentest: €3,000. Website pentest: €299 to €1,499. Security retainer: €1,500/month.
DM @StackOfTruths on X. Free 15-min consultation. No hard sell. Just honest answers about your exposure.