May 3, 2026

Threat Brief: CVE-2026-41940: Critical cPanel & WHM Authentication Bypass Actively Exploited in the Wild

Dr. Guy Waizel, Roei Kriger


Executive Summary 

CVE-2026-41940 is a critical authentication bypass vulnerability in cPanel & WHM, including DNSOnly, and WP Squared. The issue affects cPanel software versions after 11.40 and can allow an unauthenticated remote attacker to gain unauthorized access to exposed hosting control panels. cPanel released patched versions and published official remediation and detection guidance.

Cato has observed exploitation attempts in the wild and has virtually patched customers through IPS protections delivered across the Cato Cloud Platform. Because cPanel and WHM often manage websites, domains, databases, email, DNS, and server configuration, successful exploitation can affect hosting providers, website owners, and organizations that rely on hosted web assets. Cato is sharing observed indicators with the industry to help defenders identify and respond to related activity.

Why This Vulnerability Matters 

cPanel and WHM are positioned at a high-value control point in the hosting ecosystem. WHM is commonly used for server-level administration, while cPanel is often used by website owners, resellers, developers, and managed hosting customers. A single vulnerable WHM server may manage many domains and customer environments, which makes the potential blast radius much larger than a compromise of one standalone website.

The direct impact includes unauthorized administrative access, modification of hosted content, access to databases and email accounts, creation of new users, deployment of web shells, persistence through cron jobs or SSH keys, and disruption of hosted services. For hosting providers, this can become a multi-tenant incident. For website owners, it can mean website defacement, data exposure, malware injection, domain abuse, or loss of control over production assets.

The indirect impact can continue after the initial server compromise. Attackers can turn trusted hosted domains into infrastructure for phishing, malware staging, JavaScript injection, SEO poisoning, fake login portals, redirect chains, and credential theft. AI-enabled automation can accelerate this phase. Attackers can use generative AI to quickly produce localized phishing pages, brand-matched scam content, fake support flows, convincing email lures, and many variations of malicious landing pages across compromised domains. The vulnerability itself is not AI-related, but AI can help attackers scale post-compromise abuse faster and with more convincing content.

The potential exposure is significant. Rapid7 noted that a broad Shodan query returned approximately 1.5 million internet-exposed cPanel instances that may be relevant to the affected attack surface.

Technical Details and Timeline 

CVE-2026-41940 is an authentication bypass in cPanel & WHM session handling. cPanel describes the issue as affecting all cPanel software versions after 11.40, including DNSOnly, and has released patched versions for multiple supported branches. WP Squared was also patched in version 136.1.7.

The U.S. National Vulnerability Database lists CVE-2026-41940 as Critical, with CNA-provided severity scores of CVSS v3.1: 9.8 and CVSS v4.0: 9.3. The NVD record maps the vulnerability to CWE-306: Missing Authentication for Critical Function.

Based on our analysis of observed exploitation attempts, we identified four main stages in the attack flow:

  • Session creation through a failed login attempt:
    The attacker initiates a login attempt against the /login/?login_only=1 endpoint. Although authentication fails, the server still creates a pre-authentication (pre-auth) session and returns a whostmgrsession cookie. This cookie maps to a session file on the server.
  • Session reuse and malformed session handling:
    The attacker reuses the session identifier in the Cookie header and manipulates the session value in a way that affects how the server parses the session data. Public analysis notes that removing a specific encoded comma, %2c, is part of the exploit chain.
  • Injection of attacker-controlled session attributes:
    The attacker sends Base64-encoded data in the Authorization header. Once decoded, the data contains newline characters, such as \r\n, and key-value pairs that can be written into the server-side session file. This enables the attacker to introduce authentication-related attributes into a session that should still be unauthenticated.
  • Session reload and authentication bypass:
    The attacker sends a follow-up request that causes the server to read the modified session file. Because the injected attributes are interpreted as part of the session state, the attacker may gain unauthorized access to the cPanel or WHM control panel without valid credentials.
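To make stages two through four concrete, the following is an added Python model written for this brief. It is not cPanel's code and does not reproduce cPanel's real session-file format; it is a deliberately simplified line-oriented key=value store whose writer emits a submitted value verbatim, shown beside a hardened writer that refuses control characters. The field names reuse the vendor-documented indicator names from the IOC table so the result matches what the detection guidance flags; the Authorization scheme, the record layout and the injected attributes are constructed for illustration, and the %2c handling noted above is not modeled.

```python
"""
Simplified model of newline injection into a line-oriented session store.

Added example for this brief: this is NOT cPanel's code and does not
reproduce its real session-file format. It only demonstrates the failure
class the attack flow describes: a value written verbatim into a
"key=value\\n" record and later parsed line by line lets the sender smuggle
extra keys into the session. Field names reuse the vendor-documented
indicator names so the result matches what the detection guidance flags;
the header payload and values are constructed for illustration.
"""
import base64
import re
from typing import Dict

# CR, LF, NUL and other control characters have no place in a stored value:
# CR/LF break the record format, the rest are never legitimate here.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def serialize_unsafe(fields: Dict[str, str]) -> str:
    """Vulnerable writer: every value is emitted verbatim."""
    return "".join(f"{k}={v}\n" for k, v in fields.items())


def serialize_safe(fields: Dict[str, str]) -> str:
    """Hardened writer: refuse keys or values that carry control characters."""
    for k, v in fields.items():
        if _CONTROL.search(k) or "=" in k or _CONTROL.search(v):
            raise ValueError(f"refusing to store control characters under {k!r}")
    return "".join(f"{k}={v}\n" for k, v in fields.items())


def parse_session(text: str) -> Dict[str, str]:
    """Line-oriented reader: the first '=' splits key from value; later keys win.

    splitlines() treats \\r\\n, \\r and \\n alike, which is exactly why an
    injected CRLF inside a value becomes a fresh record on the way back in.
    """
    session: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            session[key] = value
    return session


def decode_authorization(header_value: str) -> str:
    """Return the decoded Base64 payload of an Authorization header, scheme ignored."""
    payload = header_value.split(" ", 1)[1] if " " in header_value else header_value
    return base64.b64decode(payload).decode("latin-1")


def failed_login_record(password: str, safe: bool) -> str:
    """Model of the pre-auth record a failed login leaves behind (our assumption,
    not cPanel's layout): the submitted password plus a badpass origin marker."""
    fields = {"user": "root", "pass": password, "origin_as_string": "method=badpass"}
    return (serialize_safe if safe else serialize_unsafe)(fields)


# Constructed attacker input: the decoded credential carries CRLF followed by
# attributes the reader will accept as session state.
INJECTED = "x\r\ntfa_verified=1\r\nsuccessful_external_auth_with_timestamp=1"
AUTH_HEADER = "Basic " + base64.b64encode(INJECTED.encode()).decode()


def demo():
    """Run the constructed payload through both writers."""
    submitted = decode_authorization(AUTH_HEADER)
    vulnerable = parse_session(failed_login_record(submitted, safe=False))
    try:
        failed_login_record(submitted, safe=True)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True
    return vulnerable, hardened_rejected


if __name__ == "__main__":
    parsed, rejected = demo()
    print("vulnerable store reloaded as:", parsed)
    print("hardened writer rejected the value:", rejected)
```

Running the block shows the reloaded session from the vulnerable writer carrying tfa_verified and successful_external_auth_with_timestamp that were never set by the application, and a multi-line pass= value in the file on disk, which is why those three artifacts appear in the vendor's indicator list. The hardened writer is the minimal fix for this class of bug: validate values before they reach a line-delimited store rather than trusting the reader to cope.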

cPanel's temporary mitigation guidance references blocking inbound traffic to ports 2083 (cPanel over TLS), 2087 (WHM over TLS), 2095, and 2096 (Webmail) when immediate patching is not possible. This guidance remains the primary vendor-recommended temporary mitigation. In Cato telemetry, we also observed exploitation attempts involving cPanel and WHM services on additional exposed ports, likely reflecting non-standard service exposure or environment-specific configurations. This reinforces the importance of following cPanel's remediation guidance, validating external exposure, and applying layered protection through IPS while patching is completed.

Timeline

April 28, 2026: cPanel published the initial advisory for CVE-2026-41940.

April 28, 2026: cPanel updated the advisory to include patched versions and mitigation changes.

April 29, 2026: cPanel added required actions and a detection script for session-file indicators.

April 29, 2026: NVD published the CVE record, including CNA-provided CVSS scores and CWE mapping.

April 30, 2026: Cloudflare issued an emergency WAF release for CVE-2026-41940.

April 30, 2026: Cato observed exploitation attempts in the wild and protected customers through IPS virtual patching.

Cato Protection 

Cato released IPS signatures to detect and block exploitation attempts targeting CVE-2026-41940. Cato customers are protected against this attack through IPS virtual patching delivered across the Cato Cloud Platform.

Indicators of Compromise

Vendor-Documented Indicators

cPanel's detection guidance focuses on suspicious artifacts in:

/var/cpanel/sessions

Indicator type: Description
Session artifact: Session file contains both token_denied and cp_security_token
Suspicious origin: Session includes origin_as_string with method=badpass
Authenticated pre-auth session: Pre-auth session contains successful_external_auth_with_timestamp
2FA anomaly: Session contains tfa_verified=1 without an expected valid origin
Session corruption: Session file contains multi-line pass= values
Post-compromise artifacts: Unexpected WHM users, SSH keys, cron jobs, backdoors, root-level processes, or modified hosted files

cPanel's advisory includes a local detection script and sample output showing exploitation artifacts in session files. Administrators should use the vendor script as part of compromise assessment and not rely only on network indicators.
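As an added triage helper (our code for this brief, not cPanel's detection script, which remains the authoritative check), the Python below scans a sessions tree for the indicators in the table above and reports which ones fired per file. Three things are our assumptions rather than vendor statements: pre-auth sessions are recognised by a "preauth" path component, a "valid origin" is an origin_as_string that exists and does not carry method=badpass, and a multi-line pass= value is detected either as a raw carriage return inside the line or as a following line that is not key=value. The sample records are constructed placeholders, not real captures.

```python
"""
Triage helper for the vendor-documented session-file indicators.

Added example for this brief: our code, not cPanel's detection script,
which remains the authoritative check. Assumptions (ours, not the vendor's):
pre-auth sessions live under a 'preauth' path component; a "valid origin" is
an origin_as_string that exists and is not method=badpass; a multi-line
pass= value shows up as a raw CR in the line or a following non key=value
line. Sample records below are constructed placeholders.
"""
import os
import re
import tempfile
from typing import Dict, List

KEY_LINE = re.compile(r"^[A-Za-z0-9_]+=")


def _values(text: str, key: str) -> List[str]:
    """All values stored under key (a key may legitimately or not appear twice)."""
    pattern = re.compile(rf"^{re.escape(key)}=(.*)$", re.M)
    return [m.group(1).rstrip("\r") for m in pattern.finditer(text)]


def find_indicators(text: str, preauth: bool) -> List[str]:
    """Return the vendor-documented indicators present in one session file."""
    hits: List[str] = []
    if _values(text, "token_denied") and _values(text, "cp_security_token"):
        hits.append("token_denied together with cp_security_token")
    origins = _values(text, "origin_as_string")
    if any("method=badpass" in o for o in origins):
        hits.append("origin_as_string with method=badpass")
    if preauth and _values(text, "successful_external_auth_with_timestamp"):
        hits.append("successful_external_auth_with_timestamp in pre-auth session")
    if "1" in _values(text, "tfa_verified"):
        if not origins or any("method=badpass" in o for o in origins):
            hits.append("tfa_verified=1 without a valid origin")
    # Split on LF only so a stray CR stays visible inside the line.
    lines = text.split("\n")
    for i, line in enumerate(lines):
        if line.startswith("pass="):
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            if "\r" in line or (nxt and not KEY_LINE.match(nxt)):
                hits.append("multi-line pass= value")
                break
    return hits


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Walk a sessions tree (e.g. /var/cpanel/sessions) and map file -> indicators."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        preauth = "preauth" in dirpath.split(os.sep)  # assumption, see docstring
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                # newline="" disables newline translation so CRs survive reading
                with open(path, encoding="utf-8", errors="replace", newline="") as fh:
                    text = fh.read()
            except OSError:
                continue
            hits = find_indicators(text, preauth)
            if hits:
                findings[path] = hits
    return findings


# Constructed sample records (placeholders, not real captures).
BENIGN = (
    "user=alice\n"
    "cp_security_token=/cpsess0123456789\n"
    "origin_as_string=method=form_login,address=203.0.113.5\n"
)
SUSPICIOUS = (
    "user=root\n"
    "pass=x\r\ntfa_verified=1\r\nsuccessful_external_auth_with_timestamp=1\n"
    "token_denied=1\n"
    "cp_security_token=/cpsessABCDEF\n"
    "origin_as_string=method=badpass,address=198.51.100.7\n"
)


def demo() -> Dict[str, List[str]]:
    """Write the samples into a temporary sessions tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "preauth"))
        with open(os.path.join(root, "benign"), "w", newline="") as fh:
            fh.write(BENIGN)
        with open(os.path.join(root, "preauth", "suspicious"), "w", newline="") as fh:
            fh.write(SUSPICIOUS)
        return {os.path.relpath(p, root): h for p, h in scan_directory(root).items()}


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path)
        for h in hits:
            print("  -", h)
```

Point scan_directory at the real sessions tree as root on a host under review; the benign sample produces no findings while the constructed suspicious record trips all five table rows. Treat any hit as a reason to run the vendor script and the post-compromise checks (unexpected WHM users, SSH keys, cron jobs, processes, modified files), not as a verdict on its own.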

Cato-Detected IOCs

Cato has observed exploitation attempts against CVE-2026-41940. The activity was primarily associated with source infrastructure geolocated to Ireland, Japan, and the United States, and linked to ASNs associated with DigitalOcean, Amazon, and Latitude.sh.

The indicators below are shared to help defenders identify related activity and strengthen detection beyond vendor-documented host artifacts. Because attacker infrastructure can change quickly, these IOCs should be used together with behavioral detection, session-file review, and the vendor-provided compromise checks.

IP addresses

24[.]144[.]95[.]61
146[.]190[.]146[.]169
134[.]199[.]225[.]24
108[.]131[.]133[.]224
104[.]234[.]140[.]30
104[.]234[.]140[.]28
104[.]234[.]140[.]18
104[.]234[.]140[.]13

Dr. Guy Waizel

Tech Evangelist

Dr. Guy Waizel is a Tech Evangelist at Cato Networks and a member of Cato CTRL. As part of his role, Guy collaborates closely with Cato's researchers, developers, and tech teams to bridge and evangelize tech by researching, writing, presenting, and sharing key insights, innovations, and solutions with the broader tech and cybersecurity community. Prior to joining Cato in 2025, Guy led and evangelized security efforts at Commvault, advising CISOs and CIOs on the company's entire security portfolio. Guy also worked at TrapX Security (acquired by Commvault) in various hands-on and leadership roles, including support, incident response, forensic investigations, and product development. Guy has more than 25 years of experience spanning across cybersecurity, IT, and AI, and has held key roles at tech startups acquired by Philips, Stanley Healthcare, and Verint. Guy holds a PhD with magna cum laude honors from Alexandru Ioan Cuza University, his research thesis focused on the intersection of marketing strategies, cloud adoption, cybersecurity, and AI; an MBA from Netanya Academic College; a B.Sc. in technology management from Holon Institute of Technology; and multiple cybersecurity certifications.

Roei Kriger

Security Engineer

Roei Kriger is a security engineer at Cato Networks and a member of Cato CTRL. He analyzes, researches, and develops protections against emerging threats and CVEs. Roei brings more than 3 years of experience in cybersecurity threat protection. Prior to joining Cato in 2023, Roei worked at IBM Trusteer as a cyber software developer. Roei holds a Bachelor of Science in Information Systems from Haifa University.
