cPanel disclosed a critical authentication bypass vulnerability (CVE-2026-41940) affecting all currently supported versions of cPanel and WebHost Manager (WHM) on April 28, 2026. The flaw allows unauthenticated attackers to bypass login mechanisms and gain administrative control over web hosting servers.

‍Critical context: Active exploitation was confirmed in the wild before the official patch became available. Multiple hosting providers (Namecheap, KnownHost, HostPapa, InMotion, hosting.com) blocked access to cPanel and WHM ports at the network level within hours of the advisory. The vulnerability affects all supported versions and many end-of-life releases. 

Vulnerability Overview

• Vulnerability Type: Authentication bypass in login authentication paths
• Affected Products: cPanel and WebHost Manager (WHM), all currently supported versions and many end-of-life releases
• Exploitation Status: Actively exploited in the wild
• Patch Availability: Emergency patches released April 28, 2026, approximately 2-3 hours after advisory

Affected Versions and Patches

cPanel released emergency security updates listed below. Verify your version immediately and apply one of the following patches:

• 11.110.0.97
• 11.118.0.63
• 11.126.0.54
• 11.132.0.29
• 11.134.0.20
• 11.136.0.5

Why this matters: cPanel can manage the entire server

cPanel acts as a central management tool for web hosting infrastructure, handling everything from email routing to database management. When cPanel is compromised, attackers potentially gain:

• Administrative access to individual customer hosting accounts via cPanel
• Root-level access to the entire server via WHM (WebHost Manager)
• Control over all websites, databases, and email accounts on that server
• Ability to deploy malware, steal data, or launch secondary attacks using the server as a pivot point

If an attacker successfully bypasses the authentication mechanisms, they could potentially gain administrative privileges. This level of access allows them to deploy malware, steal sensitive customer data, or launch secondary attacks against other networks using the compromised infrastructure.

Timeline and response

cPanel disclosed the vulnerability on April 28, 2026. Within hours, hosting industry providers acted with unusual speed. Within hours of the advisory going public, hosting providers across the industry took cPanel and WHM access offline globally. hosting.com, Namecheap, KnownHost, HostPapa, and InMotion Hosting all blocked cPanel ports at the network level while awaiting the patch.

The industry's rapid response reflects genuine urgency. Active exploits were confirmed in the wild before the patch was released. This means threat actors had working exploitation code circulating during the patch development window. cPanel released a fix approximately 2-3 hours after the public advisory.

Attack surface and supply chain risk

This is a supply chain vulnerability because many organizations do not directly manage cPanel themselves; instead, they rely on hosting providers. If the hosting provider is slow to patch, or if legacy infrastructure is left unpatched, the compromise window extends across multiple layers: the hosting provider's servers, every customer website, every customer database, every customer email account.

The attack surface is not confined to security teams who actively monitor cPanel. It includes any organization using shared hosting, reseller hosting, or managed hosting where cPanel is the underlying control panel.

Detection and hunting

Organizations using cPanel or WHM should immediately audit access logs for the period between April 28, 2026 (when the advisory was published) and when patching was completed. Hunt for:

Suspicious login attempts or successful authentications that do not correspond to known legitimate users. Authentication logs should show any access to cPanel or WHM interfaces during the vulnerability window. 

Check WHM access logs for unusual administrative activity such as user account creation, configuration changes, or data export operations. Review cPanel user account logs for profile modifications or new accounts created by unauthorized users. Inspect file system logs and web server access logs for signs of post-compromise activity such as shell uploads, backdoor installation, or data exfiltration.

Review server access logs covering the period before port blocks were implemented. Authentication logs for WHM and cPanel interfaces should be audited for access attempts and successful logins that did not correspond to known legitimate users. The absence of a CVE means automated vulnerability scanners may not flag this incident; manual verification is necessary.

Remediation and response

Immediate action (if you run cPanel):

Check your cPanel version immediately. You can verify the version by logging into WHM or by running /usr/local/cpanel/cpanel -V from the command line. Compare against the affected versions list above.

If you are running an affected version, apply the emergency patch immediately. cPanel supports in-place patching via /scripts/upcp --force. This command forces an immediate update without waiting for the normal maintenance schedule.

After patching, audit access logs for the April 28-29 window (or whenever you became aware of the vulnerability). If you find evidence of unauthorized access, treat the server as potentially compromised. Contact your hosting provider or incident response team immediately.

If you use a hosting provider:

Contact your provider directly and ask about patch status. The major providers (Namecheap, KnownHost, HostPapa, InMotion, hosting.com) have publicly stated they applied patches. However, if you use a smaller or less responsive provider, patches may not have been deployed yet.

Ask whether your provider has audited access logs for evidence of exploitation. If the provider has not performed this audit, request that they do so. If evidence of unauthorized access is found, request a full post-incident security audit.

Long-term hardening:

Implement IP allowlisting for cPanel and WHM access. Restrict access to ports 2082, 2083, 2086, 2087, 2095, 2096, 2077, and 2078 to known administrative IP ranges. This prevents unauthorized access even if authentication flaws are discovered in the future.