The flaw, tracked as CVE-2026-41940, allows unauthenticated attackers to bypass login mechanisms entirely, potentially granting root-level access to affected hosting control panels.
A public proof-of-concept (PoC) exploit has since been released by security researchers at watchTowr, dramatically raising the urgency for immediate patching.
The vulnerability resides in the authentication layer of cPanel & WHM software, including DNSOnly deployments.
According to cPanel’s official security advisory, the issue affects all versions after 11.40, an enormous attack surface given cPanel’s dominant position in the shared hosting market worldwide.
The flaw involves a CRLF injection chained with session token leakage, enabling a pre-authenticated attacker to hijack a session token, propagate it through the server’s internal cache, and ultimately gain WHM root access — all without valid credentials.
WatchTowr researcher Sina Kheirkhah (@SinSinology) published a detection artifact generator demonstrating the exploit chain in four distinct steps, including:
- a do_token_denied request to propagate the raw token into the server-side cache
- a /json-api/version request to confirm WHM root-level access, returning HTTP 200 with full version disclosure

The PoC tool authbypass-RCE.py targets port 2087 (WHM) and successfully confirms exploitation against vulnerable instances running builds such as 11.110.0.89 and earlier.
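To show what the two recoverable steps of the chain look like from the defender's side, here is an added example. It is not part of the article and is not cPanel's detection script or watchTowr's artifact generator. It assumes cpsrvd access-log lines in a combined-log-style layout (client IP first, the request line in double quotes, the HTTP status immediately after it) and that the log lives at /usr/local/cpanel/logs/access_log; the sample lines, client addresses and the /do_token_denied path are constructed for the example, since the article names the request but not its exact URL. The logic flags any source address that issued a do_token_denied request and afterwards received HTTP 200 from /json-api/version, the order the article describes.

```shell
#!/bin/sh
# Added example: flag clients that performed the token-propagation request and
# then got a successful /json-api/version answer. Not the vendor's detection
# script; the log layout, paths and sample lines below are assumptions.

# detect_chain reads access-log lines on stdin and prints each client IP that
# sent a do_token_denied request and later received a 200 from /json-api/version.
# Assumed layout: <ip> <ident> <user> [<date>] "<method> <path> <proto>" <status> ...
detect_chain() {
    awk '
    {
        # Split on double quotes: q[2] is the request line, q[3] begins with the status.
        if (split($0, q, "\"") < 3) next
        split(q[2], req, " ")
        split(q[3], rest, " ")
        ip = $1; path = req[2]; status = rest[1]

        # First observed step: token propagated through do_token_denied.
        # The response status of this step is not checked.
        if (index(path, "do_token_denied") > 0) {
            propagated[ip] = NR
            next
        }
        # Second observed step: root-level confirmation via /json-api/version
        # answered 200 by a client that already did the first step.
        if (index(path, "/json-api/version") == 1 && status == "200" && (ip in propagated)) {
            if (!(ip in flagged)) { flagged[ip] = 1; print ip }
        }
    }'
}

# Constructed sample log (not real traffic): 203.0.113.5 performs both steps in
# order; 198.51.100.7 is an ordinary authenticated version check; 192.0.2.9 hits
# the endpoints in the wrong order and must not be flagged.
SAMPLE_LOG='203.0.113.5 - - [04/29/2026:10:15:02 -0000] "GET /do_token_denied HTTP/1.1" 200 0 "" "curl/8.0"
198.51.100.7 - root [04/29/2026:10:15:10 -0000] "GET /json-api/version HTTP/1.1" 200 88 "" "curl/8.0"
192.0.2.9 - root [04/29/2026:10:16:00 -0000] "GET /json-api/version HTTP/1.1" 200 88 "" "curl/8.0"
192.0.2.9 - - [04/29/2026:10:16:01 -0000] "GET /do_token_denied HTTP/1.1" 200 0 "" "curl/8.0"
203.0.113.5 - - [04/29/2026:10:16:30 -0000] "GET /json-api/version HTTP/1.1" 200 88 "" "curl/8.0"'

# Demo on the constructed sample. On a real host, feed the live log instead:
#   detect_chain < /usr/local/cpanel/logs/access_log
printf '%s\n' "$SAMPLE_LOG" | detect_chain
```

A hit from this check is a lead, not proof: the first two steps of the chain (the CRLF injection and the token leak) are not covered here because the article does not describe their requests, and an address that appears should be correlated with session and WHM activity from the same window.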
Reports indicate the vulnerability was privately disclosed to cPanel approximately two weeks before public exploitation was observed.
However, confirmed in-the-wild attacks forced cPanel to accelerate its patch rollout, with the initial advisory published on April 28, 2026, at 12:05 PM CST.
The advisory was subsequently updated multiple times within 48 hours to include patched versions, revised mitigation steps, and a detection script — reflecting the fast-moving nature of the incident.
Multiple global hosting providers have reportedly taken cPanel-based control panels offline as a precautionary measure to prevent mass unauthorized access.
cPanel has released emergency patches across the following versions:
For WP Squared (WP2) deployments, the patched version is 136.1.7.
Administrators should prioritize the following actions without delay:
- Force an update to a patched build: /scripts/upcp --force
- Confirm the installed version with /usr/local/cpanel/cpanel -V and restart cpsrvd: /scripts/restartsrv_cpsrvd
- Servers running unsupported cPanel versions that are not eligible for the current patch should be treated as compromised until proven otherwise and escalated for emergency version upgrades.
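The action list above as an added example script; it is not from cPanel's advisory. It forces the update, normalizes the output of /usr/local/cpanel/cpanel -V, and restarts cpsrvd only once the installed build is at or above a minimum patched version, so a failed update is not mistaken for a fixed host. The default MIN_PATCHED_VERSION is the WP Squared build the article names and must be replaced with the patched build for your branch; the two output formats accepted for cpanel -V ("11.110.0.89" or "11.110.0 (build 89)") and the APPLY_CPANEL_PATCH switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not cPanel's advisory or detection script): apply the update,
# confirm the installed build, and restart cpsrvd only if the build is patched.
set -u

# Minimum patched build. Assumption for illustration: the WP Squared build the
# article names. Replace with the patched version for this server's branch.
MIN_PATCHED_VERSION="${MIN_PATCHED_VERSION:-136.1.7}"

# normalize_version: reduce the output of `cpanel -V` to a dotted numeric string.
# Accepts "11.110.0.89" and, as an assumed variant, "11.110.0 (build 89)".
normalize_version() {
    printf '%s\n' "$1" |
        sed -E 's/ *\(build ([0-9]+)\)/.\1/' |
        grep -oE '[0-9]+(\.[0-9]+)*' | head -n 1
}

# version_ge A B: exit 0 when A >= B, comparing dot-separated fields numerically.
# Missing trailing fields count as 0, so 11.110 equals 11.110.0.0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# Step 1 of the action list: force the update.
cpanel_apply_patch() {
    /scripts/upcp --force
}

# Step 2: read the installed build and restart cpsrvd only when it is patched.
cpanel_verify_patch() {
    installed=$(normalize_version "$(/usr/local/cpanel/cpanel -V)")
    if version_ge "$installed" "$MIN_PATCHED_VERSION"; then
        echo "cPanel $installed >= $MIN_PATCHED_VERSION: restarting cpsrvd"
        /scripts/restartsrv_cpsrvd
        return 0
    fi
    echo "cPanel $installed < $MIN_PATCHED_VERSION: host is NOT patched" >&2
    return 1
}

# The real commands run only when APPLY_CPANEL_PATCH=1 (assumed switch);
# otherwise the script only demonstrates the comparison on the build the
# article lists as exploitable.
if [ "${APPLY_CPANEL_PATCH:-0}" = 1 ]; then
    cpanel_apply_patch && cpanel_verify_patch
else
    if version_ge "11.110.0.89" "$MIN_PATCHED_VERSION"; then
        echo "11.110.0.89 is at or above $MIN_PATCHED_VERSION"
    else
        echo "11.110.0.89 is below $MIN_PATCHED_VERSION: update required"
    fi
fi
```

Run it as root on the server with APPLY_CPANEL_PATCH=1 and MIN_PATCHED_VERSION set to the advisory's value for your branch; a non-zero exit means the host is still on an unpatched build and, per the list above, should be handled as unsupported or potentially compromised rather than left in service.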
With cPanel estimated to power millions of hosting accounts worldwide across both shared and VPS environments, the blast radius of CVE-2026-41940 is substantial.
Authentication bypass vulnerabilities at the control panel level are particularly dangerous because they expose not just a single website, but entire server ecosystems, including all hosted domains, email accounts, databases, and file systems.
The public release of a working PoC significantly lowers the barrier for exploitation, and opportunistic threat actors are expected to incorporate this into mass-scanning campaigns imminently.
The post cPanel 0-Day Authentication Bypass Vulnerability Actively Exploited in the Wild — PoC Released appeared first on Cyber Security News.