cPanel Bugs
Disclosed in late April 2026, CVE-2026-41940 is the most dangerous of the bunch, carrying a CVSS score of 9.8.
The flaw exists in cPanel’s session management and authentication flow, where attackers can send crafted requests with manipulated cookies to trick the platform into treating them as a logged-in user, with no credentials required.
What makes this especially alarming is that the bypass can sidestep multi-factor authentication entirely.
Once inside, an attacker gains full administrative control over the hosting environment, including websites, databases, email accounts, configuration files, and API tokens.
Security researchers confirmed active exploitation in the wild weeks before patches became available, prompting CISA to add CVE-2026-41940 to its Known Exploited Vulnerabilities catalog.
The April advisory was just the beginning. cPanel followed up with two additional rounds of security fixes in May 2026.
May 2026 Patch Batches Add More CVEs
- May 8 patch addressed CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203
- May 13 patch covered CVE-2026-29205, CVE-2026-29206, CVE-2026-32991, CVE-2026-32992, and CVE-2026-32993
cPanel and hosting providers describe these as server-side issues in supported cPanel & WHM versions, with severities reaching up to High.
Full technical details for some of these May flaws may remain limited, but their presence alongside CVE-2026-41940 creates a dangerous attack surface.
When combined, these vulnerabilities give determined attackers multiple paths into a cPanel-managed server.
Beyond the initial authentication bypass, adversaries could chain the May flaws to escalate privileges, pivot between hosting accounts, or plant web shells for long-term persistence, a serious concern on shared hosting platforms where one compromised instance can expose dozens of customer environments.
Hosting companies like InMotion Hosting are already automatically rolling out patches for managed environments. However, self-managed VPS and dedicated server customers must act manually.
- Run the standard /scripts/upcp process immediately to apply all the latest fixes
- Review authentication logs, session directories, and panel access histories going back to at least February 2026
- Look for suspicious logins, unusual IP addresses, or unexpected configuration changes
- Rotate all panel passwords, API keys, and application credentials after patching
- On shared hosting platforms, audit all customer accounts for signs of lateral movement
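As an added example (not from the article, cPanel, or any hosting provider), the log-review steps above as a small Python scanner: it assumes an Apache-style `ip - user [timestamp] "request" status` line layout and uses constructed sample lines, then flags accepted panel requests from IPs outside each account's known-good list and single IPs that touched several accounts inside the review window.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines (not from any real server). The field order
# "ip - user [timestamp] \"request\" status" is an assumption for this example;
# check the layout of your own cPanel access log before pointing the parser at it.
SAMPLE_LOG = """\
203.0.113.10 - alice [01/Mar/2026:09:12:44 +0000] "GET /frontend/jupiter/index.html HTTP/1.1" 200
198.51.100.7 - alice [15/Mar/2026:02:10:01 +0000] "GET /frontend/jupiter/index.html HTTP/1.1" 200
198.51.100.7 - bob [15/Mar/2026:02:11:30 +0000] "GET /frontend/jupiter/index.html HTTP/1.1" 200
198.51.100.7 - carol [15/Mar/2026:02:13:05 +0000] "POST /json-api/cpanel HTTP/1.1" 200
203.0.113.10 - alice [20/Jan/2026:11:00:00 +0000] "GET /frontend/jupiter/index.html HTTP/1.1" 200
198.51.100.7 - dave [16/Mar/2026:04:00:00 +0000] "GET /frontend/jupiter/index.html HTTP/1.1" 403
"""
LINE_RE = re.compile(r'^(\S+) - (\S+) \[([^\]]+)\] "([^"]*)" (\d{3})')
REVIEW_SINCE = datetime(2026, 2, 1, tzinfo=timezone.utc)  # start of the review window above

def parse_line(line):
    """Return (ip, user, timestamp, status) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, user, ts, _req, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, user, when, int(status)

def review_logins(log_text, known_good, since=REVIEW_SINCE):
    """Flag accepted panel requests from IPs not on a user's known-good list,
    and IPs that touched several accounts (possible lateral movement)."""
    unknown = set()
    users_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, user, when, status = rec
        if when < since or status >= 400:  # outside the window, or request rejected
            continue
        users_by_ip[ip].add(user)
        if ip not in known_good.get(user, set()):
            unknown.add((user, ip))
    shared = {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) > 1}
    return {"unknown_ips": sorted(unknown), "shared_ips": shared}

if __name__ == "__main__":
    known_good = {"alice": {"203.0.113.10"}}  # constructed allow-list per account
    print(review_logins(SAMPLE_LOG, known_good))
```

Treat a hit as a lead to confirm against session directories and panel access histories, not as proof of compromise on its own.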
Security teams should treat this as more than a routine patch cycle. The combination of active exploitation, a high CVSS score, and multiple chained vulnerabilities makes delayed action a significant liability for hosting providers and site owners alike.
The post Multiple cPanel Bugs Allow Access to Critical System Resources appeared first on Cyber Security News.