CVE-2026-41940: cPanel and WHM Authentication Bypass (CVSS 9.8 CRITICAL)

CVE-2026-41940 is a critical authentication bypass vulnerability (CVSS 9.8) in cPanel and WHM versions 11.40 through 136.0.4. Unauthenticated remote attackers can bypass authentication and gain administrative access. Added to the CISA Known Exploited Vulnerabilities catalog with remediation required by May 3, 2026. Public exploits are documented. Update to version 136.0.5 or later immediately.

What This Vulnerability Is

CVE-2026-41940 is an authentication bypass in cPanel and WHM that allows unauthenticated remote attackers to gain administrative access to the hosting control panel. This affects versions 11.40 through 136.0.4, covering nearly every cPanel installation deployed in the last several years.

The National Vulnerability Database assigned this issue a CVSS base score of 9.8, placing it in the CRITICAL category. CISA has added this vulnerability to the Known Exploited Vulnerabilities (KEV) catalog, meaning active exploitation has been confirmed in the wild. Federal agencies are required to remediate by May 3, 2026.

CVE Identifier:     CVE-2026-41940
CVSS Base Score:    9.8 / 10.0 (CRITICAL)
Attack Vector:      Network (unauthenticated, remote)
Affected Versions:  cPanel and WHM 11.40 through 136.0.4
Fixed Version:      136.0.5 and later
CISA KEV:           Yes. Remediation required by May 3, 2026
Public Exploits:    Documented

Who Is Affected

Any organization running cPanel or WHM versions 11.40 through 136.0.4 is affected. This includes:

  • Web hosting providers running cPanel-based shared hosting, reseller hosting or dedicated server management
  • Managed service providers using WHM for multi-tenant server administration
  • Small and mid-sized businesses running their own cPanel servers
  • Developers with staging or production servers managed through cPanel

cPanel reports over 1.4 million active installations worldwide. Given the version range (11.40 through 136.0.4), the vast majority of these installations are vulnerable if unpatched.

Why This Is Urgent

Three factors make this CVE exceptionally dangerous:

  1. No authentication required. An attacker does not need credentials. The bypass grants administrative access from the network with no prior access.
  2. Active exploitation confirmed. CISA does not add vulnerabilities to KEV speculatively. Confirmed exploitation means attackers are already using this.
  3. Administrative access = full server control. cPanel admin access means the attacker can create accounts, modify DNS, read email, deploy web shells, access databases and pivot to other services on the server.

What to Do About It

  1. Check your cPanel version. SSH into your server and run /usr/local/cpanel/cpanel -V. If the version is 136.0.4 or lower, you are vulnerable.
  2. Update immediately. Run /scripts/upcp --force to force an immediate cPanel update to the latest version (136.0.5+).
  3. If you cannot update right now, restrict access. Block public access to WHM and cPanel ports (2086, 2087, 2082, 2083) via firewall. Allow only trusted IP addresses.
  4. Check for compromise. Review authentication logs for unauthorized access:
    • /var/log/cPanel/login_log
    • /usr/local/cpanel/logs/access_log
    • Look for logins from unfamiliar IP addresses or at unusual times
  5. Audit server state. Check for newly created accounts, modified DNS records, unexpected cron jobs or web shells in document roots.
  6. Document your response. Record when you patched, what logs you reviewed and whether any indicators of compromise were found. CISA KEV compliance requires documented remediation.
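The version check in step 1 and the log review in step 4, as an added shell example that is not part of this advisory: it compares an installed version against the fixed release and flags successful logins from addresses outside an administrator-maintained allow list. The login_log line layout and the sample addresses are constructed for illustration, and the version string is assumed to be the first word printed by `/usr/local/cpanel/cpanel -V`.

```shell
#!/bin/sh
# Added example, not from the advisory: version check against the fixed
# release plus a first-pass review of cPanel login records.
# Assumptions: the log layout below is constructed for illustration and the
# allow list of trusted source addresses is maintained by the administrator.

FIXED_VERSION="136.0.5"

# True (exit 0) when the version given as $1 sorts below the fixed release.
# sort -V compares dotted versions numerically, so 136.0.10 counts as newer.
cpanel_is_vulnerable() {
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$1" ] && [ "$1" != "$FIXED_VERSION" ]
}

# Print successful logins whose source IP is absent from the allow list.
# $1 = login log, $2 = file of trusted IPs, one per line. The allow list is
# the first file awk reads, so an empty allow list flags every login.
unfamiliar_logins() {
    awk 'FILENAME == ARGV[1] { trusted[$1] = 1; next }
         /SUCCESS LOGIN/ && !($6 in trusted) { print }' "$2" "$1"
}

# Constructed sample data: two trusted addresses and four log lines in an
# assumed layout (timestamp, level, service, source IP, user, result).
WORK=$(mktemp -d)
printf '198.51.100.10\n198.51.100.11\n' > "$WORK/trusted.txt"
cat > "$WORK/login_log" <<'EOF'
[2026-04-20 09:02:11 +0000] info [cpaneld] 198.51.100.10 - user "alice" - SUCCESS LOGIN cpaneld
[2026-04-20 02:14:07 +0000] info [whostmgrd] 203.0.113.7 - root "root" - SUCCESS LOGIN whostmgrd
[2026-04-20 02:15:30 +0000] info [whostmgrd] 203.0.113.7 - root "root" - FAILED LOGIN whostmgrd
[2026-04-21 03:40:52 +0000] info [cpaneld] 192.0.2.55 - user "bob" - SUCCESS LOGIN cpaneld
EOF

# Number of flagged logins in the sample, usable as a scripted check.
flagged_count() {
    unfamiliar_logins "$WORK/login_log" "$WORK/trusted.txt" | wc -l | tr -d ' '
}

# On a live server, replace "136.0.4" with:
#   $(/usr/local/cpanel/cpanel -V | awk '{print $1}')
if cpanel_is_vulnerable "136.0.4"; then
    echo "136.0.4 is below $FIXED_VERSION: update with /scripts/upcp --force"
fi
echo "Successful logins from addresses outside the allow list:"
unfamiliar_logins "$WORK/login_log" "$WORK/trusted.txt"
```

Only successful logins are flagged; failed attempts from the same address (the third sample line) are left for the broader compromise review in step 5.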

Why This Matters for Organizations Without Security Teams

A CVSS score of 9.8 with confirmed active exploitation and a CISA KEV listing is the highest-priority combination in vulnerability management. This is not a theoretical risk. Attackers are using this right now against unpatched cPanel servers.

If you run cPanel and lack the internal capacity to validate your patching, audit your logs for compromise indicators or assess whether an attacker already accessed your system before you patched, an external assessment is the responsible next step.

Sherlock Forensics provides vulnerability assessment and incident response for organizations that need to understand their exposure and verify their systems are clean after a critical disclosure like this.

References and Further Reading