WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
FREQUENTLY ASKED
What is CVE-2026-41940 and why does it matter?
CVE-2026-41940 is a critical authentication bypass vulnerability (CWE-306) affecting WebPros cPanel & WHM and WP2 (WordPress Squared). With a CVSS score of 9.3, it allows unauthenticated remote attackers to bypass login flows and gain unauthorized access to the control panel. This matters because it grants attackers administrative control over hosting environments, potentially leading to full server compromise and data theft.
Which versions of cPanel & WHM and WP2 are affected?
The vulnerability affects a wide range of versions, specifically starting from 11.40.0.0 through 11.136.0.0. Affected version strings include 11.40.0.0, 11.88.0.0, 11.112.0.0, 11.120.0.0, 11.128.0.0, 11.132.0.0, 11.134.0.0, and 11.136.0.0. Organizations should verify their current version against these specific affected releases provided in the advisory data.
Has a patch been released for CVE-2026-41940?
Yes, WebPros has released security updates to address this vulnerability. Specifically, users are urged to update to version 11.136.1.7 or the latest stable release provided by the vendor. Official documentation and patch links are available through the cPanel support portal and release notes, which provide detailed instructions for applying these critical security mitigations.
What is the remediation deadline for CVE-2026-41940?
The remediation deadline is set for 2026-05-03. For federal agencies and organizations following CISA BOD 22-01 guidance, this means the vulnerability must be mitigated or the product discontinued by this date to maintain compliance. Given the 'active' exploitation status, immediate patching is recommended for all users to prevent unauthorized access and potential ransomware deployment.
How can I check if my instance is affected by this vulnerability?
Administrators can check their status by logging into their WebHost Manager (WHM) interface and viewing the version number displayed in the top right corner or the dashboard footer. If the version is between 11.40.0.0 and 11.136.0.0 (and lower than 11.136.1.7), the instance is likely vulnerable. You should consult the vendor's official security update page for automated verification tools.
Executive Summary: The Criticality of CVE-2026-41940
CVE-2026-41940 identifies a critical authentication bypass vulnerability (CWE-306) in WebPros cPanel & WHM and WP2 (WordPress Squared) with a CVSS score of 9.3. This vulnerability is significant because it allows unauthenticated remote attackers to bypass the standard login flow and gain administrative access to the control panel. Given that cPanel and WHM (WebHost Manager) are the backbones of millions of hosting environments globally, the potential for widespread exploitation is high. The SSVC status is currently marked as "active," indicating that exploitation is occurring in the wild. All administrators must prioritize remediation before the May 3, 2026, deadline to prevent total server compromise.
Vulnerability Profile Table
Field
Value
CVE ID
CVE-2026-41940
Affected Product & Versions
cPanel & WHM and WP2: 11.40.0.0 through 11.136.0.0
CWE-306 (Missing Authentication for Critical Function)
Date Disclosed
2026-04-30
Remediation Deadline
2026-05-03
SSVC Exploitation status
active
Known Ransomware Use
Unknown
EPSS Score & Percentile
0.1652 (94.9%)
Patch Available
Yes
Technical Deep Dive: Understanding the Auth Bypass
CWE-306: Missing Authentication for Critical Function
At the core of CVE-2026-41940 is CWE-306, which occurs when a software application does not perform an identity check for a function that requires higher privileges. In the context of cPanel & WHM, this flaw resides within the login flow. Typically, a login flow is a multi-step process involving credential submission, validation, session token generation, and redirection. The vulnerability allows an attacker to manipulate these requests—likely by sending specially crafted network packets or HTTP requests—to bypass the credential validation phase entirely. This effectively treats an unauthenticated remote user as a fully authenticated administrator.
The Attack Chain and Exploitation Mechanics
According to the vulnerability description and available reference materials from watchTowr Labs, the attack chain targets specific components of the login flow that fail to verify state transitions correctly. Because the Attack Complexity is rated as "LOW" and requires "NONE" for privileges, an attacker can automate the discovery and exploitation of vulnerable instances using simple scripts.
Once the authentication is bypassed, the attacker gains access to the WebHost Manager (WHM) or cPanel interface. From this position, the blast radius is nearly absolute. An attacker can create new administrative users, access raw database files, modify website content, and even execute arbitrary code (RCE) on the underlying Linux operating system. This is analogous to an intruder finding a side door to a high-security vault that was left unlocked because the guards only monitored the front gate.
Who Is Affected: Impact and Compliance
This vulnerability impacts a vast range of users, from small business owners using shared hosting to large-scale data centers managing thousands of virtual private servers (VPS). Any organization running cPanel & WHM or WP2 between versions 11.40.0.0 and 11.136.0.0 is at immediate risk.
CISA BOD 22-01 and Remediation Deadlines
Because CVE-2026-41940 has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, it carries significant compliance weight. Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to remediate this flaw by May 3, 2026. Private sector organizations that align with NIST or CIS frameworks should treat this as a mandatory deadline to mitigate the risk of active exploitation. Failure to apply the patch not only leaves systems vulnerable but also creates a legal and regulatory liability in the event of a data breach.
Official Remediation Steps
To secure your environment, follow these steps immediately:
Identify Vulnerable Instances: Log in to your WHM dashboard and verify the version number. If your version is within the range of 11.40.0.0 to 11.136.0.0, you are vulnerable.
Execute cPanel Update: Run the standard cPanel update script via the command line as root: /usr/local/cpanel/scripts/upcp. This will pull the latest security binaries.
Verify Version 11.136.1.7 or Higher: Ensure that after the update, your system reports version 11.136.1.7 or a more recent stable release (e.g., 11.137+).
Audit Active Sessions: Navigate to WHM > Security Center > show Active Sessions. Terminate any suspicious or unknown sessions that may have originated before the patch was applied.
Review Logs: Check /usr/local/cpanel/logs/access_log for unusual login patterns or unauthorized access to critical endpoints.
Consult Vendor Advisories: Refer to the official cPanel Security Update 04-28-2026 for version-specific instructions for legacy tiers.
Security Best Practices for Control Panel Hardening
Beyond patching CVE-2026-41940, organizations should adopt a defense-in-depth strategy to mitigate future authentication bypass risks:
Implement IP Whitelisting for WHM: Restrict access to the WebHost Manager interface (port 2087) to known, trusted IP addresses using the host's firewall or the cPanel Host Access Control feature.
Enforce Two-Factor Authentication (2FA): While 2FA might be bypassed in a direct authentication flow flaw, it adds a critical layer of defense against credential stuffing and other common attack vectors that often precede deep exploitation.
Disable Unused Services: Turn off any cPanel or WHM features and ports that are not strictly necessary for your business operations to reduce the overall attack surface.
Enable Automatic Updates: Configure cPanel to automatically apply 'Security Fixes' and 'Minor Version' updates. This ensures that critical patches like the one for CVE-2026-41940 are applied with minimal delay.
Centralized Logging and Alerting: Forward cPanel security logs to a SIEM (Security Information and Event Management) system to detect anomalous login behavior in real-time.
Regular Backup Audits: Maintain off-site, immutable backups. In the event of a successful authentication bypass leading to ransomware, having a clean, isolated backup is the only guarantee of recovery.
Principle of Least Privilege: Avoid using the 'root' account for daily tasks; use specific WHM reseller accounts with restricted permissions where possible.