Critical (9.8) Actively Exploited

cPanel WHM auth bypass actively exploited (CVE-2026-41940) [PoC]

CVE-2026-41940

CVE-2026-41940: Critical cPanel/WHM 11.40+ auth bypass grants unauthenticated full panel access. Actively exploited in the wild (CISA KEV). Update to patched version now.

Affected: Cpanel Cpanel

Actively exploited in the wild - CVE-2026-41940 is a critical authentication bypass vulnerability in cPanel and WHM versions after 11.40 that lets unauthenticated remote attackers gain full control panel access. CISA has confirmed active exploitation; update all affected installations immediately.

Overview

CVE-2026-41940 is a severe authentication bypass flaw in the cPanel and WHM login flow. Present in versions 11.40 and later, it allows an unauthenticated attacker with network access to the control panel’s login interface to bypass authentication checks entirely. No valid credentials, user interaction, or complex prerequisites are required. The CVSS 9.8 score reflects the ease of exploitation and the complete compromise of confidentiality, integrity, and availability that results.

Impact

An attacker who successfully exploits CVE-2026-41940 gains unauthorized administrative access to the cPanel or WHM interface. From there, they can create, modify, or delete hosting accounts; read sensitive data like database credentials and email archives; deploy web shells; and pivot to other services running on the server. Because WHM controls shared hosting environments, a single exploit can compromise multiple customer websites hosted on the same server.

Remediation

cPanel has released security updates addressing CVE-2026-41940. Immediately upgrade all instances of cPanel and WHM to the latest stable version. If immediate patching is not possible, restrict network access to the cPanel and WHM login interfaces (typically ports 2083 and 2087) to trusted IP ranges only. Monitor for new web shells, unexpected admin accounts, or configuration changes in the hosting environment. Review breach reports for indicators of compromise observed in real-world attacks.
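
One way to turn the interim port restriction above into firewall rules, as an added example that is not from cPanel or from this advisory: it validates a list of trusted ranges and generates iptables/ip6tables rule lines that accept the panel ports only from those ranges and drop everything else. The helper name `build_allowlist_rules` and the sample ranges (documentation addresses) are assumptions made for the example.

```python
import ipaddress

# Ports this advisory names as the typical cPanel (2083) and WHM (2087) logins.
PANEL_PORTS = (2083, 2087)


def build_allowlist_rules(trusted_ranges, ports=PANEL_PORTS):
    """Hypothetical helper: return iptables-save style rule lines per address
    family that ACCEPT the panel ports from trusted ranges, then DROP the rest."""
    if not trusted_ranges:
        raise ValueError("empty allowlist would lock every administrator out")
    dports = ",".join(str(p) for p in ports)
    match = f"-p tcp -m multiport --dports {dports}"
    rules = {"iptables": [], "ip6tables": []}
    for text in trusted_ranges:
        # ip_network() raises ValueError on malformed input; strict=False
        # normalises host bits, so 203.0.113.7/24 becomes 203.0.113.0/24.
        net = ipaddress.ip_network(text, strict=False)
        if net.prefixlen == 0:
            raise ValueError(f"{text} matches every address, not a trusted range")
        tool = "iptables" if net.version == 4 else "ip6tables"
        rules[tool].append(f"-A INPUT -s {net} {match} -j ACCEPT")
    # Emit the DROP for both families, after every ACCEPT: a v4-only allowlist
    # must not leave the login ports open to the world over IPv6.
    for tool in rules:
        rules[tool].append(f"-A INPUT {match} -j DROP")
    return rules


if __name__ == "__main__":
    # Constructed sample ranges (RFC 5737 / RFC 3849 documentation addresses).
    sample = ["203.0.113.0/24", "198.51.100.10", "2001:db8:10::/48"]
    for tool, lines in build_allowlist_rules(sample).items():
        for line in lines:
            print(tool, line)
```

Rules appended with `-A` take effect only if no earlier INPUT rule already accepts these ports, so check the existing chain order before loading them.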

Security Insight

CVE-2026-41940 follows a pattern of critical authentication bypass vulnerabilities in web hosting control panels - similar to past flaws in Plesk and DirectAdmin. The absence of any authentication requirement (no credentials, no user interaction) makes this vulnerability particularly dangerous for shared hosting providers, where a single exploited server can lead to multi-tenant data breaches. The presence of CVE-2026-41940 on CISA’s KEV catalog underscores that web hosts remain a primary target for financially motivated threat actors seeking bulk credentials and website defacement opportunities.

Public PoC References

Unverified third-party code

These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).

Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.

Repository Stars

ynsmroztas/cPanelSniper ★ 441
  CVE-2026-41940 — cPanel & WHM Authentication Bypass via Session-File CRLF Injection

XsanFlip/poc-cpanel-cve-2026-41940 ★ 63

adriyansyah-mf/cve-2026-41940-poc ★ 29

Sachinart/CVE-2026-41940-cpanel-0day ★ 26
  CVE-2026-41940 latest cPanel & WHM 0day - 70 million websites are possible to expose by Chirag Artani

bughunt4me/cpanelCVE-2026-41940 ★ 13
  CVE-2026-41940 Auto Root Login

Showing 5 of 43 known references. Source: nomi-sec/PoC-in-GitHub.

Nuclei Detection Templates

Detection template available — your exposure is being scanned

The templates below are YAML signatures for the Nuclei scanner from ProjectDiscovery. They are not exploit code — they are detection rules that confirm whether a target is vulnerable. The presence of a Nuclei template means every bug bounty hunter, AppSec team, red team, and reconnaissance pipeline on the public internet is actively probing for this CVE.

Assume your exposed instances have already been touched. Patch immediately even if no exploitation is observed yet — fingerprinting precedes exploitation by days at most.

Template: CVE-2026-41940.yaml

1 Nuclei template indexed for this CVE. Source: projectdiscovery/nuclei-templates.
