cPanel zero-day CVE-2026-41940 exploited with PoC
The critical CVE-2026-41940 authentication bypass vulnerability in cPanel, WHM, and WP Squared is being actively exploited in the wild and has been leveraged in attempts since late February. [...]
What Happened
A critical authentication bypass vulnerability in cPanel, WHM, and WP Squared, tracked as CVE-2026-41940, is being actively exploited in the wild. Threat actors have leveraged the flaw since at least late February 2026, according to security researchers and vendor advisories. A proof-of-concept (PoC) exploit is now publicly available, escalating the risk of widespread attacks.
The vulnerability allows an unauthenticated attacker to bypass authentication mechanisms completely, potentially gaining administrative control over affected cPanel and WHM installations. Web hosting providers, managed service providers, and enterprises using cPanel for server management are the primary targets.
Why It Matters
cPanel and WHM are among the most widely used web hosting control panels globally, managing millions of domains. A zero-day authentication bypass that gives attackers administrative access can lead to full server compromise, data theft, website defacement, and lateral movement into internal networks. With a public PoC now circulating, the window to patch before exploitation is closing fast. Organizations that fail to apply patches risk becoming the next victim.
For hosting providers, a single compromised cPanel instance could expose customer data, including website credentials, database contents, and email archives, potentially triggering cascading breaches across multiple tenants.
Technical Details
CVE-2026-41940 is an authentication bypass in cPanel and WHM, affecting versions prior to the latest patched release. The flaw resides in the authentication logic for XML-API and critical administration scripts. An attacker can send specially crafted HTTP requests that bypass session validation, allowing unauthorized access to the administrative interface without valid credentials.
The vulnerability is classified as critical with a CVSS score in the 9.8-10.0 range. WP Squared, a related add-on, is also affected. Indicators of compromise include unexpected administrative session creation logs, unusual API requests targeting /xml-api/ endpoints, and unauthorized changes to hosting configurations.
Public PoC exploit code demonstrates a simple HTTP POST request that returns a valid session cookie, confirming the bypass. The exploit does not require user interaction or prior access.
Immediate Risk
The risk is critical and imminent. Active exploitation has been observed for weeks, and the public PoC removes any technical barrier for less sophisticated threat actors. Organizations using cPanel or WHM versions that are not fully patched should treat any internet-facing instance as compromised until proven otherwise.
Attackers are likely using this access to deploy web shells, exfiltrate database credentials, or stage further attacks against downstream customers. If you manage cPanel servers, assume breach and audit for unauthorized administrative actions as quickly as possible.
Security Insight
This vulnerability echoes the 2023 cPanel CVE-2023-29489 XSS flaw, which also targeted the XML-API surface area and was exploited post-PoC release. The pattern is clear: attackers prioritize cPanel because of its outsized role in hosting infrastructure. The defensive takeaway is that an authentication bypass in a control panel is not a contained, single-point failure. Once an attacker has admin access, they can deploy persistent backdoors using legitimate cPanel API functions, making cleanup difficult. Organizations should implement network segmentation for hosting management interfaces, enforce strict access controls (IP allowlisting, VPN), and monitor API logs for anomalous session creation patterns, not just failed logins.
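The monitoring advice above can be turned into a simple log check. The following is an added example, not code from cPanel or from the original article: it flags successful requests to /xml-api/ paths that come from outside a management allowlist, which failed-login monitoring alone would miss. The log layout, allowlist networks, sample lines and function names are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: networks allowed to reach the management interface.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "10.20.0.0/16")]

# Assumption: combined-log-style lines; adapt the pattern to the real log.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
192.0.2.10 - admin [03/May/2026:10:01:12 +0000] "GET /xml-api/example HTTP/1.1" 200 5120
198.51.100.7 - - [03/May/2026:10:02:40 +0000] "POST /xml-api/ HTTP/1.1" 200 312
198.51.100.7 - - [03/May/2026:10:02:41 +0000] "GET /xml-api/example HTTP/1.1" 200 5120
203.0.113.44 - - [03/May/2026:10:05:03 +0000] "POST /xml-api/ HTTP/1.1" 401 98
203.0.113.44 - - [03/May/2026:10:05:09 +0000] "GET /index.html HTTP/1.1" 200 1024
this line does not parse and is skipped
"""


def is_allowed(ip_text):
    """True if the source address is inside an allowlisted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # hostnames or junk are treated as not allowlisted
    return any(ip in net for net in ALLOWLIST)


def find_suspect_api_access(log_text):
    """Map source IP -> successful /xml-api/ requests from outside the allowlist."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith("/xml-api/"):
            continue
        if is_allowed(m["ip"]) or not 200 <= int(m["status"]) < 300:
            continue
        hits[m["ip"]].append((m["ts"], m["method"], m["path"], m["user"]))
    return dict(hits)


if __name__ == "__main__":
    for ip, reqs in find_suspect_api_access(SAMPLE_LOG).items():
        print(ip, len(reqs), "successful /xml-api/ requests, first at", reqs[0][0])
```

Each flagged source is a lead for the audit of unauthorized administrative actions described under Immediate Risk, not proof of compromise on its own.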