cPanel & WHM CVE-2026-41940: KEV Authentication Bypass in Hosting Control Planes

Suspected
Discovered Jun 1, 2026

CISA added WebPros cPanel & WHM and WP2 CVE-2026-41940 to KEV on 2026-04-30 and marks ransomware use as known. WebPros patched many cPanel branches and WP2 136.1.7, provided session-file IOC checks, and urged immediate update or service exposure reduction.

0
Affected Packages
4
Observables
4
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Am I affected?
Review affected software below
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script
hXXps://support[.]cpanel[.]net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026
hXXps://www[.]cisa[.]gov/sites/default/files/feeds/known_exploited_vulnerabilities[.]json
hXXps://nvd[.]nist[.]gov/vuln/detail/CVE-2026-41940
hXXps://docs[.]wpsquared[.]com/changelogs/versions/changelog/#13617

Analysis

Executive Summary

CISA added CVE-2026-41940 to the Known Exploited Vulnerabilities catalog on 2026-04-30, with a due date of 2026-05-03, and marks known ransomware campaign use as Known CISA KEV opens in a new tab. The affected products are cPanel & WHM, including DNSOnly, and WP2 (WordPress Squared). CISA describes the issue as an authentication bypass in the login flow that allows unauthenticated remote attackers to gain unauthorized control-panel access CISA KEV opens in a new tab.

WebPros says the issue affects all cPanel software versions after 11.40, pushed patched builds for active branches, and provided a detection script that inspects /var/cpanel/sessions and /usr/local/cpanel/logs/access_log for compromised session indicators cPanel opens in a new tab. Treat internet-exposed cPanel or WP2 login surfaces as active intrusion risk until patched-build proof and session-file review are complete.

Key Facts

Cve: CVE-2026-41940

Vendor: WebPros

Products:

  • cPanel & WHM
  • cPanel DNSOnly
  • WP2 (WordPress Squared)

Kev Added: 2026-04-30

Kev Due: 2026-05-03

Known Ransomware Campaign Use: Known

Cwe: CWE-306

Vulnerability: missing authentication for critical function / authentication bypass

Patched Cpanel Builds:

  • 11.86.0.41 and higher
  • 11.94.0.28 and higher
  • 11.102.0.39 and higher
  • 11.110.0.97 and higher
  • 11.118.0.63 and higher
  • 11.124.0.35 and higher
  • 11.126.0.54 and higher
  • 11.130.0.19 and higher
  • 11.132.0.29 and higher
  • 11.134.0.20 and higher
  • 11.136.0.5 and higher

Patched Wp2: 136.1.7 and higher

High Value Evidence:

  • /usr/local/cpanel/cpanel -V
  • /var/cpanel/sessions
  • /usr/local/cpanel/logs/access_log

Evidence Assessment

  • confirmed: CISA KEV lists CVE-2026-41940 as known exploited and records known ransomware campaign use CISA KEV opens in a new tab.
  • confirmed: WebPros lists patched cPanel and WP2 versions, required update commands, mitigations for exposed service ports, and a session-file detection script cPanel opens in a new tab.
  • confirmed: NVD maps CVE-2026-41940 to WebPros cPanel & WHM and WP2 and references the vendor advisory NVD opens in a new tab.
  • confirmed: WP2 changelog material is one of the vendor references CISA lists for the 136.1.7 fixed line WP2 changelog opens in a new tab.
  • unknown: Public sources reviewed here do not provide a complete exploit chain, ransomware family mapping, or victim list.

Impact Determination

Analysis table
ClassificationCriteriaRequired evidenceHandling decision
Confirmed compromiseSession files or access logs match vendor IOC patterns, unexplained control-panel access exists, or post-auth administrative changes follow exposed login traffic.Session files, preauth files, access log rows, account changes, API calls, webshell or backup access evidence.Isolate affected hosts, preserve cPanel evidence, rotate root/reseller/account credentials, and review hosted sites.
Presumed exposedInternet-exposed cPanel/WHM/WP2 is below a patched build or patch status is unknown.Version output, package inventory, asset scan, firewall exposure, and update tier config.Patch immediately or block ports 2083, 2087, 2095, and 2096; keep session review open.
Potentially exposedcPanel or WP2 is known in inventory but branch, build, or public exposure is incomplete.CMDB, scanner, DNS, service, update-tier, and firewall evidence.Collect exact version and exposure proof.
Not exposedNo affected product or exposed control-plane service appears in complete inventory, or patched build and negative session review are proven.Version check, access-log review, session scan, firewall config, and asset inventory.Preserve closure evidence and monitor for reused credentials.
UnknownVersion, session, access log, or firewall evidence is missing.Named telemetry gap with owner and time window.Keep control planes and hosted-account credentials in scope until evidence is recovered.

Timeline

  • 2026-04-28: WebPros publishes the initial cPanel/WHM and WP2 security update cPanel opens in a new tab.
  • 2026-04-30: CISA adds CVE-2026-41940 to KEV with a 2026-05-03 due date CISA KEV opens in a new tab.
  • 2026-05-01 to 2026-05-05: WebPros updates patched branch guidance and detection script false-positive handling cPanel opens in a new tab.
  • 2026-05-11: WebPros records its latest substantive article revision after adding branch fixes and refining the IOC script to reduce false positives cPanel opens in a new tab.

Technical Analysis

This bug sits at a hosting control-plane boundary. A successful unauthenticated bypass against cPanel/WHM can pivot into hosted account access, mailbox control, backup access, DNS changes, webroot modification, and credential theft. CISA's ransomware-use flag raises the priority: do not wait for webshell evidence before checking session files and patch status CISA KEV opens in a new tab. [1]

WebPros' required actions are concrete: update with /scripts/upcp --force, verify /usr/local/cpanel/cpanel -V, restart cpsrvd, and manually move pinned or disabled update configurations to a patched branch where needed cPanel opens in a new tab. If updating is not possible, WebPros recommends blocking inbound control-panel ports and disabling relevant services until the host can be patched cPanel opens in a new tab. [1]

Downstream Abuse Audits

Compromised workstations expose active API credentials, requiring immediate rotated revocation. The following platforms are at risk:

  • GitHub OIDC and PATs: Attackers harvested SSH private keys and Git Personal Access Tokens. Auditors must inspect recent action runs and release logs during the exposure window.
  • Cloud IAM Credentials: AWS, Azure, and GCP session tokens. CloudTrail and Activity Logs should be queried for AssumeRole or write operations originating from unexpected IP addresses.
  • NPM and Package Registries: Publishing tokens and credentials. Registry profiles must be audited for unauthorized version publishes or token additions.

Remediation and Closure

Patch to a vendor-listed fixed build or later, restart cpsrvd, and record version evidence. Closure requires patched-version proof, negative session-file and access-log review, exposed-port review, and downstream hosted-account checks. Where evidence is missing, rotate hosted-account credentials and keep the host in presumed-exposed status.

Timeline

4 of 4 rows

Timeline
DateEventDescriptionSource
Jun 1, 2026First seenFirst seen recorded for cPanel & WHM CVE-2026-41940: KEV Authentication Bypass in Hosting Control Planes.nvd.nist.gov
Jun 1, 2026cPanel & WHM CVE-2026-41940: KEV Authentication Bypass in Hosting Control PlanesUnknownnvd.nist.gov
Jun 1, 2026DiscoveryDiscovery recorded for cPanel & WHM CVE-2026-41940: KEV Authentication Bypass in Hosting Control Planes.nvd.nist.gov
Jun 1, 2026DisclosureDisclosure recorded for cPanel & WHM CVE-2026-41940: KEV Authentication Bypass in Hosting Control Planes.nvd.nist.gov

Affected Software

0 of 0 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
No rows match the active filters.

IOC Clipboard

4 IOCs
urlhttps://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026
urlhttps://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
urlhttps://nvd.nist.gov/vuln/detail/CVE-2026-41940
urlhttps://docs.wpsquared.com/changelogs/versions/changelog/#13617

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
local repository and exported telemetry scopePythonDoes the telemetry scope contain patterns associated with cPanel & WHM CVE-2026-41940: KEV Authentication Bypass in Hosting Control Planes?scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabnvd.nist.gov

Hunt Manifest: local repository and exported telemetry scope

Title
local repository and exported telemetry scope
Question
Does the telemetry scope contain patterns associated with cPanel & WHM CVE-2026-41940: KEV Authentication Bypass in Hosting Control Planes?
Telemetry Family
Python
Repository
scripts/local_repository_and_exported_telemetry_scope.py
Show tested hunting scriptscripts/local_repository_and_exported_telemetry_scope.py
scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabPython
#!/usr/bin/env python3
import os
import sys
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-cpanel-whm-cve-2026-41940-kev-scope"))

URLS = ["https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json","https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026","https://nvd.nist.gov/vuln/detail/CVE-2026-41940","https://docs.wpsquared.com/changelogs/versions/changelog/#13617"]

# Collect unique indicators
indicators = set()
for group in [URLS]:
    for val in group:
        if val:
            indicators.add(val)

with open(indicators_file, "w") as f:
    for ind in sorted(indicators):
        f.write(ind + "\n")

print(f"[+] Written unique selectors to {indicators_file}")

# Walk local directory
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = []
exclude_dirs = {"node_modules", "vendor", "dist", ".git"}
for root, dirs, filenames in os.walk(ROOT):
    dirs[:] = [d for d in dirs if d not in exclude_dirs]
    for filename in filenames:
        filepath = Path(root) / filename
        try:
            content = filepath.read_text(errors="ignore")
            for ind in indicators:
                if ind in content:
                    matches.append(f"{filepath}: found '{ind}'")
        except Exception:
            pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here

if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional Log Scanning
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = []
    for root, _, filenames in os.walk(LOG_ROOT):
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        log_matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

    if PACKAGES:
        registry_dir = OUT / "registry"
        registry_dir.mkdir(exist_ok=True)

print(f"[+] Wrote scope artifacts under {OUT}")

Provenance & Sources

4 of 4 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
nvd.nist.govSecurity Researcher95%1CISA added WebPros cPanel & WHM and WP2 CVE-2026-41940 to KEV on 2026-04-30 and marks ransomware use as known. WebPros patched many cPanel branches and WP2 136.1.7, provided session-file IOC checks, and urged immediate update or service exposure reduction.
cisa.govSecurity Researcher95%1CISA added WebPros cPanel & WHM and WP2 CVE-2026-41940 to KEV on 2026-04-30 and marks ransomware use as known. WebPros patched many cPanel branches and WP2 136.1.7, provided session-file IOC checks, and urged immediate update or service exposure reduction.
support.cpanel.netSecurity Researcher95%1CISA added WebPros cPanel & WHM and WP2 CVE-2026-41940 to KEV on 2026-04-30 and marks ransomware use as known. WebPros patched many cPanel branches and WP2 136.1.7, provided session-file IOC checks, and urged immediate update or service exposure reduction.
docs.wpsquared.comSecurity Researcher95%1CISA added WebPros cPanel & WHM and WP2 CVE-2026-41940 to KEV on 2026-04-30 and marks ransomware use as known. WebPros patched many cPanel branches and WP2 136.1.7, provided session-file IOC checks, and urged immediate update or service exposure reduction.