
cPanel Security Alert: Critical Authentication Bypass Vulnerability (CVE-2026-41940) Explained, Fix Given

When authentication itself becomes the weak point, everything built on top of it is suddenly exposed. This is what happened with the recent critical vulnerability in cPanel & WHM: a high-impact security issue that attackers can use to bypass login completely. The cPanel team responded quickly and has already released a fix, and users are asked to apply the patch immediately. This is not a routine update; it fixes something very serious, so applying it is mandatory. Below we break down what CVE-2026-41940 means, which security steps need to be taken, and how to take them.

What is CVE-2026-41940?

CVE-2026-41940 is a critical authentication bypass vulnerability affecting cPanel & WHM. In simple terms:

  • Attackers could access the server without a username or a password
  • The login system could be skipped entirely
  • Unauthorized users could gain admin-level control

This issue is tied to how session authentication was handled internally, which allowed malicious requests to bypass the standard login checks. It affects every cPanel version (including DNSOnly) after 11.40.

Why is the CVE-2026-41940 Bug so Critical?

This is not just another bug: it is classified as critical (CVSS 9.8), the highest severity level. Here is why it is so serious:

  • Full access to the hosting environment
  • Control over websites, databases, and emails
  • Ability to modify server configurations
  • Potential for complete server takeover

More importantly, this vulnerability was actively exploited before the patch was released, making it a real-world threat rather than a theoretical one.

Who is Affected by cPanel’s CVE-2026-41940 Vulnerability?

Any server running unpatched versions (precisely, versions after 11.40) of cPanel & WHM was vulnerable. This includes:

  • Hosting providers
  • Businesses managing their own servers
  • Agencies running multiple client websites
  • WordPress environments using WP Squared (WP2)

If your system was not updated immediately after the patch release, there is a possibility it was exposed. No need to panic, though: apply the patch and then check whether anything was compromised. The steps are given below.

Official CVE-2026-41940 Fix Released by cPanel

The cPanel team released a security update on April 28, 2026, addressing this issue. The patch is for the following cPanel & WHM versions:

  • 11.86.0.41
  • 11.110.0.97
  • 11.118.0.63
  • 11.126.0.54
  • 11.130.0.19
  • 11.132.0.29
  • 11.136.0.5
  • 11.134.0.20
  • WP2: 11.136.1.7

For those on CentOS 6 or CloudLinux 6 using v110.0.50, cPanel has released v110.0.103 as a direct update.

The CVE-2026-41940 Patch Update

If you are on any of the listed versions, follow these steps immediately using the cPanel update script:

Update Immediately

Run a forced update:

/scripts/upcp --force

Verify Your Version

Once the update is done, verify the version:

/usr/local/cpanel/cpanel -V

Make sure it matches one of the patched versions.

Restart cPanel Services

Once verified, you need to restart:

/scripts/restartsrv_cpsrvd --hard

Remember that servers with cPanel updates disabled will not update automatically. You need to identify and update those servers manually as a priority. If your server runs on CentOS 7 or CloudLinux 7, set the version to 11.110:

whmapi1 set_tier tier=11.110
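To make the "verify your version" step less error-prone, here is an added helper (not part of cPanel or this alert) that compares a version string against the patched builds listed above. It assumes the version has the form 11.MAJOR.MINOR.BUILD and that the first whitespace-separated token printed by /usr/local/cpanel/cpanel -V is that version string; a build on a listed line at or above the patched build counts as patched, anything else (older build, unknown line, malformed string) counts as unpatched.

```shell
#!/bin/sh
# Added example: check a cPanel & WHM version against the patched builds
# named in this alert. Not cPanel's own tooling.

# Patched builds exactly as listed in the alert (one per release line).
PATCHED_BUILDS="11.86.0.41 11.110.0.97 11.118.0.63 11.126.0.54 11.130.0.19 11.132.0.29 11.134.0.20 11.136.0.5 11.136.1.7"

# is_numeric STRING -> 0 if STRING is a non-empty run of digits, else 1
is_numeric() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# is_patched VERSION -> 0 if VERSION is on a listed release line and its
# build number is >= the patched build for that line, 1 otherwise.
# Malformed or unknown versions are treated as unpatched (fail closed).
is_patched() {
    v_line=$(printf '%s' "$1" | cut -d. -f1-3)   # e.g. 11.110.0
    v_build=$(printf '%s' "$1" | cut -d. -f4)    # e.g. 97
    # Require exactly four dotted components and a numeric build number.
    [ "$(printf '%s' "$1" | tr -cd . | wc -c)" -eq 3 ] || return 1
    is_numeric "$v_build" || return 1
    for p in $PATCHED_BUILDS; do
        p_line=$(printf '%s' "$p" | cut -d. -f1-3)
        p_build=$(printf '%s' "$p" | cut -d. -f4)
        if [ "$v_line" = "$p_line" ]; then
            [ "$v_build" -ge "$p_build" ] && return 0
            return 1
        fi
    done
    return 1
}

# On a real cPanel host, read the running version and report the result.
# Assumption: the first token of `cpanel -V` output is the version string.
if [ -x /usr/local/cpanel/cpanel ]; then
    running=$(/usr/local/cpanel/cpanel -V 2>/dev/null | awk '{print $1}')
    if is_patched "$running"; then
        echo "cPanel $running: at or above a patched build for CVE-2026-41940"
    else
        echo "cPanel $running: NOT on a patched build, run /scripts/upcp --force"
    fi
fi
```

Servers on the v110.0.103 direct update for CentOS 6 / CloudLinux 6 resolve to the 11.110.0 line and pass the check as well.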

Stop the Traffic

If you cannot update right now for any reason, you must do one of the following:

Block inbound traffic on ports 2083, 2087, 2095, and 2096 at the firewall.

or,

Stop cpsrvd & cpdavd using this command:

whmapi1 configureservice service=cpsrvd enabled=0 monitored=0 && whmapi1 configureservice service=cpdavd enabled=0 monitored=0 && /scripts/restartsrv_cpsrvd --stop && /scripts/restartsrv_cpdavd --stop

Check for Possible CVE-2026-41940 Compromise

cPanel has provided a detection script to identify whether your system was accessed using this vulnerability. If your server was not updated early, assume potential exposure and audit:

  • Login logs
  • New user accounts
  • SSH access history
  • Cron jobs and unknown scripts

You can find the detection script here: More Details

Understand CVE-2026-41940 Bug & Fix Now

This is the easiest way to understand this issue:

  • Your server had a login system.
  • This vulnerability allowed attackers to walk past it without logging in.

That is why this update is critical: it fixes the core access layer.

What This Means for Hosting & Businesses

This incident highlights a bigger shift in infrastructure risk:

  • Control panels are high-value targets
  • Authentication layers must be treated as critical security surfaces
  • Delayed updates are no longer safe, especially for exposed systems

If you are managing production workloads, relying on outdated versions is effectively a direct entry point for attackers. Do not take these updates lightly.

Bottom Line

CVE-2026-41940 is a critical authentication bypass vulnerability that allows unauthorized full access to cPanel servers. cPanel has released a fix, but it is only effective if applied immediately, so follow the steps above to apply the patch. If all of this is too technical for you, Lease Packet is offering support to fix the CVE-2026-41940 bug. Connect today and get it done immediately.

FAQs

Is this vulnerability already being exploited?

Yes, it was observed as a zero-day exploit before the official patch release.

Do I need to update if my server is working fine?

Yes. This is not a performance issue but a security issue. Update immediately.

What if I updated late?

You should review logs and run the detection checks. Assume potential exposure if there was a delay. Even if you updated early, run the check anyway.

Does this affect shared hosting users?

Indirectly, yes. If the server provider didn’t patch in time, hosted websites could be at risk.

Who to ask for support to fix CVE-2026-41940 if I can’t do it?

Connect with Lease Packet immediately. Lease Packet will fix everything for you right away.