CVE-2026-41940: cPanel & WHM Critical Authentication Bypass: Unauthenticated WHM Admin Access

By Parth Shukla · 2026-05-04

Technical analysis of CVE-2026-41940 in cPanel & WHM. CVSS 9.8, public PoC. Unauthenticated bypass to full WHM administrative access, how to detect exposure and how Pinaka catches it.

#cve #cpanel #whm #auth-bypass #rce #web-hosting #unauthenticated

How to check if you are exposed to CVE-2026-41940

  1. Check whether WHM is reachable on a target host: curl -sk https://<target>:2087/login/ -o /dev/null -w "%{http_code}" # 200 = WHM login page is accessible; move to version check curl -sk http://<target>:2086/login/ -o /dev/null -w "%{http_code}" # HTTP version check — many servers redirect HTTP to HTTPS
  2. Confirm the response is actually WHM: curl -sk https://<target>:2087/login/ | grep -i "whm\|cpanel\|web host manager" # WHM login pages include these strings in the page title and body
  3. Extract the cPanel/WHM version (no auth required): curl -sk https://<target>:2087/json-api/version \ -H "Authorization: cpanel root:" 2>/dev/null # Returns version and build metadata on unpatched instances that process # requests to unauthenticated API paths
  4. Check the cPanel version from the login page: curl -sk https://<target>:2087/login/ \ | grep -oP '(?i)cpsess[\w]+|(?:version|build)[\s:]+[\d.]+'
  5. Identify cPanel/WHM instances on your ASN or IP ranges: # Shodan: port:2087 title:"WHM" OR port:2087 "cPanel" # Censys: services.port=2087 AND services.http.response.html_title:"WHM" # Shodan also: product:"cPanel httpd"
  6. Check cPanel's automatic update status on a managed server: # (run on the server directly with root access) cat /etc/cpupdate.conf | grep UPDATES # "UPDATES=automatic" = server applies patches automatically # "UPDATES=manual" or "UPDATES=never" = server requires manual patching action # Manual update servers that have not been patched since the advisory are vulnerable
  7. Check installed cPanel/WHM build number on the server: /usr/local/cpanel/cpanel -V # or cat /usr/local/cpanel/version # Compare against patched build from advisory CPANEL-45812

Frequently asked questions

What is CVE-2026-41940?

CVE-2026-41940 is a critical authentication bypass (CVSS 9.8, estimated from vulnerability class) in cPanel & WHM, the most widely deployed commercial web hosting control panel. The vulnerability allows an unauthenticated attacker to bypass the WHM administrative login and obtain full server administrator access — granting control over every hosted account, website, database, and email configuration on the affected host. For security teams and CISOs, the business impact is direct and severe: a successful attack on an internet-accessible WHM instance compromises not just one application but every customer or business unit hosted on that server, including all associated credentials, source code, and customer data. cPanel has issued a patch; all installations running versions prior to the fixed release should be treated as fully compromised if WHM has been network-accessible during the exposure window, as exploitation requires no credentials, no prior enumeration, and no user interaction.

Is CVE-2026-41940 being actively exploited?

A public proof-of-concept for CVE-2026-41940 was published on GitHub following cPanel's patch release. The PoC demonstrates unauthenticated WHM administrative access in a single crafted HTTP request — no session establishment, no CSRF bypass, no credential brute-force. The low exploitation complexity means that the primary barrier to mass exploitation is attacker awareness and tool automation, not technical difficulty. Scanning for internet-exposed cPanel WHM interfaces on ports 2086/2087 is trivially accomplished with existing reconnaissance infrastructure; once an exposed host is identified, exploitation is a single request.

Am I exposed to CVE-2026-41940?

Exposure requires WHM to be installed and its administrative interface (TCP 2086 or 2087) to be reachable from an untrusted network. Nearly all cPanel & WHM deployments expose these ports as part of standard server management — this is the documented default, not a misconfiguration.

How do I fix CVE-2026-41940?

If immediate patching is not possible, restrict inbound TCP 2086 and 2087 to known administrative source IP ranges using firewall rules or cloud security group ACLs. WHM does not need to be accessible from the public internet for most deployments — remote server administration through a VPN or bastion host eliminates the internet-facing exposure permanently and is the recommended long-term hardening posture regardless of this specific CVE.

Check your own attack surface with Pinaka