Critical authentication bypass vulnerability in cPanel and WHM control panels allowing unauthenticated remote attackers to gain unauthorized access. These web hosting management platforms are almost universally internet-facing by design and widely exploited in the wild.
Data Source: CIRCL
Confidence: HIGH
Exploitation Method: DIRECT_NETWORK
CVE Published: 2026-04-29
Added to CISA KEV: 2026-04-30 1 DAY BETWEEN CVE AND KEV
Vulnerabilities and Exploits. CVE-2026-41940: cPanel & WHM Authentication Bypass.WHM provides root-level administration, while cPanel acts as the user-facing interface. Successful exploitation of CVE-2026-41940 grants an attacker control over the cPanel host system, its configurations and databases, and websites it manages. A naive Shodan query for potential targets returns approximately 1.5 million cPanel instances exposed to the internet that may be vulnerable. ... A managed cPanel host, KnownHost, stated that CVE-2026-41940 is actively being exploited in the wild, with speculation of targeted zero-day exploitation happening as early as February 23, 2026, prior to the vulnerability’s public disclosure. Security firm watchTowr has published a technical analysis and proof-of-concept exploit for CVE-2026 ...
An authentication bypass flaw in the cPanel and WHM login flow allows an unauthenticated remote attacker to gain control of the management console. The vulnerability exploits improper authentication checks (CWE-306), enabling attackers to obtain privileged access without valid credentials, thereby threatening confidentiality, integrity, and availability of the hosted services.
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote ...
A critical vulnerability (CVE-2026-41940) in the cPanel control panel for managing web hosting accounts, is being exploited by attackers.