On April 28, 2026, a critical vulnerability was disclosed in cPanel, one of the most widely used web hosting control panels. Tracked as CVE-2026-41940, the flaw has a CVSS score of 9.8 (Critical) and allows unauthenticated attackers to gain full root administrative access.

CVE-2026-41940: Critical Authentication Bypass in cPanel

🔍 Overview

The vulnerability stems from a CRLF injection issue in the session handling mechanism during HTTP Basic Authentication processing.

In simple terms:

  • An attacker sends a specially crafted login request containing malicious newline characters.
  • These characters are written directly into session files without proper sanitization.
  • When cPanel later re-parses the session file, injected lines are interpreted as valid session parameters.
  • This allows the attacker to escalate the session into a fully authenticated root-level session.

⚠️ Affected Versions

The following cPanel/WHM versions are impacted:

  • 11.110.x (before 11.110.0.97)
  • 11.118.x (before 11.118.0.63)
  • 11.126.x (before 11.126.0.54)
  • 11.132.x (before 11.132.0.29)
  • 11.134.x (before 11.134.0.20)
  • 11.136.x (before 11.136.0.5)

Any unpatched deployment is considered fully vulnerable.


💥 Why This Is Critical

cPanel is not just a control panel—it is the central administrative layer of most shared hosting environments.

A successful exploit allows an attacker to:

  • Gain full root access to the server
  • Modify or delete all hosted websites
  • Steal database and email data
  • Install backdoors and persistent malware
  • Pivot into customer or internal networks

In essence, compromise of cPanel equals full infrastructure compromise.


🧠 Root Cause

The issue lies in how session data is handled:

  • The function responsible for saving sessions writes user input directly into session files
  • CRLF characters (\r\n) are not properly filtered in one execution path
  • When session files are later re-parsed, injected lines become trusted key-value pairs

This leads to session state corruption and privilege escalation.


🧪 Attack Chain (Simplified)

  • Attacker initiates a login request, creating a pre-auth session
  • Malicious input containing CRLF sequences is injected into the password field
  • Session file is written with unescaped newline characters
  • A secondary request triggers session re-parsing
  • Injected values are interpreted as valid session attributes
  • Session is upgraded to:
    • user=root
    • hasroot=1
    • tfa_verified=1
  • Attacker gains full administrative access via WHM

📊 Detection Indicators

Suspicious signs include:

  • Session files under:
    /var/cpanel/sessions/raw/

  • Unexpected entries such as:

    • user=root
    • hasroot=1
    • Multiple pass= entries in a single session file
  • Access logs showing:

    • /login/?login_only=1 returning 401
    • Followed by immediate requests with Authorization: Basic
    • Session reuse with unusual cpsess tokens

🛡️ Mitigation

Immediate Actions

  • Upgrade cPanel/WHM to patched versions:
    • 11.110.0.97+
    • 11.118.0.63+
    • 11.126.0.54+
    • 11.132.0.29+
    • 11.134.0.20+
    • 11.136.0.5+

Verify version:

/usr/local/cpanel/cpanel -V

Network Hardening

  • Restrict access to management ports:

    • 2082 / 2083 (cPanel)
    • 2086 / 2087 (WHM)
    • 2095 / 2096 (Webmail)
  • Allow only trusted IP ranges

  • Block public exposure of admin interfaces


Monitoring & Forensics

  • Forward session logs to SIEM systems
  • Audit:
    • SSH keys
    • cron jobs
    • new root-level processes
  • Inspect session file anomalies in /var/cpanel/sessions/raw/

🚨 If Compromise Is Suspected

  • Assume full server compromise
  • Do not trust in-place cleanup
  • Rebuild server from clean images
  • Rotate all credentials and SSH keys
  • Notify affected users/customers
  • Perform lateral movement analysis

🧩 Broader Security Insight

This vulnerability highlights a systemic issue:

  • A single vendor controls a large portion of global hosting infrastructure
  • Most organizations cannot patch independently
  • Exposure depends heavily on hosting provider response time

This creates a centralized risk model, where one vulnerability can impact millions of websites simultaneously.