CVE-2026-41940: Critical Authentication Bypass in cPanel
🔍 Overview
The vulnerability stems from a CRLF injection issue in the session handling mechanism during HTTP Basic Authentication processing.
In simple terms:
- An attacker sends a specially crafted login request containing malicious newline characters.
- These characters are written directly into session files without proper sanitization.
- When cPanel later re-parses the session file, injected lines are interpreted as valid session parameters.
- This allows the attacker to escalate the session into a fully authenticated root-level session.
⚠️ Affected Versions
The following cPanel/WHM versions are impacted:
- 11.110.x (before 11.110.0.97)
- 11.118.x (before 11.118.0.63)
- 11.126.x (before 11.126.0.54)
- 11.132.x (before 11.132.0.29)
- 11.134.x (before 11.134.0.20)
- 11.136.x (before 11.136.0.5)
Any unpatched deployment is considered fully vulnerable.
💥 Why This Is Critical
cPanel is not just a control panel—it is the central administrative layer of most shared hosting environments.
A successful exploit allows an attacker to:
- Gain full root access to the server
- Modify or delete all hosted websites
- Steal database and email data
- Install backdoors and persistent malware
- Pivot into customer or internal networks
In essence, compromise of cPanel equals full infrastructure compromise.
🧠 Root Cause
The issue lies in how session data is handled:
- The function responsible for saving sessions writes user input directly into session files
- CRLF characters (\r\n) are not properly filtered in one execution path
- When session files are later re-parsed, injected lines become trusted key-value pairs
This leads to session state corruption and privilege escalation.
🧪 Attack Chain (Simplified)
- Attacker initiates a login request, creating a pre-auth session
- Malicious input containing CRLF sequences is injected into the password field
- Session file is written with unescaped newline characters
- A secondary request triggers session re-parsing
- Injected values are interpreted as valid session attributes
- Session is upgraded to:
- user=root
- hasroot=1
- tfa_verified=1
- Attacker gains full administrative access via WHM
📊 Detection Indicators
Suspicious signs include:
-
Session files under:
/var/cpanel/sessions/raw/ -
Unexpected entries such as:
- user=root
- hasroot=1
- Multiple pass= entries in a single session file
-
Access logs showing:
-
/login/?login_only=1returning401 - Followed by immediate requests with
Authorization: Basic - Session reuse with unusual cpsess tokens
-
🛡️ Mitigation
Immediate Actions
- Upgrade cPanel/WHM to patched versions:
- 11.110.0.97+
- 11.118.0.63+
- 11.126.0.54+
- 11.132.0.29+
- 11.134.0.20+
- 11.136.0.5+
Verify version:
/usr/local/cpanel/cpanel -V
Network Hardening
-
Restrict access to management ports:
- 2082 / 2083 (cPanel)
- 2086 / 2087 (WHM)
- 2095 / 2096 (Webmail)
-
Allow only trusted IP ranges
-
Block public exposure of admin interfaces
Monitoring & Forensics
- Forward session logs to SIEM systems
- Audit:
- SSH keys
- cron jobs
- new root-level processes
- Inspect session file anomalies in
/var/cpanel/sessions/raw/
🚨 If Compromise Is Suspected
- Assume full server compromise
- Do not trust in-place cleanup
- Rebuild server from clean images
- Rotate all credentials and SSH keys
- Notify affected users/customers
- Perform lateral movement analysis
🧩 Broader Security Insight
This vulnerability highlights a systemic issue:
- A single vendor controls a large portion of global hosting infrastructure
- Most organizations cannot patch independently
- Exposure depends heavily on hosting provider response time
This creates a centralized risk model, where one vulnerability can impact millions of websites simultaneously.