Published On: Apr 30, 2026 14:03
Advisory No: TZCERT-SA-26-0140
Source: CPANEL
Software Affected: cPanel & WHM 11.86.0 < 11.86.0.41, cPanel & WHM 11.110.0 < 11.110.0.97, cPanel & WHM 11.118.0 < 11.118.0.63, cPanel & WHM 11.126.0 < 11.126.0.54, cPanel & WHM 11.130.0 < 11.130.0.18, cPanel & WHM 11.132.0 < 11.132.0.29, cPanel & WHM 11.134.0 < 11.134.0.20, cPanel & WHM 11.136.0 < 11.136.0.5 and WP Squared 11.136.1 < 11.136.1.7
A critical-severity vulnerability (CVSS 9.8) has been identified in cPanel & WHM and is being actively exploited on a global scale. Tracked as CVE-2026-41940, the flaw enables unauthenticated remote attackers to bypass authentication and gain full administrative control over affected servers. Because exploitation in the wild has been confirmed, immediate remediation is urgent.
The vulnerability originates in the saveSession function of cPanel & WHM (Cpanel/Session.pm), which did not consistently invoke the filter_sessiondata() sanitization routine. Session state is stored in flat key=value files, so an unauthenticated attacker who embeds newline characters in the password field of a Basic Authentication request can inject arbitrary CRLF-delimited entries into the session file, for example hasroot=1, to escalate privileges. The issue is compounded by the absence of the per-session ob obfuscation secret, which causes the password to be written to disk in cleartext, and it is reachable through the cpsrvd Basic Authentication handler, which invoked saveSession without prior sanitization.
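As an added illustration (not cPanel's code and not the logic of Cpanel/Session.pm), the following constructed Python model of a flat key=value session store shows why a skipped sanitization step turns one field into extra records, what the hardened writer looks like, and how a defender can audit a session file for keys that should never appear; all function names, key names and sample values are assumptions.

```python
"""Constructed model of a flat key=value session file (not cPanel's code)."""

# Keys a legitimate session record is expected to contain (assumed set).
EXPECTED_KEYS = {"user", "pass"}


def serialize_naive(session: dict) -> str:
    """Unsanitized writer: every value is trusted to be a single line."""
    return "".join(f"{k}={v}\n" for k, v in session.items())


def sanitize_value(value: str) -> str:
    """Stand-in for a filter_sessiondata()-style check: refuse, rather than
    silently strip, any value that could start a new record."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not allowed in session value")
    return value


def serialize_safe(session: dict) -> str:
    """Hardened writer: keys and values are checked before anything is written."""
    lines = []
    for k, v in session.items():
        if "=" in k:
            raise ValueError("'=' not allowed in session key")
        lines.append(f"{sanitize_value(k)}={sanitize_value(str(v))}\n")
    return "".join(lines)


def parse(text: str) -> dict:
    """Reader for the flat format: each line is one key=value record."""
    records = {}
    for line in text.splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            records[k] = v
    return records


def audit_session(text: str, expected_keys=EXPECTED_KEYS) -> set:
    """Defender's check: return keys present on disk that no legitimate
    session should carry (a split record shows up here)."""
    return set(parse(text)) - set(expected_keys)


if __name__ == "__main__":
    # Constructed sample: the password field carries an embedded newline.
    tainted = {"user": "alice", "pass": "x\nhasroot=1"}
    print(parse(serialize_naive(tainted)))      # the field became two records
    print(audit_session(serialize_naive(tainted)))
```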
Indicators of compromise include repeated malformed network requests, unusual pre-authentication connections to cPanel/WHM, abnormal session-related log events, and unexpected access patterns in the absence of valid credentials.
Successful exploitation of CVE-2026-41940 may result in:
1. Full root-level administrative control over the affected server via WHM;
2. Access to all hosted cPanel accounts and their associated websites, email, and databases;
3. The ability to modify SSL/TLS certificates, DNS configurations, and server-level security settings;
4. Potential for lateral movement across shared hosting environments affecting all tenants on the server.
cPanel has released patches addressing this vulnerability. Users and administrators are encouraged to apply necessary updates.
A digest of Tanzania Computer Emergency Response Team coverage of cyber-security news across the globe.