
URGENT: Fix CVE-2026-41940 Authentication Bypass in cPanel & WHM Issue April 2026

A critical security vulnerability, CVE-2026-41940, has been identified in cPanel & WHM software (including DNSOnly). This flaw allows for an authentication bypass, affecting all versions of cPanel after 11.40. If you see a red warning banner in your WHM dashboard stating, “There is a critical security update to cPanel & WHM,” you must act immediately to protect your server from unauthorized access.


The Threat: What is CVE-2026-41940?

The vulnerability is a session injection flaw that lets an attacker bypass standard authentication. Its indicators are pre-authentication sessions containing injected security tokens; an attacker who can plant such a session could potentially gain administrative access to your server.


Required Action Plan

Step 1: Update Your Server Immediately

cPanel has released emergency patches. You must update to one of the following secure versions immediately:

  • cPanel & WHM:

    • 11.86.0.41

    • 11.110.0.97

    • 11.118.0.63

    • 11.126.0.54

    • 11.130.0.19

    • 11.132.0.29

    • 11.134.0.20

    • 11.136.0.5

  • WP Squared: 136.1.7

Run the update script via SSH:

/scripts/upcp --force

If you do not know how to set the correct cPanel version for the update (upcp), please refer to our other knowledge base article, How do I upgrade / downgrade cPanel to a specific version.

Step 2: Verify and Restart Services

Once the update is finished, confirm your version and restart the cPanel service to ensure the patch is active:

/usr/local/cpanel/cpanel -V
/scripts/restartsrv_cpsrvd
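To check the version printed by cpanel -V against the fixed builds listed in Step 1 without reading the list by hand, here is an added shell script (written for this article, not cPanel's or myglobalHOST's own tooling). It assumes the output of /usr/local/cpanel/cpanel -V begins with the dotted version number; anything after the first space is ignored.

```shell
#!/bin/sh
# Added example: compare an installed cPanel & WHM version against the
# fixed builds from the advisory above. Not cPanel's own tooling.
# Assumption: `/usr/local/cpanel/cpanel -V` prints a line that starts with
# the dotted version (e.g. "11.110.0.97"); any suffix after a space is dropped.

# Fixed builds listed in Step 1, one per release branch (11.<branch>.<rev>.<build>)
FIXED_VERSIONS="11.86.0.41 11.110.0.97 11.118.0.63 11.126.0.54 11.130.0.19 11.132.0.29 11.134.0.20 11.136.0.5"

# cpanel_patch_status VERSION
# Prints one of: patched | unpatched | unknown-branch | unparseable
# "patched" means the branch matches a fixed build and the rev.build pair is
# equal to or newer than that build; an unlisted branch is reported separately
# because the advisory names no fixed build for it.
cpanel_patch_status() {
    ver="${1%% *}"                       # drop anything after the version
    case "$ver" in *[!0-9.]*|"") echo "unparseable"; return;; esac
    oldifs="$IFS"; IFS=.
    set -- $ver                          # split on dots into $1..$4
    IFS="$oldifs"
    if [ "$#" -ne 4 ]; then echo "unparseable"; return; fi
    major="$1"; branch="$2"; rev="$3"; build="$4"
    for fixed in $FIXED_VERSIONS; do
        oldifs="$IFS"; IFS=.
        set -- $fixed
        IFS="$oldifs"
        if [ "$major" = "$1" ] && [ "$branch" = "$2" ]; then
            if [ "$rev" -gt "$3" ] || { [ "$rev" -eq "$3" ] && [ "$build" -ge "$4" ]; }; then
                echo "patched"
            else
                echo "unpatched"
            fi
            return
        fi
    done
    echo "unknown-branch"
}

# On a cPanel server, report the live status and exit non-zero unless the
# installed build is at or above the fixed build for its branch.
if [ -x /usr/local/cpanel/cpanel ]; then
    status=$(cpanel_patch_status "$(/usr/local/cpanel/cpanel -V)")
    echo "CVE-2026-41940 patch status: $status"
    [ "$status" = "patched" ] || exit 1
fi
```

Treat unknown-branch the same as unpatched: move to one of the listed branches with /scripts/upcp --force.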

Step 3: Check for Indicators of Compromise (IOC)

Even after patching, your server may have been accessed while the vulnerability was still unpatched. cPanel has provided a detection script that scans the session files for signs of compromise.

  1. Open a terminal and create a file:

     nano ioc_checksessions_files.sh

  2. Paste the detection script provided in the official cPanel security advisory into this file and save it.

  3. Once saved, run the script with:

     /bin/bash ./ioc_checksessions_files.sh

What to do if Indicators are Detected

If the script returns a “CRITICAL” or “WARNING” verdict, your server may be compromised. You must perform the following emergency cleanup:

  1. Purge all affected sessions: Clear the /var/cpanel/sessions directory.

  2. Force Password Resets: Change passwords for root and all WHM users immediately.

  3. Audit Logs: Review /var/log/wtmp and WHM access logs for unauthorized IP addresses.

  4. Check for Persistence: Scan for unauthorized SSH keys, new cron jobs, or backdoors.


Emergency Mitigation (If you cannot update)

If you are unable to update your version immediately, you must implement these temporary mitigations to prevent exploitation:

  • Firewall Block: Block inbound traffic on ports 2083, 2087, 2095, and 2096.

  • Disable Services: Stop the cPanel and DAV services entirely:

    whmapi1 configureservice service=cpsrvd enabled=0 monitored=0 && whmapi1 configureservice service=cpdavd enabled=0 monitored=0 && /scripts/restartsrv_cpsrvd --stop && /scripts/restartsrv_cpdavd --stop
    

Conclusion

When critical vulnerabilities like CVE-2026-41940 emerge, timing is everything. At myglobalHOST, we pride ourselves on being the most proactive partner for your hosting needs. We don’t just provide servers; we provide a high-level security shield. At myglobalHOST, we prioritize the security of our hosting infrastructure. If you are a managed client or need assistance securing your Proxmox-based VMs or any VPS or dedicated servers against this vulnerability, our team is available to help you implement these patches and audit your logs for peace of mind.

Our team immediately monitors notices like the one seen recently on 28/29 April 2026 to ensure our clients’ Proxmox VMs and WHM nodes built on VPS / Dedicated servers are patched before threats can be exploited. Whether it’s executing complex detection scripts, managing forced updates, or performing non-destructive root password resets, myglobalHOST has the technical expertise to assist you 24/7. Partner with us for a secure, optimized, and expert-managed hosting experience.
