
URGENT: Fix CVE-2026-41940 Authentication Bypass in cPanel & WHM Issue April 2026

UPDATED: Fix CVE-2026-41940 & All May 2026 cPanel/WHM Security Vulnerabilities — Complete Patch Guide (April–May 2026)

Posted: April 30, 2026 | Updated: May 20, 2026 | By: myglobalHOST

⚠️ CRITICAL UPDATE — May 20, 2026: cPanel has released another emergency security patch (SEC-73728, SEC-73755) today — approximately 12 hours ahead of the originally scheduled release — due to an actively exploited privilege-escalation vulnerability in the LiteSpeed User-End cPanel Plugin. This patch also automatically uninstalls the LiteSpeed User-End cPanel Plugin as an interim security measure. Update to cPanel 11.136.0.13 immediately. Full details below.


The Big Picture: April–May 2026 — The Worst Month in cPanel Security History

What began on April 28, 2026 as the disclosure of a single critical authentication bypass has cascaded into the most severe sustained security incident cPanel has experienced in its history. In the span of fewer than 23 days, cPanel’s development team (WebPros International) has been forced to issue four separate emergency Technical Security Releases (TSRs), addressing a total of seven distinct vulnerabilities spanning CVSS scores from 4.3 to 9.8.

Here is the complete timeline at a glance:

Date            | Release    | Vulnerabilities                                  | Severity
April 28, 2026  | TSR-Apr-28 | CVE-2026-41940 (Authentication Bypass)           | Critical — CVSS 9.8
May 8, 2026     | TSR-May-08 | CVE-2026-29201, CVE-2026-29202, CVE-2026-29203   | High — CVSS 8.8, 8.8, 4.3
May 13, 2026    | TSR-May-13 | Five additional CVEs (up to High severity)       | Up to High
May 19/20, 2026 | TSR-May-19 | SEC-73728, SEC-73755, LiteSpeed plugin RCE       | High — active exploit

If your server is not running cPanel 11.136.0.13 (or the equivalent patched build for your version branch) as of today, May 20, 2026, it is unpatched against at least one actively exploited vulnerability. Stop reading and run /scripts/upcp --force right now, then return to this article for the full post-patch checklist.


Part 1: CVE-2026-41940 — The Authentication Bypass That Started It All

What Is CVE-2026-41940?

CVE-2026-41940 is a CVSS 9.8 Critical authentication bypass vulnerability. According to NIST’s National Vulnerability Database, cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

The Technical Root Cause

CVE-2026-41940 is caused by a Carriage Return Line Feed (CRLF) injection in the login and session loading processes of cPanel and WHM. Before authentication occurs, cpsrvd (the cPanel service daemon) writes a new session file to disk. The vulnerability allows an attacker to manipulate the whostmgrsession cookie by omitting an expected segment of the cookie value, avoiding the encryption process typically applied to an attacker-provided value. Attackers can inject raw \r\n characters via a malicious basic authorization header, and the system subsequently writes the session file without sanitizing the data. As a result, the attacker can insert arbitrary properties, such as user=root, into their session file — effectively granting themselves full root-level administrative access to your WHM and all hosted accounts without ever entering a password.

How Long Was This Exploited Before a Patch?

KnownHost found this flaw being exploited as a zero-day since late February 2026 — meaning servers were compromised approximately two months before an urgent patch was released by cPanel developer WebPros International on April 28, 2026.

The Scale of Compromise

Shadowserver Foundation reported more than 44,000 IPs were likely compromised, based on a spike in scanning, exploits, and brute force attacks against its honeypot sensors.

Following the patch, threat actors weaponized the vulnerability to deliver Mirai botnet variants and a ransomware strain called “Sorry.”

CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch agencies to apply patches by May 3, 2026.


Part 2: May 8, 2026 — Three New Vulnerabilities (CVE-2026-29201, 29202, 29203)

Just 10 days after the CVE-2026-41940 patch, cPanel issued a second emergency TSR. The rapid follow-up was not coincidental — the CVE-2026-41940 incident triggered a deep internal code audit, and that audit found three more problems.

CVE-2026-29201 — Arbitrary File Read (CVSS 4.3 — Moderate)

Insufficient input validation of the feature file name in the feature::LOADFEATUREFILE adminbin call can result in an arbitrary file read. While rated Moderate, in practice this allows an authenticated attacker to read sensitive configuration files, credentials, and internal paths — intelligence that can be used to stage more damaging follow-up attacks.

CVE-2026-29202 — Arbitrary Perl Code Execution (CVSS 8.8 — High)

Insufficient input validation of the plugin parameter in the create_user API call can result in arbitrary Perl code execution on behalf of the already authenticated account’s system user. In other words, an authenticated account holder can execute commands as their own system user. Combined with a privilege escalation path, this puts the entire server at risk.

CVE-2026-29203 — Unsafe Symlink / Privilege Escalation (CVSS 8.8 — High)

Unsafe symlink handling allows a user to modify the access permissions of an arbitrary file using chmod, resulting in denial of service or possible privilege escalation. CVE-2026-29202 and CVE-2026-29203 can be chained: execute code to create the symlink, then use the chmod escalation to gain deeper access.


Part 3: May 13, 2026 — Five Additional CVEs (Up to High Severity)

On May 13, 2026, cPanel issued a third TSR covering five additional vulnerabilities rated up to High severity. This was the third emergency patch in 15 days. The full technical details of these five CVEs are available in cPanel’s official security advisory at support.cpanel.net. The May 13 build has since been superseded by the May 19 release, so server administrators should make sure they are at or above the current patched build for their branch rather than stopping at the May 13 one.


Part 4: May 19/20, 2026 — The Latest Emergency Patch (SEC-73728, SEC-73755, LiteSpeed RCE)

Why This Patch Was Released 12 Hours Early

This is the most recent and currently active emergency patch. According to cPanel’s official communication received May 20, 2026:

“Due to an actively exploited vulnerability in the LiteSpeed User-End Plugin — a third-party plugin that integrates with cPanel — this security release was published approximately 12 hours ahead of the originally scheduled May 20, 2026 release.”

An actively exploited privilege-escalation vulnerability in the LiteSpeed User-End cPanel Plugin was found allowing unauthorized root access. Given active exploitation in the wild, cPanel made the decision to publish early rather than risk additional server compromises.

What This Release Addresses

SEC-73728 and SEC-73755 — Two security issues addressed in this release. Full technical details are available in the linked cPanel support articles at support.cpanel.net. Both are rated as significant enough to warrant an emergency out-of-cycle release.

LiteSpeed User-End cPanel Plugin — Privilege Escalation (Root Access) — Actively Exploited

A privilege-escalation vulnerability in the LiteSpeed User-End cPanel Plugin allowing unauthorized root access, actively exploited in the wild. As an interim security measure, this cPanel release automatically uninstalls the LiteSpeed User-End cPanel Plugin from all servers during the update process.

Important: This is the LiteSpeed User-End cPanel Plugin (a server-side integration tool), not the LiteSpeed Cache WordPress plugin. If you use LiteSpeed Web Server on your cPanel server and have the User-End Plugin installed, it will be automatically removed during this update. You will need to reinstall a patched version once one is made available by LiteSpeed.

Special Note for CloudLinux 6 / CentOS 6 Users

“Customers on CentOS 6 or CloudLinux 6 should update to the cl6110 branch (11.110.0.120) before manually updating.”

If your server is running CloudLinux 6 or CentOS 6, do not run a standard /scripts/upcp --force without first ensuring you are on the cl6110 branch. Contact your hosting provider or myglobalHOST support if you are unsure.


Complete Action Plan: How to Patch Your Server Right Now

Step 1: Check Your Current Version

/usr/local/cpanel/cpanel -V

Compare your output against the patched versions table below.

Step 2: Patched Version Reference Table (TSR-May-19 — As of May 20, 2026)

Update to at minimum the following build for your version branch:

Branch                    | Minimum Patched Version
11.136 (Current RELEASE)  | 11.136.0.13
11.134                    | 11.134.0.27+
11.132                    | 11.132.0.31+
11.130                    | 11.130.0.21+
11.126                    | 11.126.0.56+
11.118                    | 11.118.0.65+
11.110                    | 11.110.0.120 (cl6110 for CL6)
11.86                     | 11.86.0.43+
WP Squared                | 136.1.12+

Recommendation: If you are running any branch below 11.130, now is an excellent time to consider migrating to the current RELEASE tier (11.136). Older branches receive security patches but may not receive all performance and feature improvements.
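To check a version string against the table above without eyeballing it, here is an added shell example (written for this article, not a cPanel-provided tool). The minimum builds are embedded as constructed data taken from the table (WP Squared is left out because its numbering scheme differs), and check_this_server assumes the first whitespace-delimited token of /usr/local/cpanel/cpanel -V output is the dotted version.

```sh
#!/bin/sh
# Added example: compare an installed cPanel version with the minimum patched
# build for its branch (TSR-May-19 table, as of May 20, 2026). Constructed data.
PATCHED_TABLE="11.136 11.136.0.13
11.134 11.134.0.27
11.132 11.132.0.31
11.130 11.130.0.21
11.126 11.126.0.56
11.118 11.118.0.65
11.110 11.110.0.120
11.86 11.86.0.43"

# min_for_branch <branch>: print the minimum patched version, nothing if unknown
min_for_branch() {
  printf '%s\n' "$PATCHED_TABLE" | awk -v b="$1" '$1 == b { print $2 }'
}

# version_ge <a> <b>: succeed when a >= b by dotted-numeric comparison
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# is_patched <version>: 0 if at/above the branch minimum, 1 if below,
# 2 if the branch is not in the table
is_patched() {
  v="$1"
  branch="${v%.*}"; branch="${branch%.*}"   # 11.136.0.13 -> 11.136
  min="$(min_for_branch "$branch")"
  [ -n "$min" ] || return 2
  version_ge "$v" "$min"
}

# check_this_server: read the live version (assumption: first token of the
# `cpanel -V` output is the version string) and report the result
check_this_server() {
  v="$(/usr/local/cpanel/cpanel -V 2>/dev/null | awk 'NR==1 {print $1}')"
  [ -n "$v" ] || { echo "could not read the cPanel version"; return 2; }
  is_patched "$v"; rc=$?
  case $rc in
    0) echo "$v: at or above the minimum patched build" ;;
    1) echo "$v: BELOW the minimum patched build; run /scripts/upcp --force" ;;
    *) echo "$v: branch not in the table; check support.cpanel.net" ;;
  esac
  return $rc
}
```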

Step 3: Run the Update

For CloudLinux 6 / CentOS 6 servers — do this first:

# Set the cl6110 branch target
nano /etc/cpupdate.conf
# Set: CPANEL=11.110.0.120
# Save and exit, then run:
/scripts/upcp --force

For all other servers:

/scripts/upcp --force

Run this inside a screen session to protect against SSH disconnection during the update:

screen -S cpanel_update
/scripts/upcp --force
# Reconnect if disconnected: screen -r cpanel_update

Step 4: Verify the Update and Restart Services

# Confirm new version
/usr/local/cpanel/cpanel -V

# Restart the cPanel service daemon
/scripts/restartsrv_cpsrvd

The version output should match or exceed the patched version for your branch listed in the table above.

Step 5: Verify the LiteSpeed Plugin Was Removed (May 19 Patch)

If you had the LiteSpeed User-End cPanel Plugin installed:

# Check if the plugin is still present
ls /usr/local/cpanel/whostmgr/docroot/cgi/addons/litespeed*

# Or check via WHM Plugins list
whmapi1 get_available_plugins

If the update ran successfully, the plugin should no longer appear. If it is still present, manually remove it:

/usr/local/cpanel/scripts/uninstall_plugin /path/to/litespeed_plugin

Contact your hosting provider or myglobalHOST support if you need assistance.


Post-Patch: Check for Indicators of Compromise (IOC)

Patching alone is not sufficient if your server was running a vulnerable version during any window between late February 2026 and today. Given that CVE-2026-41940 was exploited as a zero-day for approximately two months before patching, you must actively investigate whether your server was accessed during that window.

Step 1: Run the cPanel IOC Detection Script

cPanel has provided an official Indicators of Compromise (IOC) detection script that scans for compromised session files. Obtain the latest version from the official cPanel security advisory at support.cpanel.net/hc/en-us/sections/200386544.

# Create the detection script file
nano ioc_checksessions_files.sh

# Paste the official cPanel IOC script contents from the advisory
# Save and exit (Ctrl+X, Y, Enter)

# Run the detection script
/bin/bash ./ioc_checksessions_files.sh

Important: Always use the latest version of the IOC script from cPanel’s official advisory. cPanel updated the script multiple times after the initial release to reduce false positives.

Step 2: Interpret the Results

If the script returns “CLEAN”: No indicators of compromise were found in session files. Proceed to the hardening checklist below.

If the script returns “WARNING”: Suspicious patterns detected. Treat as potentially compromised and proceed with the emergency cleanup below.

If the script returns “CRITICAL”: Active compromise indicators found. Your server should be treated as fully compromised. Execute the emergency cleanup immediately and consider engaging a professional incident response team.


Emergency Cleanup: If Indicators of Compromise Are Detected

If the IOC script returns WARNING or CRITICAL, execute all of the following steps immediately:

1. Purge All Active Sessions

# Clear all cPanel session files (this logs out all active WHM/cPanel sessions)
rm -rf /var/cpanel/sessions/*

This forces all currently authenticated sessions — including any attacker sessions — to be invalidated immediately.

2. Force Password Resets for All Administrative Accounts

# Change root password
passwd root

# Reset WHM reseller passwords via WHM interface:
# WHM → Account Functions → Password Modification

Change passwords for:

  • The root system user
  • All WHM reseller accounts
  • All cPanel accounts with elevated privileges

3. Audit Access Logs for Unauthorized Access

Review these logs for suspicious IP addresses and unusual authentication patterns, specifically looking for activity from late February 2026 onwards:

# cPanel access log — look for unusual session patterns
grep -i "user=root" /usr/local/cpanel/logs/access_log

# cPanel login log — review all authentication events
tail -5000 /usr/local/cpanel/logs/login_log

# WHM access log
tail -5000 /usr/local/cpanel/logs/whm_access_log

# System login history
last -F | head -100

# Review auth log for SSH anomalies
grep "Accepted" /var/log/secure | tail -100

4. Check for Persistence Mechanisms

Attackers who gained access may have installed backdoors for persistent re-entry:

# Check for unauthorized SSH keys added to root
cat /root/.ssh/authorized_keys

# Check for unauthorized SSH keys added to any cPanel user (globbing instead of
# parsing ls, with quoted paths, so unusual home directory names are handled)
for keyfile in /home/*/.ssh/authorized_keys; do
  [ -f "$keyfile" ] || continue
  echo "=== $keyfile ==="
  cat "$keyfile"
done

# Check for new cron jobs added recently
crontab -l
ls -la /etc/cron.d/
ls -la /var/spool/cron/

# Check for cPanel binaries modified after the installed version file was
# written, i.e. changed since the last cPanel update (tampering candidates)
find /usr/local/cpanel/bin -newer /usr/local/cpanel/version -type f 2>/dev/null

# Check for unexpected SUID binaries
find / -perm -4000 -type f 2>/dev/null | grep -v proc

5. Scan for Web Shells and Malware

If Imunify360 is installed:

# Trigger a full server malware scan
imunify360-agent malware on-demand --path /home/

If using ClamAV:

freshclam
clamscan -r /home/ --infected

6. Emergency Mitigation: Disable cPanel Services (If Unable to Patch Immediately)

If for any reason you cannot immediately apply the patch (unusual circumstances only — patching should always be the first action), completely disable cPanel/WHM port access:

# Close the cPanel and WHM ports at the firewall (CSF example): remove
# 2082,2083,2086,2087,2095,2096 from the TCP_IN list in /etc/csf/csf.conf,
# then reload the rules
csf -r
# Or using iptables directly:
iptables -I INPUT -p tcp --dport 2082 -j DROP
iptables -I INPUT -p tcp --dport 2083 -j DROP
iptables -I INPUT -p tcp --dport 2086 -j DROP
iptables -I INPUT -p tcp --dport 2087 -j DROP
iptables -I INPUT -p tcp --dport 2095 -j DROP
iptables -I INPUT -p tcp --dport 2096 -j DROP

# Disable cPanel and DAV services entirely
whmapi1 configureservice service=cpsrvd enabled=0 monitored=0 && \
whmapi1 configureservice service=cpdavd enabled=0 monitored=0 && \
/scripts/restartsrv_cpsrvd --stop && \
/scripts/restartsrv_cpdavd --stop

Warning: Disabling these services takes your entire cPanel/WHM interface offline. Only do this as an absolute last resort when patching is not immediately possible. Re-enable services with whmapi1 configureservice service=cpsrvd enabled=1 monitored=1 after patching.


Post-Patch Server Hardening Checklist

Even after patching and completing the IOC check, take these hardening steps to reduce your attack surface going forward:

Restrict WHM/cPanel Port Access

Limit access to cPanel management ports to known, trusted IP addresses only:

# Using CSF: remove 2086 and 2087 from TCP_IN in /etc/csf/csf.conf so the WHM
# ports are closed by default, then re-open them only for your admin IP
echo "tcp|in|d=2086|s=YOUR_ADMIN_IP" >> /etc/csf/csf.allow
echo "tcp|in|d=2087|s=YOUR_ADMIN_IP" >> /etc/csf/csf.allow
csf -r

In WHM, also configure: WHM → Security Center → Host Access Control to restrict cPanel/WHM logins to specific IPs.

Enable Two-Factor Authentication on All Accounts

WHM → Security Center → Two-Factor Authentication — enable 2FA for:

  • All WHM root and reseller accounts
  • All cPanel accounts, especially those with shell access

Enable cPHulk Brute Force Protection

WHM → Security Center → cPHulk Brute Force Protection — enable and configure with:

  • Maximum login failures: 5
  • Brute force period: 300 seconds
  • IP block time: 3600+ seconds

Configure Automatic Security Updates

Ensure your server is set to receive security updates automatically:

cat /etc/cpupdate.conf
# Should contain: CPANEL=RELEASE
# This ensures automatic updates to the latest patched RELEASE build

Subscribe to cPanel Security Advisories

Subscribe at https://cpanel.net/security/ to receive direct email notifications when new TSRs are published — before they become headlines.


Quick Reference: Full Patch Command Sequence

# 1. Check current version
/usr/local/cpanel/cpanel -V

# 2. For CloudLinux 6 / CentOS 6 only — set cl6110 branch first
# nano /etc/cpupdate.conf → set CPANEL=11.110.0.120

# 3. Run the update (inside screen for safety)
screen -S cpanel_patch
/scripts/upcp --force

# 4. Verify the new version
/usr/local/cpanel/cpanel -V
# Should show 11.136.0.13 or higher

# 5. Restart cPanel daemon
/scripts/restartsrv_cpsrvd

# 6. Run IOC detection script (obtain from support.cpanel.net)
/bin/bash ./ioc_checksessions_files.sh

# 7. If CRITICAL/WARNING returned, purge sessions
rm -rf /var/cpanel/sessions/*

# 8. Reset root password
passwd root

Frequently Asked Questions

Q: My WHM shows a red banner saying “There is a critical security update.” What do I do? Run /scripts/upcp --force via SSH immediately. The red banner is cPanel’s built-in alert system indicating your current build predates a security patch. Do not dismiss the banner without patching.

Q: I patched on April 28 for CVE-2026-41940. Am I still protected? No — not against all current vulnerabilities. Three additional TSRs have been issued since April 28. You must update to the May 19/20 patched build (11.136.0.13 or equivalent for your branch) to be protected against all currently known vulnerabilities including the active LiteSpeed plugin exploit.

Q: Will the LiteSpeed User-End cPanel Plugin be automatically removed from my server? Yes. The May 19 patch automatically uninstalls the LiteSpeed User-End cPanel Plugin as an interim security measure. This is only the cPanel-side plugin, not the LiteSpeed Cache WordPress plugin. Standard website caching continues to function normally.

Q: My server was on an unpatched version during February–April 2026. Does patching make it safe? Patching closes the vulnerability going forward, but it does not undo damage from a past compromise. If your server was potentially exposed during the zero-day window (late February to April 28), you must run the IOC detection script, audit your logs, check for backdoors, and potentially engage incident response support. Contact myglobalHOST if you need assistance.

Q: How do I know if my server was compromised by CVE-2026-41940? Run the official cPanel IOC detection script (available from support.cpanel.net). Additionally, review /usr/local/cpanel/logs/login_log and /usr/local/cpanel/logs/access_log for anomalous session authentication entries, particularly looking for user=root values injected via cookie manipulation.

Q: Is there a CVSS score for the SEC-73728 / SEC-73755 vulnerabilities in the May 19 patch? cPanel’s official notification indicated these are rated up to High severity. Full CVE identifiers and CVSS scores for SEC-73728 and SEC-73755 will be published in cPanel’s official security advisory at support.cpanel.net following standard disclosure timelines.


myglobalHOST Response: How We Protected Our Clients

At myglobalHOST, we monitor cPanel’s security advisory channel continuously. Upon receiving the first TSR pre-disclosure notification on April 27/28, 2026, our team immediately:

  • Initiated emergency patch deployment across all managed Proxmox VMs and WHM nodes
  • Ran the IOC detection script on all potentially exposed servers
  • Performed session purges and password resets on flagged servers
  • Notified all managed hosting clients with a full status update

For the May 8, May 13, and May 19 follow-up patches, our team applied updates within hours of each release becoming available — before public exploitation of those vulnerabilities could occur.

If you are a managed client, your servers have been patched. If you are self-managing your cPanel/WHM server and need assistance with any step in this guide — patch verification, IOC scanning, log auditing, or emergency response — our team is available 24/7.


Conclusion: This Is Not Over

The April–May 2026 cPanel security incident is a turning point. Four TSRs in 23 days. Seven distinct vulnerabilities. 44,000 confirmed compromises from a single zero-day. Active exploitation of a third-party plugin leading to an emergency early release.

This is not normal. This is what an extended code audit under crisis conditions looks like — and it may not yet be finished. Server administrators who manage cPanel/WHM infrastructure must accept that the security posture required in 2026 is fundamentally different from what was adequate in prior years. Automatic updates on the RELEASE tier, 2FA on all accounts, port restrictions, Imunify360 with active monitoring, and regular IOC scanning are no longer optional extras — they are baseline requirements.

Patch today. Audit your logs. Harden your access. Stay subscribed to cPanel security advisories.


Need Expert Help?

If you are unsure whether your server is fully patched, if the IOC script returned a WARNING or CRITICAL result, or if you need hands-on assistance with emergency incident response on your cPanel/WHM, VPS, or dedicated server infrastructure, myglobalHOST’s technical team is available 24/7. We specialize in managed Proxmox, VPS, and dedicated server security, and we were among the first hosting providers to respond to each of the April–May 2026 cPanel vulnerabilities.
