cPanel zero-day exploited for months before patch release (CVE-2026-41940)

A critical authentication-bypass vulnerability (CVE-2026-41940) in cPanel/WHM is being actively exploited in the wild, allowing unauthenticated attackers to gain administrator-level control of hosting systems. The flaw lets attackers manipulate the whostmgrsession cookie and inject raw \r\n (CRLF) sequences into session files to escalate privileges, prompting WebPros to publish an advisory and patches on April 28.

Keypoints

  • CVE-2026-41940 is an authentication bypass in cpsrvd that enables unauthenticated admin access to cPanel hosts.
  • Attackers exploit the flaw by omitting segments of the whostmgrsession cookie and injecting raw \r\n (CRLF) sequences via a malicious Basic Authorization header.
  • In-the-wild exploitation has been observed since February 23 and may have occurred earlier.
  • WebPros released fixes and advisories on April 28; hosting providers have been blocking WHM/cPanel ports and applying updates.
  • Mitigations include updating cPanel, verifying builds, restarting cpsrvd, blocking ports 2083/2087/2095/2096, stopping cpsrvd/cpdavd, and scanning for indicators of compromise.
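The two request-level anomalies the summary describes (a whostmgrsession cookie with segments missing and CRLF control characters smuggled inside a Basic Authorization header) can be checked for in proxy or web-server logs while hosts are being patched. The following is an added example written for this summary; it is not code from WebPros, cPanel, or the Help Net Security article. It decodes the Basic credential, flags any control characters in the username or password, and flags whostmgrsession cookies with empty or too-few colon-separated segments. The segment count (3) and the sample requests are constructed assumptions: set the count from what your own server's legitimate cookies look like, since the page does not document the cookie layout.

```python
import base64
import re

# Control characters that must never appear inside decoded credentials or a
# session cookie; CR (0x0d) and LF (0x0a) are the ones the advisory describes.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def decode_basic_auth(header_value):
    """Return (username, password) from a 'Basic <base64>' header, or None if malformed."""
    scheme, _, payload = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        raw = base64.b64decode(payload, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, _, password = raw.partition(":")
    return user, password


def check_request(headers, expected_cookie_segments=3):
    """Return a list of findings for one request's headers (dict with lower-case keys).

    expected_cookie_segments is an ASSUMED placeholder; tune it to your environment.
    """
    findings = []

    auth = headers.get("authorization")
    if auth is not None:
        creds = decode_basic_auth(auth)
        if creds is None:
            findings.append("malformed Basic Authorization header")
        else:
            for name, value in zip(("username", "password"), creds):
                if CONTROL_CHARS.search(value):
                    findings.append(f"control characters (CR/LF) in Basic auth {name}")

    cookie = headers.get("cookie", "")
    for part in cookie.split(";"):
        key, _, value = part.strip().partition("=")
        if key != "whostmgrsession":
            continue
        segments = value.split(":")
        if len(segments) < expected_cookie_segments or any(s == "" for s in segments):
            findings.append("whostmgrsession cookie has missing/empty segments")
        if CONTROL_CHARS.search(value):
            findings.append("control characters in whostmgrsession cookie")

    return findings


def audit(requests):
    """Map request index -> findings, omitting clean requests."""
    result = {}
    for i, headers in enumerate(requests):
        findings = check_request(headers)
        if findings:
            result[i] = findings
    return result


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    # benign: well-formed cookie and credential
    {"cookie": "whostmgrsession=alice:abcdef0123456789:0123456789abcdef",
     "authorization": "Basic " + base64.b64encode(b"alice:s3cret").decode()},
    # CRLF inside the Basic auth password
    {"cookie": "whostmgrsession=alice:abcdef0123456789:0123456789abcdef",
     "authorization": "Basic " + base64.b64encode(b"alice:x\r\ninjected").decode()},
    # truncated cookie with an empty trailing segment
    {"cookie": "whostmgrsession=alice:",
     "authorization": "Basic " + base64.b64encode(b"alice:pw").decode()},
]


if __name__ == "__main__":
    for index, findings in audit(SAMPLE_REQUESTS).items():
        print(f"request {index}: {'; '.join(findings)}")
```

Run it against header dicts parsed from your own access or proxy logs; any hit on the CRLF check is worth correlating with the indicators of compromise in the vendor advisory, and the cookie check is only meaningful once the segment count reflects your server's normal cookies.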

Read More: https://www.helpnetsecurity.com/2026/04/30/cpanel-zero-day-vulnerability-cve-2026-41940-exploited/