A critical authentication-bypass vulnerability, CVE-2026-41940, in cPanel, WHM, and WP Squared is being actively exploited in the wild, with exploitation attempts observed as early as February 23, 2026. Patches were released on April 28, and vendors recommend restarting cpsrvd, blocking management ports, and using published detection scripts to verify and remediate instances. #CVE-2026-41940 #cPanel
Key points
- CVE-2026-41940 is an active authentication bypass affecting cPanel, WHM, and WP Squared with exploitation seen since late February.
- The flaw is a CRLF injection in the login and session-loading processes where the Authorization header is written to session files without proper sanitization.
- Published technical analysis from watchTowr shows how the bug can bypass password validation and enable exploit development.
- cPanel released fixes on April 28 and advises restarting the cpsrvd service; temporary mitigations include blocking ports 2083/2087/2095/2096 or stopping cpsrvd and cpdavd.
- Detection scripts from cPanel and watchTowr are available, and Rapid7 warns that successful exploitation grants attackers full control over hosts, configurations, databases, and managed websites.
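The second key point describes the bug class: a header value containing carriage-return or line-feed characters is written verbatim into a line-oriented session file, so the client can append records the loader later trusts. The following is an added illustration of that class, not cPanel's code and not taken from the watchTowr analysis; the `key=value` record format, the `authorization` key, the allowlist of expected keys and the sample header values are all constructed for the demo. It places the unsanitized write beside a hardened one that rejects CR/LF, and adds a loader-side check that flags session records a single header write should never have produced.

```python
"""Added illustration of CRLF injection into a line-oriented session store.

Assumptions (not cPanel's real format): one record per line, written as
key=value, and a loader that trusts every record it reads back.
"""
import re

# Any carriage return or line feed: the characters that delimit records in a
# line-oriented store, so they must never come from an untrusted header.
_CRLF = re.compile(r"[\r\n]")

# Keys a session file written by this demo's login path is allowed to hold.
EXPECTED_KEYS = frozenset({"authorization"})

# Constructed sample header values (credential is a placeholder, not real).
BENIGN_HEADER = "Basic dXNlcjpwYXNz"
MALFORMED_HEADER = "Basic dXNlcjpwYXNz\r\ninjected_key=injected_value"


def is_safe_header(value: str) -> bool:
    """True only if the header value contains no record delimiters."""
    return _CRLF.search(value) is None


def write_session_unsafe(auth_header: str) -> str:
    """Vulnerable pattern: the header value is interpolated verbatim, so an
    embedded CR/LF terminates the record and starts a new one."""
    return f"authorization={auth_header}\n"


def write_session_safe(auth_header: str) -> str:
    """Hardened pattern: refuse the write outright rather than trying to
    escape, since a rejected login is the safer failure mode."""
    if not is_safe_header(auth_header):
        raise ValueError("Authorization header contains CR/LF")
    return f"authorization={auth_header}\n"


def parse_session(blob: str) -> dict:
    """Parse the store the way a naive loader would: every line is a record."""
    records = {}
    for line in blob.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        records[key] = value
    return records


def find_unexpected_keys(blob: str) -> list:
    """Detection helper for the loader or an audit script: any key outside the
    allowlist means something other than the login path wrote a record."""
    return sorted(k for k in parse_session(blob) if k not in EXPECTED_KEYS)


if __name__ == "__main__":
    tainted = write_session_unsafe(MALFORMED_HEADER)
    print("records after unsafe write:", parse_session(tainted))
    print("unexpected keys:", find_unexpected_keys(tainted))
    try:
        write_session_safe(MALFORMED_HEADER)
    except ValueError as exc:
        print("safe write rejected header:", exc)
```

The hardened writer rejects rather than strips: silently removing CR/LF can still leave a value the loader misparses, and an unexpected rejection surfaces in logs, which is the behaviour a defender wants when the input is hostile. The allowlist check is the kind of signal an audit script can apply to existing session files.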