Critical cPanel vulnerability actively exploited in the wild

As detailed in Bleeping Computer, a critical authentication bypass vulnerability, identified as CVE-2026-41940, affecting cPanel, WHM, and WP Squared, has been actively exploited by attackers since late February.

The vulnerability stems from a Carriage Return Line Feed (CRLF) injection flaw in the login and session-loading code of cPanel & WHM. User-controlled input from the Authorization header is written into server-side session files without sanitization, and the resulting improper session handling lets an attacker bypass authentication. Successful exploitation grants control over the host system, its configuration, its databases, and the websites it manages. Hosting providers such as KnownHost reported exploitation attempts as early as February 23, 2026.
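As an added illustration of the flaw class described above (this is not cPanel's code and is not from the Bleeping Computer report), the following Python shows the two checks a defender wants for it: a validator that refuses to persist a header value containing a line break into a line-oriented session store, and a detector that flags such Authorization values in request logs. The log format, field names and sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Matches a raw CR or LF, a logger's backslash-escaped form (\r, \n), or a
# percent-encoded form (%0D, %0A) in either letter case.
_CRLF_PATTERN = re.compile(r"\r|\n|\\r|\\n|%0[dDaA]")


def contains_line_break(value: str) -> bool:
    """True if an HTTP header value carries a CR/LF in raw, escaped or
    percent-encoded form. Decoding once also catches single-level encoding."""
    decoded = unquote(value)
    return bool(_CRLF_PATTERN.search(value)) or "\r" in decoded or "\n" in decoded


def safe_header_value(value: str) -> str:
    """Validate a header value before it is persisted to a line-oriented
    session store. Reject rather than strip, so a malformed value can never
    silently become a new record line in the file."""
    if contains_line_break(value):
        raise ValueError("CR/LF in header value")
    return value


# Constructed log format (hypothetical, not cPanel's): ip method path authz="<value>"
_LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) authz="(?P<authz>.*)"$')


def find_crlf_in_authorization(log_lines):
    """Return (ip, path, value) for every request whose Authorization header
    value carries a line break, for triage against login endpoints."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if m and contains_line_break(m.group("authz")):
            hits.append((m.group("ip"), m.group("path"), m.group("authz")))
    return hits


# Constructed sample log lines; the second shows a logger's escaped CR/LF,
# the third a percent-encoded one.
SAMPLE_LOG = [
    '203.0.113.5 GET /login authz="Basic dXNlcjpwYXNz"',
    '198.51.100.7 GET /login authz="Basic dXNlcjpwYXNz\\r\\nfoo=bar"',
    '198.51.100.9 POST /login authz="Basic%20dXNlcg%0D%0Afoo%3Dbar"',
    '203.0.113.9 GET /index.html authz=""',
]

if __name__ == "__main__":
    for ip, path, value in find_crlf_in_authorization(SAMPLE_LOG):
        print(f"{ip} {path}: suspicious Authorization value {value!r}")
```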

cPanel released an emergency fix on April 28, 2026, with specific patched versions for affected releases. In response, Namecheap temporarily blocked access to cPanel and WHM ports until patches were applied. Approximately 1.5 million cPanel instances are exposed online, though the exact number vulnerable to this specific flaw is unknown. The vendor strongly advises customers to restart the "cpsrvd" service after applying updates or, if patching is not immediate, to block external access to specific ports and stop core services.

Source: Bleeping Computer
