cPanel CVE-2026-29205: arbitrary file reads via cpdavd make rapid patching the right move

Shared hosting and control-plane vulnerabilities are rarely just "someone else's infrastructure problem." cPanel's May 2026 advisory for CVE-2026-29205 describes a condition where arbitrary files could be read through certain cpdavd endpoints because of incorrect privilege dropping and insufficient path filtering. The update became more urgent when cPanel later said an additional fix was required and had been backported across supported branches.

That second fix is the detail administrators should not miss. This is not simply a matter of applying a patch once and moving on. Teams need to confirm they received the expanded update.

Why arbitrary file reads are serious on hosting control planes

An arbitrary file read on a hosting control plane can expose far more than one application's data. The platform may hold customer configuration, internal metadata, service credentials, account details, mail configuration, and other operational secrets. Even when the bug is not framed as straight remote code execution, file disclosure can be enough to support broader compromise.

For cPanel environments, the problem becomes especially sensitive because the control layer often sits near email, DNS, web hosting, and account-management functions. A weakness in the wrong endpoint can expose material that helps attackers move from disclosure to persistence.

What cPanel says happened

cPanel states that CVE-2026-29205 affected versions 120 and higher and made arbitrary file reads possible through certain cpdavd endpoints. The vendor also says the issue stemmed from a combination of incorrect dropping of privileges and insufficient path filtering.

Then came the operationally important update: on May 14, cPanel says it released an additional fix that expanded on the first May 13 release and backported the change across supported versions. That means administrators should verify not only that they patched, but that they patched to the revised builds.

Versions to verify

cPanel's updated advisory calls out patched build levels including:

• 11.124.0.40 and later
• 11.126.0.61 and later
• 11.130.0.25 and later
• 11.132.0.34 and later
• 11.134.0.28 and later
• 11.136.0.12 and later

It also lists a patched WP Squared version. The bigger operational lesson is that "we updated yesterday" is not a sufficient answer unless the installed version is checked against the revised fixed build.

Immediate action if patching is blocked

cPanel gives unusually direct emergency guidance: if administrators cannot update immediately, they should block inbound traffic on ports 2079 and 2080 at the firewall until remediation is complete.

That is exactly the kind of guidance teams should use when maintenance windows lag. If the vendor is telling you which exposed path to reduce, the safest response is to reduce it right away rather than waiting for a cleaner weekend.

Practical response workflow

For hosting teams, the right workflow is:

1. identify every cPanel and WP Squared system in scope
2. confirm current versions rather than assuming patch status
3. force the update process on affected systems
4. verify the installed version after update
5. temporarily restrict the affected ports where patching is delayed
6. document which servers were on the first patch and which received the follow-up fix

This is also a good moment to review whether those ports are exposed more broadly than they need to be.

Investigation questions

If a server remained exposed during the vulnerable window, defenders should ask:

• were ports 2079 or 2080 reachable from untrusted networks?
• were there unusual requests to cpdavd endpoints?
• did file-access patterns or control-plane logs look abnormal?
• were there customer reports of unexpected account behavior?
• did all systems get the post-expansion fix, or only the initial update?

The phrase "arbitrary file read" should trigger a secrets review mindset, not just an availability or bug-fix mindset.

Why the follow-up patch changes priorities

Second-wave patch updates can create false confidence. Administrators may believe the issue is closed because the original advisory was already addressed. But cPanel's own language makes clear that the later fix expanded the earlier remediation. That means version drift inside a fleet is likely unless teams deliberately re-check every affected branch.

In practice, these situations often leave the most operationally busy servers behind, exactly where risk is highest.

Bottom line

CVE-2026-29205 is a strong example of why control-plane file-read flaws deserve immediate attention. The issue affects cPanel & WHM versions 120 and higher, and the vendor explicitly says an additional fix was required after the first release.

Upgrade to the revised patched builds, verify the actual installed versions, block ports 2079 and 2080 if you cannot patch yet, and review exposed systems for suspicious access. In hosting environments, arbitrary file reads are rarely "just disclosure." They are often the first useful gift an attacker gets.