Latest cPanel vulnerability: CVE-2026-41940 authentication bypass and Exim fixes explained

The latest major cPanel security story is CVE-2026-41940, an authentication bypass issue in cPanel & WHM and WP Squared. cPanel published the emergency advisory on April 28, 2026 and updated it on April 29, 2026 with patched versions, required actions, and an indicator-of-compromise detection script.

This is a high-priority issue for hosting providers, managed service providers, web agencies, and anyone running cPanel servers exposed to the internet.

The short version: update immediately, check for indicators of compromise, invalidate suspicious sessions, review logs, and treat affected WHM access as a potential full-server incident.

What happened

cPanel says an authentication bypass security issue was identified in cPanel software, including DNSOnly, affecting all versions after 11.40. The patched cPanel & WHM versions listed in the advisory are:

• 11.110.0.97
• 11.118.0.63
• 11.126.0.54
• 11.130.0.18
• 11.132.0.29
• 11.134.0.20
• 11.136.0.5

cPanel also lists WP Squared 136.1.7 as patched.

Because cPanel and WHM manage hosting accounts, DNS, email, databases, files, domains, SSL, and server administration workflows, an authentication bypass is not a minor web bug. It can become a server control problem.

Why this vulnerability matters

cPanel servers are attractive targets because one successful compromise can expose many sites at once. A hosting server may contain:

• customer websites
• databases
• email mailboxes
• DNS zones
• backups
• SSL material
• cron jobs
• SSH keys
• application secrets
• reseller accounts
• WHM administrator access

If an attacker reaches WHM-level access, the impact can extend across the entire hosting environment. That is why authentication bypass vulnerabilities in control panels are urgent.

Required administrator actions

cPanel's advisory directs administrators to update to a patched version using the cPanel update script. In normal cPanel environments, that means running:

/scripts/upcp

After updating, administrators should verify the installed cPanel version and confirm the system is no longer on an affected build.

Updating is necessary, but it is not always sufficient. If exploitation may have occurred before patching, administrators need incident response, not only patch management.

IOC checks

cPanel published a detection script for session-file indicators. The advisory describes suspicious artifacts involving session files, token-related values, pre-authentication state, and suspicious two-factor authentication markers.

Administrators should run the official script from cPanel's advisory, review the output carefully, and preserve evidence before deleting anything if an incident investigation may be required.

High-priority areas to review include:

• /var/cpanel/sessions
• WHM access logs
• authentication logs
• /var/log/wtmp
• root login history
• newly created WHM users
• modified reseller privileges
• unexpected SSH keys
• suspicious cron jobs
• changed packages or binaries
• unfamiliar web shells in hosted accounts

If indicators are found, assume the server may be compromised until proven otherwise.

Incident response checklist

For suspected exploitation:

1. Preserve relevant logs and session files.
2. Update cPanel to a fixed version.
3. Run cPanel's IOC detection script.
4. Purge affected or suspicious sessions.
5. Force password resets for root and WHM users.
6. Rotate API tokens and access hashes.
7. Review WHM user and reseller privileges.
8. Audit SSH keys and sudo-capable accounts.
9. Check cron, systemd units, startup scripts, and web roots for persistence.
10. Review outbound traffic and DNS changes.
11. Notify affected customers if hosted account compromise is confirmed.
12. Rebuild from clean backups if system integrity cannot be trusted.

The most important judgment call is whether the server can be trusted after cleanup. If root-equivalent access is confirmed, rebuilding may be safer than trying to surgically remove attacker changes.

Logs to prioritize

Start with logs that can answer who accessed WHM, from where, and what changed:

• WHM access logs
• cPanel session files
• secure/auth logs
• shell history where available
• package manager logs
• web server access logs
• FTP and mail logs
• DNS zone modification history
• backup access logs

Look for unusual IP addresses, impossible travel, sudden privilege changes, new accounts, repeated failed logins followed by success, and commands that create persistence.

Hosting provider impact

For hosting providers, the operational response should be coordinated. One compromised control panel server can affect many customers, so providers should:

• identify all exposed cPanel and DNSOnly instances
• patch fleet-wide
• run IOC checks consistently
• centralize results
• prioritize internet-facing WHM endpoints
• communicate with customers transparently
• review backups before restoration
• watch for mass web-shell deployment
• rotate shared operational credentials

Providers should also consider temporarily restricting WHM access to trusted IP ranges where practical.

Related Exim CVEs

In early May 2026, cPanel also published an advisory for several Exim vulnerabilities affecting versions prior to Exim 4.99.2:

• CVE-2026-40684
• CVE-2026-40685
• CVE-2026-40686
• CVE-2026-40687

cPanel says updated Exim packages were released in cPanel & WHM versions 136.0.7, 134.0.23, 118.0.64, and 110.0.112.

These Exim issues are separate from CVE-2026-41940, but they matter because cPanel servers commonly expose mail services. Administrators should verify both the cPanel application version and the Exim package version.

Hardening after patching

After emergency patching, reduce future exposure:

• restrict WHM access by IP where possible
• enforce MFA for WHM users
• remove unused WHM and reseller accounts
• rotate API tokens periodically
• disable password authentication for SSH where feasible
• monitor control panel logins centrally
• keep cPanel auto-updates enabled
• alert on new WHM users and privilege changes
• keep backups offline or immutable
• scan hosted accounts for web shells

For many organizations, the control panel is the most privileged web application they operate. It deserves the same monitoring as identity systems, VPN gateways, and firewalls.

Bottom line

CVE-2026-41940 is a serious cPanel & WHM authentication bypass issue with direct operational impact for hosting environments. The priority is immediate patching to cPanel's fixed versions, followed by IOC checks and incident response where suspicious session artifacts or unauthorized access appear.

Do not treat this as a routine update if your WHM interface was exposed during the vulnerable window. Patch first, then verify whether compromise occurred. For cPanel servers, control panel integrity is server integrity.