Overview of the Vulnerability
This vulnerability in cPanel & WHM is an authentication bypass flaw that can allow an attacker to gain full administrative access without requiring a valid username or password.
Under normal conditions, cPanel authentication follows a secure login flow. However, this vulnerability disrupts that process by allowing manipulated session data to be trusted by the system.
How cPanel Login Normally Works
When a user logs into cPanel/WHM, the following process takes place:
- User accesses the WHM/cPanel login page
- Username and password are entered
- cPanel verifies the credentials
- A session file (temporary login ticket) is created
- The session is stored on the server
- All subsequent requests use this session for authentication
This ensures that only authenticated users can access administrative features.
What Goes Wrong in This Vulnerability
Due to the bug, an attacker is able to manipulate the session file during the login process.
Instead of waiting for proper authentication, cPanel may incorrectly trust session data that has been altered before verification is completed.
How the Attack Works
An attacker can send a specially crafted request containing modified or fake session parameters.
By inspecting login requests using browser developer tools (Network tab), the attacker can alter outgoing requests before they reach the server.
Example Scenario
Normal Request:
user=admin
pass=wrongpassword
Modified Malicious Request:
user=admin
pass=wrongpassword
cp_security_token=/cpsess99999999
successful_external_auth_with_timestamp=1
Note: This is only a conceptual example for understanding the issue.
What the Attacker Achieves
- No need to know the actual password
- Injects fake authentication-related parameters
- Sends a modified request to the server
cPanel then incorrectly processes these values and may treat the session as authenticated.
Root Cause of the Issue
The vulnerability occurs because:
- The attacker injects a fake token into the login request
- cPanel writes this data into the session file too early
- The session file is then used for validation
- cPanel mistakenly trusts the manipulated session data
In Simple Terms:
cPanel trusted session data that was influenced by attacker-controlled input before authentication was completed.
Fixed Versions Released by cPanel
The issue has been patched in the following versions:
11.86.0.41
11.110.0.97
11.118.0.63
11.126.0.54
11.130.0.19
11.132.0.29
11.136.0.5
11.134.0.20
If your system is running any of these versions, the vulnerability is considered fixed. Older versions may still be at risk.
Required Actions (Update Process)
To secure your server, update cPanel using:
/scripts/upcp --force
Verify Update Status
/usr/local/cpanel/cpanel -V
Restart cPanel Service
/scripts/restartsrv_cpsrvd
Temporary Mitigation (If Update Is Not Possible)
If immediate updating is not possible, you can reduce exposure by blocking access to cPanel services:
2083 → cPanel
2087 → WHM
2095 → Webmail
2096 → Webmail SSL
Important Drawback:
Blocking these ports will also prevent legitimate users and administrators from accessing cPanel/WHM until access is restored.
Detection of Potential Exploitation
cPanel also provides a detection script to identify signs of compromise. It checks for the following red flags:
1. Fake Token + Failed Token Combination
token_denied=1
cp_security_token=/cpsessXXX
origin=method=badpass
2. Pre-Authentication Session Claiming Login Success
3. 2FA Marked as Passed Without Valid Login
4. Password Field Containing Hidden Newlines
Detection Script Reference: cPanel Security Advisory
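The first two red flags above, expressed as a check over session-style records. This is an added example, not cPanel's detection script; the key=value line layout, the flag names, and the rule that a `method=badpass` origin marks a pre-authentication session are assumptions.

```python
# Added example, not cPanel's detection script. The key=value-per-line layout
# and the rule used for "pre-authentication" are assumptions for illustration.

def parse_session(text):
    """Parse key=value lines; split on the first '=' so 'method=badpass' survives."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields

def red_flags(fields):
    """Return the names of the red flags present in one parsed record."""
    flags = []
    failed_login = "method=badpass" in fields.get("origin", "")
    has_token = fields.get("cp_security_token", "").startswith("/cpsess")
    # Flag 1: a security token sits next to a denied token and a failed login.
    if fields.get("token_denied") == "1" and has_token and failed_login:
        flags.append("fake-token-with-failed-login")
    # Flag 2 (assumed rule): the password check failed, yet the record
    # carries a marker claiming external authentication succeeded.
    if failed_login and "successful_external_auth_with_timestamp" in fields:
        flags.append("preauth-session-claims-success")
    return flags

def scan(sessions):
    """sessions maps a record name to its raw text; returns flagged ones."""
    report = {}
    for name, text in sessions.items():
        hits = red_flags(parse_session(text))
        if hits:
            report[name] = hits
    return report

# Constructed sample records, not real session data.
SAMPLES = {
    "clean": "user=admin\ncp_security_token=/cpsess12345678\n",
    "failed_only": "user=admin\norigin=method=badpass\n",
    "flag1": "token_denied=1\ncp_security_token=/cpsess99999999\n"
             "origin=method=badpass\n",
    "flag2": "origin=method=badpass\n"
             "successful_external_auth_with_timestamp=1\n",
}

if __name__ == "__main__":
    print(scan(SAMPLES))
```

An ordinary failed login (`failed_only`) is not reported; only the combinations listed above are.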
Additional Security Recommendations
To further reduce risk and strengthen security posture:
- Enable IP-based access restrictions for WHM/cPanel
- Restrict access using VPN-only administration
- Monitor logs for unusual or repeated login attempts
- Enforce strong password policies
- Enable Multi-Factor Authentication (MFA) for all admin users
Conclusion
This vulnerability highlights how session handling flaws can lead to serious authentication bypass issues in critical systems like cPanel & WHM. While patches are available, securing access through layered controls such as IP restriction, MFA, and monitoring is essential to reduce exposure and prevent exploitation.

