WebPros cPanel & WHM and WP2 (WordPress Squared) Authentication Bypass via Login Flow (CVE-2026-41940)
Severity Assessment
- Exploitability: 10/10
- Impact: 10/10
- Weaponization Risk: 10/10
- Patch Urgency: 10/10
- Detection Coverage: 3/10
Summary
CVE-2026-41940 is a missing authentication vulnerability (CWE-306) in the login flow of WebPros cPanel & WHM and WP2 (WordPress Squared). Unauthenticated remote attackers can bypass the control panel’s login mechanism, obtaining unauthorized access to the cPanel or WHM administrative interface without valid credentials.
cPanel and WHM are web hosting control panels and server management platforms for shared, VPS, and dedicated Linux hosting environments. The platform manages DNS, email, databases, SSL certificates, file systems, user accounts, and server configuration for hosted domains. Administrative access to a WHM instance gives an attacker root-equivalent control over the hosting server and the accounts it hosts.
The vulnerability was disclosed on April 28, 2026 alongside a security patch. CISA added CVE-2026-41940 to the Known Exploited Vulnerabilities catalog on April 30, 2026, with a required remediation deadline of May 3, 2026 for U.S. federal civilian agencies. watchTowr Labs simultaneously published a public proof-of-concept demonstrating an authentication bypass to remote code execution (RCE) chain, and hosting providers issued status advisories to their customer base confirming active exploitation.
The CVSS 3.1 base score is 9.8 (CRITICAL; AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). CVSS 4.0 scores the vulnerability at 9.3. The attack requires no privileges, no user interaction, and no special configuration — a network-accessible cPanel or WHM login page is the prerequisite.
Exploit Chain
The vulnerability resides in the cPanel and WHM authentication logic governing the login flow (CWE-306: Missing Authentication for Critical Function). The login process exposes one or more steps or endpoints that fail to enforce authentication before allowing state transitions or issuing session artifacts:
Stage 1: Initial Request
An attacker sends a crafted request to the cPanel or WHM login interface. The target instance requires no prior knowledge of credentials — the vulnerability is present in the unauthenticated portion of the login flow itself.
Stage 2: State Machine Manipulation
Due to missing authentication enforcement in the login flow’s state handling (CWE-306), the server advances the authentication state machine to a trusted or authenticated state without validating credentials.
Stage 3: Session Acquisition
The attacker receives a valid authenticated session token or cookie granting control panel access at the privilege level of the targeted account.
Stage 4: Post-Authentication Exploitation
With authenticated cPanel or WHM access, the attacker can leverage built-in platform functionality — including the file manager, cron job editor, terminal interface, PHP and CGI configuration, and database management tools — to achieve remote code execution on the underlying Linux host.
Stage 5: Server Takeover
On WHM (the reseller/root-level interface), successful exploitation gives the attacker server-wide administrative access, enabling account takeover for all hosted customers, DNS manipulation, email interception, and persistent backdoor installation.
watchTowr Labs confirmed and published a working proof-of-concept for the auth-bypass-to-RCE chain on April 30, 2026, demonstrating that the authentication bypass is weaponizable without additional prerequisites.
The vulnerability affects cPanel and WHM across actively supported release branches from version 11.40 through 136.x, covering unpatched deployments regardless of release track. WP2 (WordPress Squared), WebPros’s managed WordPress hosting layer built on the cPanel/WHM stack, is separately affected through version 136.1.7.
Detection Guidance
- Apply vendor patches. Patched versions by release branch: 86.0.41, 110.0.97, 118.0.63, 126.0.54, 130.0.19, 132.0.29, 134.0.20, and 136.0.5 for cPanel and WHM; 136.1.7 or later for WP2. If auto-updates are enabled, verify the installed version and force an update cycle.
- Audit cPanel and WHM access logs for authentication events that lack a corresponding credential submission — specifically, sessions that advance past the login page without a valid username/password POST, or sessions established from unexpected IP addresses.
- Review WHM and cPanel activity logs (typically under /usr/local/cpanel/logs/) for anomalous account actions, mass file modifications, new cron jobs, unfamiliar SSH authorized keys, or changes to DNS zone records.
- Monitor for unexpected child processes spawned from the cPanel or WHM process tree (e.g., /usr/local/cpanel/cpsrvd), particularly shells or network utilities.
- Audit all cPanel-managed cron jobs and .htaccess files across hosted accounts for injected commands or web shells added after April 28, 2026.
- Restrict external access to WHM (port 2087) and cPanel (port 2083) via firewall rules where possible. WHM in particular should never be exposed to untrusted networks; access should be limited to known administrative IP addresses using CSF/firewall allowlisting.
- Rotate all cPanel and WHM account passwords and API tokens immediately on patched instances, as any sessions established during the exposure window may have resulted in credential harvesting.
- Enable two-factor authentication (2FA) on all cPanel and WHM accounts. While 2FA does not remediate the underlying missing authentication flaw, it limits the utility of harvested credentials in follow-on attacks.
- Check for unauthorized changes to DNS records, email routing (MX records), and SSL certificate configurations, which are primary targets for attackers with cPanel access.
Indicators of Compromise
Indicators consistent with CVE-2026-41940 exploitation include:
- Authentication events in cPanel/WHM logs showing session establishment without a preceding valid credential submission, or sessions skipping expected login steps.
- Logins to cPanel or WHM from IP addresses not associated with known administrators, particularly from Tor exit nodes, VPN infrastructure, or hosting provider IP ranges inconsistent with the account’s geographic history.
- New or modified cron jobs under any hosted cPanel account created after April 28, 2026 containing base64-encoded commands, reverse shell payloads, or outbound network connections.
- Web shell files (PHP, Perl, CGI) deposited in web-accessible directories under /home/*/public_html/ or in the cPanel default document root.
- Changes to SSH authorized keys under /home/*/.ssh/authorized_keys or /root/.ssh/authorized_keys made after April 28, 2026.
- Anomalous DNS zone record modifications — particularly MX record changes pointing mail delivery to attacker-controlled servers for credential interception.
- The cPanel daemon (cpsrvd) or WHM spawning shell interpreters (/bin/bash, /bin/sh) or network tools (curl, wget, nc) as direct child processes.
- Outbound connections from the web server or cPanel process to non-standard external hosts, particularly on ports 443, 4444, or 8080.
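The first audit step in the Detection Guidance and the first indicator above both come down to the same question: did a control panel session appear without a credential POST from that client shortly beforehand? The script below is an added example, not from the advisory or from cPanel, and it assumes an Apache combined-format access log (the layout of cPanel's /usr/local/cpanel/logs/access_log) in which authenticated URLs carry a cpsess<digits> prefix; the log lines are constructed, and the `known_ips` allowlist and the ten-minute login window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed layout: Apache "combined" format with a cpsess<digits> session
# prefix on authenticated paths. The sample lines are constructed, not real.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SESS_RE = re.compile(r'^/(cpsess\d+)/')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_unauthenticated_sessions(lines, window=timedelta(minutes=10), known_ips=None):
    """Return (token, ip, user, reason) for each session token whose first use
    is not preceded by a credential POST from the same client inside `window`,
    or (if an allowlist is given) that originates from an unrecognised IP."""
    last_login = {}   # client ip -> time of its most recent POST /login
    reported = set()  # session tokens already reported (one finding per token)
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, user, path = m['ip'], m['user'], m['path']
        when = datetime.strptime(m['ts'], TS_FMT)
        # A credential submission: POST to the login handler that was accepted.
        if m['method'] == 'POST' and path.startswith('/login') and m['status'] in ('200', '302', '303'):
            last_login[ip] = when
            continue
        s = SESS_RE.match(path)
        if not s or s.group(1) in reported:
            continue
        token = s.group(1)
        reported.add(token)
        prior = last_login.get(ip)
        if prior is None or not (timedelta(0) <= when - prior <= window):
            findings.append((token, ip, user, 'no credential POST before session use'))
        elif known_ips is not None and ip not in known_ips:
            findings.append((token, ip, user, 'session from unrecognised source IP'))
    return findings

# Constructed sample: a normal login followed by session use, then a session
# used from a second client that never submitted credentials.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Apr/2026:10:01:02 +0000] "POST /login/?login_only=1 HTTP/1.1" 200 86 "-" "Mozilla/5.0"
203.0.113.5 - admin [28/Apr/2026:10:01:03 +0000] "GET /cpsess1111111111/frontend/jupiter/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - root [28/Apr/2026:11:22:33 +0000] "GET /cpsess2222222222/frontend/jupiter/index.html HTTP/1.1" 200 5120 "-" "curl/8.0"
198.51.100.9 - root [28/Apr/2026:11:22:35 +0000] "GET /cpsess2222222222/frontend/jupiter/filemanager/index.html HTTP/1.1" 200 1024 "-" "curl/8.0"
""".splitlines()

if __name__ == "__main__":
    for finding in find_unauthenticated_sessions(SAMPLE_LOG, known_ips={'203.0.113.5'}):
        print(finding)
```

Run it against the real access_log by replacing `SAMPLE_LOG` with the file's lines; the first finding kind is the CVE-2026-41940 signature, the second is the "unexpected IP" indicator from the list above.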
Disclosure Timeline
2026-04-28 — Vendor patch released
WebPros released an out-of-cycle security update for cPanel, WHM, and WP2, patching the authentication bypass vulnerability in the login flow. The security advisory (cPanel/WHM Security Update 04-28-2026) was published simultaneously. Fixed versions were issued across all active release branches.
2026-04-29 — CVE-2026-41940 published by NVD
The National Vulnerability Database published CVE-2026-41940 with a CVSS 3.1 base score of 9.8 (CRITICAL). The source identifier disclosure@vulncheck.com indicates coordinated disclosure through VulnCheck. NVD classification includes CWE-306 (Missing Authentication for Critical Function) and notes the vulnerability covers cPanel and WHM versions after 11.40 across all affected release branches.
2026-04-30 — CISA adds CVE-2026-41940 to KEV; watchTowr Labs publishes PoC
CISA added CVE-2026-41940 to the Known Exploited Vulnerabilities catalog with a required remediation deadline of May 3, 2026, confirming active in-the-wild exploitation. Concurrently, watchTowr Labs published a public proof-of-concept demonstrating the authentication bypass to RCE chain. Hosting providers including Namecheap issued status advisories to customers confirming active exploitation.
Sources & References
- National Vulnerability Database: CVE-2026-41940 — National Vulnerability Database, 2026-04-29
- CISA: Known Exploited Vulnerabilities Catalog — CVE-2026-41940 — CISA, 2026-04-30
- cPanel / WebPros: cPanel/WHM Security Update 04-28-2026 — cPanel / WebPros, 2026-04-28
- VulnCheck: cPanel and WHM Authentication Bypass via Login Flow — VulnCheck, 2026-04-29
- watchTowr Labs: cPanel/WHM AuthBypass to RCE Proof of Concept — watchTowr Labs, 2026-04-30
- WP Squared (WebPros): Changelog Version 136.1.7 Entry 13617 — WP Squared (WebPros), 2026-04-28