CVE-2026-41940

Overview

CVE-2026-41940 is a critical (CVSS 9.8) pre-authentication remote code execution vulnerability in WebPros cPanel & WHM and WP Squared. The flaw stems from a CRLF (Carriage Return Line Feed) injection in cPanel's login and session-loading process: the cpsrvd service daemon writes a session file to disk using unsanitized user input before verifying credentials, allowing an unauthenticated attacker to inject arbitrary properties — including user=root — into the session file and establish root-level WHM administrative access with a single HTTP request.

The vulnerability was exploited as a zero-day for over two months before WebPros published an advisory on April 28, 2026. With approximately 1.5 million cPanel instances exposed to the internet and cPanel estimated to power over 70 million domains globally, the potential scope of impact is exceptionally broad.

What is cPanel & WHM?

cPanel is the world's most widely deployed web hosting control panel. It provides website owners and developers with a browser-based interface to manage email accounts, databases, DNS records, file storage, and hosted applications. It is the standard offering from shared hosting providers worldwide.

WHM (Web Host Manager) is the administrative layer above cPanel used by hosting providers to manage entire servers — creating hosting accounts, configuring server-wide security settings, managing DNS zones, and controlling all cPanel instances on a server. WHM access is effectively root-equivalent: an attacker with WHM admin access controls every website, database, and email account hosted on the server.

WP Squared (WP2) is WebPros' managed WordPress hosting platform built on top of cPanel, providing WordPress-specific management on the same infrastructure.

Because a single cPanel/WHM server may host hundreds or thousands of customer websites, a single successful exploitation event can result in mass compromise of all hosted accounts, databases, and associated customer data.

Affected Versions

All cPanel and WHM versions after v11.40 are affected. WP Squared versions prior to 11.136.1.7 are also affected.

Technical Details

Root Cause: Unsanitized Session File Writes Before Authentication

cPanel's service daemon (cpsrvd) uses an on-disk session file store at /var/cpanel/sessions/raw/. When a client initiates a login request, cpsrvd writes a new session file to disk before authentication occurs — capturing the client's cookie and request data as key-value pairs in a line-delimited format.

The vulnerability arises because cpsrvd fails to sanitize CRLF characters (\r\n) from the whostmgrsession cookie value or the password field in a Basic Authorization header before writing this data into the session file.

Exploitation Chain

1. An attacker sends a crafted HTTP request to cPanel's login endpoint, omitting an expected segment of the whostmgrsession cookie value — this causes cPanel to skip the encryption step normally applied to cookie contents.

2. The attacker embeds raw \r\n characters in the malicious header value. When cpsrvd writes the session file, these newlines are honored as line delimiters within the key-value format, allowing the attacker to inject arbitrary session properties.

3. The injected data includes: user=root and cp_security_token=<attacker-chosen-token>.

4. A secondary malformed request causes cpsrvd to reload ("promote") the session from disk into its active in-memory session cache.

5. cPanel reads the injected properties as legitimate authenticated session data, skips password verification, and grants the attacker root-level WHM access for the attacker-chosen token.

The modification lands in an on-disk session file, not an HTTP response header — making standard CRLF-header-injection defenses irrelevant. The full compromise requires no credentials, no user interaction, and works over the internet against any exposed WHM port.

Attack Characteristics

IOC Detection

WebPros released an official detection script (ioc_checksessions_files.sh) that scans session files for injection artifacts. A compromised session file shows:

[!] CRITICAL: Exploitation artifact - token_denied with injected cp_security_token: /var/cpanel/sessions/raw/:Q3f8Ag...
   - cp_security_token=/cpsess04396539398
   - token_denied=1
   - origin=address=<attacker-IP>,app=whostmgrd,method=badpass
   - Verdict: Session was pre-auth (badpass origin) with attacker-injected token

The key indicator is a badpass origin combined with an attacker-injected cp_security_token — sessions created this way were never authenticated via the normal credential flow.

Discovery

CVE-2026-41940 was assigned on April 29, 2026, the day after WebPros published their security advisory. watchTowr Labs published the first public technical analysis and working proof-of-concept on April 29.

However, KnownHost — a managed cPanel hosting provider — confirmed that in-the-wild exploitation was already underway prior to disclosure, with the earliest confirmed exploitation event dated February 23, 2026: over two months before the patch. The party who reported the vulnerability to WebPros may not have been aware of ongoing exploitation. Security commentators have questioned why WebPros did not communicate the vulnerability's existence to hosting providers sooner, or provide interim mitigations while developing the fix.

Exploitation Context

CVE-2026-41940 was exploited at mass scale, combining a critical CVSS score with a massive pre-existing attack surface:

• Zero-day exploitation: Active since at least February 23, 2026 — confirmed by KnownHost
• Internet exposure: Shodan / Rapid7 enumeration identified approximately 1.5 million cPanel instances exposed to the internet
• Domain impact: cPanel powers an estimated 70 million+ domains globally; a single server compromise may expose hundreds of hosted sites
• PoC availability: watchTowr Labs' technical analysis and working exploit published April 29, 2026
• Nuclei template: Hadrian Security published an automated Nuclei detection template (cve-2026-41940-native.yaml) confirming vulnerable instances without false positives
• Confirmed breaches: KnownHost reported roughly 1-in-30 affected servers were compromised before patches were deployed on self-managed systems
• CISA KEV timing: Added one day after public disclosure (April 30), suggesting active federal/critical infrastructure targeting

Successful exploitation grants an attacker control over the cPanel host system, all server configurations and databases, and every website managed on the server. Given WHM's root-equivalent access level, post-exploitation typically includes credential harvesting across all hosted accounts, web shell deployment, and persistent backdoor installation.

Remediation

Recommended Actions

1. Update to fixed versions immediately — cPanel's automatic update mechanism should apply security patches automatically on most managed installations. Verify with cat /usr/local/cpanel/version. Self-managed instances must apply updates manually via upcp.

2. Check for prior compromise — Run WebPros' IOC detection script to scan session files for injection artifacts:

   bash ./ioc_checksessions_files.sh
   

   Download from the cPanel security advisory. Flag any sessions showing badpass origin with injected cp_security_token values.

3. Review WHM access logs — Examine /var/cpanel/logs/access_log and session files in /var/cpanel/sessions/raw/ for unexpected root logins or sessions originating from unknown IP addresses between February 23 and April 28, 2026.

4. Restrict WHM port access — Lock WHM's administrative port (default: TCP 2087) to known management IP ranges at the firewall or hosting provider network level. This eliminates remote exploitation vectors for any future vulnerabilities of this class.

5. Treat confirmed compromises as full server compromise — Successful exploitation grants root WHM access. If prior exploitation is confirmed via the IOC script, assume all hosted account credentials, databases, and private keys have been exfiltrated. Begin incident response procedures including notification of affected hosted customers.

6. Enable automatic cPanel updates — In WHM, navigate to Server Configuration → Update Preferences and set the update tier to RELEASE with automatic updates enabled. This ensures future critical security patches apply promptly.