Critical cPanel Authentication Vulnerability (CVE-2026-41940) — Update Your Server Immediately
- CVE-2026-41940 enables authentication bypass in cPanel & WHM
- Active exploits were detected before the official patch release
- All supported cPanel versions were impacted
- Hosting providers blocked ports 2083, 2087, 2095, and 2096 as emergency mitigation
- cPanel released patches within hours; immediate update is required
A newly discovered security vulnerability in cPanel has raised serious concerns across the web hosting industry, as it impacts all supported versions of cPanel & WHM. The flaw (CVE-2026-41940) targets the platform’s authentication mechanism, potentially allowing attackers to bypass login protections and gain unauthorized control over hosting environments.
What Really Happened?
On April 28, 2026, cPanel released an emergency advisory confirming a security vulnerability in the authentication paths of cPanel & WHM, the Linux-based hosting control panels owned by WebPros International and used by millions of websites worldwide.
Security researchers and hosting providers confirmed that active exploitation was observed before a patch was released, making this a high-risk zero-day security incident in the web hosting industry.
This incident is now widely referred to as a cPanel authentication bypass vulnerability affecting hosting infrastructure globally.
Hosting providers confirmed that “successful exploits were seen in the wild” before the patch was even available, calling it a “zero-day authentication and privilege escalation bug affecting almost all known cPanel versions, both end-of-life and supported”.
Who was Affected?
The vulnerability affects all recent versions of cPanel & WHM after version 11.40. cPanel confirmed the issue affected all currently supported versions without exception.
This widespread exposure makes it one of the most significant cPanel security vulnerabilities in recent years, affecting millions of websites hosted on shared, VPS, and reseller environments.
Resolution
cPanel has pushed out a patch for each of the following cPanel & WHM versions:
| Sr. No. | cPanel & WHM Version |
|---|---|
| 1 | 11.86.0.41 |
| 2 | 11.110.0.97 |
| 3 | 11.118.0.63 |
| 4 | 11.126.0.54 |
| 5 | 11.130.0.19 |
| 6 | 11.132.0.29 |
| 7 | 11.136.0.5 |
| 8 | 11.134.0.20 |
cPanel has also pushed out a patch for the following WP Squared version:
| Sr. No. | WP Squared Version |
|---|---|
| 1 | 136.1.7 |
This rapid release marks one of the fastest responses to a cPanel authentication bypass exploit in recent history.
Industry Response: Ports Blocked Within Hours
The broader web hosting industry response was immediate. Within hours of the advisory going public, major providers blocked cPanel and WHM network ports entirely as an emergency measure while awaiting the official patch.
Namecheap was among the first to respond publicly, stating the vulnerability “relates to an authentication login exploit that could allow unauthorized access to the control panel.” As an immediate precaution, Namecheap applied a firewall rule blocking TCP ports 2083 and 2087, temporarily cutting off customer access to cPanel and WHM interfaces. By April 29, 2026, 02:42 a.m. UTC, the patch had been applied across their Reseller and Stellar Business servers.
KnownHost, InMotion Hosting, hosting.com, and HostPapa also blocked cPanel-related ports at the network level.
Ports blocked as emergency measures across the industry:
- 2082 / 2083 — cPanel HTTP/HTTPS
- 2086 / 2087 — WHM HTTP/HTTPS
- 2095 / 2096 — Webmail
- 2077 / 2078 — WebDisk
These emergency mitigations were deployed as part of a coordinated hosting industry security response to the cPanel zero-day exploit. Crucially, websites, applications, databases, and email continued operating normally throughout the incident. Only the control panel interfaces were inaccessible.
cPanel released the official fix approximately 2–3 hours after the public advisory. Full deployment across major providers took 6–7 hours from initial disclosure.
Timeline
| Date / Time (UTC) | Event |
|---|---|
| April 28, 2026 (before advisory) | Active exploitation confirmed in the wild by KnownHost |
| April 28, 2026 | cPanel publishes emergency security advisory |
| April 28, 2026 (within hours) | Namecheap, KnownHost, InMotion, HostPapa, hosting.com block cPanel ports |
| April 28, 2026 (~2–3 hrs after advisory) | cPanel releases official patch |
| April 28, 2026 (~6–7 hrs after advisory) | Full deployment across major hosting providers |
| April 29, 2026, 02:42 UTC | Namecheap confirms patch fully applied to all eligible servers |
Required Actions Released by cPanel
Following the discovery of the critical vulnerability, cPanel has officially released a security advisory outlining the immediate steps that server administrators must take to secure their systems.
Force update cPanel:
cPanel strongly advises updating affected servers to the latest patched versions, so administrators should apply the cPanel emergency patch immediately using:
| Step | Command |
|---|---|
| Force update | /scripts/upcp --force |
Restart cPanel service:
Once the update has completed, verify the cPanel build version being returned and restart the cPanel service (cpsrvd):
| Step | Command |
|---|---|
| Check installed version | /usr/local/cpanel/cpanel -V |
| Restart cpsrvd | /scripts/restartsrv_cpsrvd |
Manual Update for Restricted Setups
If automatic updates are disabled or your system is pinned to a specific version, the server will not update on its own. In such cases, you must update those servers manually as a priority.
cPanel also provides guidance on customizing update preferences via the command line for better control over future updates. If your server is managed by a provider, it’s important to confirm that patches have been applied or consider switching to a secure cPanel hosting provider that handles updates proactively.
Alternative Mitigation
If you are not able to apply the update immediately, cPanel recommends the following temporary mitigations:
Block inbound traffic on the following ports at the firewall:
| Port | Service |
|---|---|
| 2083 | cPanel (HTTPS) |
| 2087 | WHM (HTTPS) |
| 2095 | Webmail (HTTP) |
| 2096 | Webmail (HTTPS) |
You can stop the vulnerable services (cpsrvd and cpdavd) using:
| Command |
|---|
| whmapi1 configureservice service=cpsrvd enabled=0 monitored=0 && whmapi1 configureservice service=cpdavd enabled=0 monitored=0 && /scripts/restartsrv_cpsrvd --stop && /scripts/restartsrv_cpdavd --stop |
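After applying either mitigation, the thing to confirm is that nothing on the control-panel port family is still accepting connections. The script below is an added example, not part of cPanel's advisory or any provider's tooling: it parses `ss -ltn` style output (a constructed sample is embedded so it runs offline) and reports which of the cPanel, WHM, Webmail and WebDisk ports listed earlier in this article are still listening, and it prints, without executing, the iptables rules for the four ports cPanel says to block. It assumes the standard `ss -ltn` column layout in which the fourth field is the local address and port.

```shell
#!/bin/sh
# Added example (not from cPanel or any provider quoted above): verify that the
# emergency port mitigation took effect by listing which cPanel-family ports
# still accept connections, from `ss -ltn` output, and emit the iptables rules
# for the cPanel-recommended inbound block. Nothing here changes firewall state.

# Ports from the article: cPanel, WHM, Webmail and WebDisk (HTTP/HTTPS pairs).
CPANEL_FAMILY_PORTS="2082 2083 2086 2087 2095 2096 2077 2078"
# Subset the cPanel advisory says to block at the firewall.
CPANEL_BLOCK_PORTS="2083 2087 2095 2096"

# listening_ports: print the local port of every LISTEN row in `ss -ltn` output
# read from stdin. The port is the text after the last ":" of field 4, which
# also handles IPv6 forms such as "[::]:2087". Assumes the standard ss layout.
listening_ports() {
    awk 'NR > 1 && $1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# exposed_cpanel_ports: print, one per line, the cPanel-family ports still
# listening on stdin's `ss -ltn` output; return 1 if any are found so the
# function doubles as a check.
exposed_cpanel_ports() {
    listening=$(listening_ports)
    found=0
    for p in $CPANEL_FAMILY_PORTS; do
        for l in $listening; do
            if [ "$l" = "$p" ]; then
                printf '%s\n' "$p"
                found=1
            fi
        done
    done
    [ "$found" -eq 0 ]
}

# drop_rules: print one iptables INPUT rule per port that drops inbound TCP.
# Printed rather than executed so an operator can review before applying.
drop_rules() {
    for p in $1; do
        printf 'iptables -I INPUT -p tcp --dport %s -j DROP\n' "$p"
    done
}

# Constructed sample of `ss -ltn` output (not captured from a real host): SSH,
# HTTP and MySQL are unaffected, but cPanel (2083) and WHM (2087) still listen.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*
LISTEN 0      128    0.0.0.0:2083        0.0.0.0:*
LISTEN 0      128    [::]:2087           [::]:*
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*'

# audit_sample: run the exposure check over the constructed sample. It returns
# 1 here because 2083 and 2087 remain. On a live host: ss -ltn | exposed_cpanel_ports
audit_sample() {
    printf '%s\n' "$SAMPLE_SS" | exposed_cpanel_ports
}

# count_exposed: number of exposed ports audit_sample reports (2 for the sample).
count_exposed() {
    audit_sample | wc -l | tr -d ' '
}
```

On a live server the check is `ss -ltn | exposed_cpanel_ports`; a zero exit status means the whole control-panel family is closed, which is what you want to see after the `restartsrv_cpsrvd --stop` step and again after the firewall rules are in place.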