PT-2026-35936 · WordPress+1 · Wp Squared+1
Watchtowr · Published 2026-04-29 · Updated 2026-05-01 · CVE-2026-41940
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
cPanel & WHM versions prior to 11.110.0.97
cPanel & WHM versions prior to 11.118.0.63
cPanel & WHM versions prior to 11.126.0.54
cPanel & WHM versions prior to 11.130.0.18
cPanel & WHM versions prior to 11.132.0.29
cPanel & WHM versions prior to 11.134.0.20
cPanel & WHM versions prior to 11.136.0.5
WP Squared versions prior to 11.136.1.7
Description
An authentication bypass exists in the login flow of the cpsrvd service daemon, allowing unauthenticated remote attackers to gain full administrative root access to the control panel. The issue is caused by a CRLF (Carriage Return Line Feed) injection, in which \r characters are used to manipulate data, within the Authorization header during a failed login attempt to the '/login/?login_only=1' endpoint. By manipulating a cookie to disable password encryption, an attacker can inject arbitrary properties, such as user=root, hasroot=1, and tfa_verified=1, directly into the session file located under '/var/cpanel/sessions/raw/'. A subsequent request to '/scripts2/listaccts' triggers a session reload, promoting these injected values into memory and bypassing the docheckpass_whostmgrd() function. This flaw has been actively exploited in the wild since February 2026, with an estimated 1.5 to 2 million instances exposed globally. Real-world incidents include mass infrastructure breaches in which attackers deleted site files and deployed ransomware.
Recommendations
Update to version 11.110.0.97 or later.
Update to version 11.118.0.63 or later.
Update to version 11.126.0.54 or later.
Update to version 11.130.0.18 or later.
Update to version 11.132.0.29 or later.
Update to version 11.134.0.20 or later.
Update to version 11.136.0.5 or later.
Update WP Squared to version 11.136.1.7 or later.
As a temporary mitigation, restrict access to ports 2082, 2083, 2086, 2087, 2095, and 2096 to trusted IP addresses only.
After updating, restart the cpsrvd service and rotate all root passwords, API tokens, SSL private keys, SSH keys, and database passwords.
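The fixed releases above are per-branch, so "am I patched?" is a branch-aware comparison rather than a single threshold. The following is an added example, not code from the advisory's author or from cPanel: it parses a cPanel & WHM or WP Squared version string, matches it to the branch of the corresponding fixed release, and reports whether the install is still affected. The fixed version strings are copied from the advisory; the rule that the first two components identify a branch, the default path /usr/local/cpanel/version, and the sample versions in the demo are assumptions.

```python
"""Branch-aware patch check for the cPanel & WHM / WP Squared fixes listed in the advisory.

Added example, not part of the advisory or of cPanel's own tooling.
Assumptions: a branch is identified by the first two version components
(e.g. 11.110), and the installed version can be read from
/usr/local/cpanel/version (pass another path if your install differs).
"""
from __future__ import annotations

# Fixed releases as listed in the advisory's recommendations.
FIXED_VERSIONS = {
    "cpanel": [
        "11.110.0.97", "11.118.0.63", "11.126.0.54", "11.130.0.18",
        "11.132.0.29", "11.134.0.20", "11.136.0.5",
    ],
    "wp_squared": ["11.136.1.7"],
}

# Assumed default location of the installed version string.
DEFAULT_VERSION_FILE = "/usr/local/cpanel/version"


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '11.110.0.97' into (11, 110, 0, 97); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def _fmt(v: tuple[int, ...]) -> str:
    return ".".join(str(p) for p in v)


def assess(product: str, installed: str) -> tuple[str, str | None]:
    """Return (status, fixed_version) for the installed version.

    status is one of:
      'vulnerable' - installed is below the fixed release for its branch,
                     or older than the oldest branch the advisory covers
      'fixed'      - installed is at or above its branch's fixed release
      'unknown'    - the branch is not listed in the advisory; check manually
    """
    if product not in FIXED_VERSIONS:
        raise ValueError(f"unknown product: {product!r}")
    v = parse_version(installed)
    fixed = sorted(parse_version(f) for f in FIXED_VERSIONS[product])

    # Tuple comparison is component-wise, so 11.110.0.5 < 11.110.0.97 as intended.
    for f in fixed:
        if v[:2] == f[:2]:  # assumed branch rule: same major.minor
            return ("vulnerable", _fmt(f)) if v < f else ("fixed", _fmt(f))

    # Anything older than the oldest listed fix is "prior to" it by the advisory's wording.
    if v < fixed[0]:
        return ("vulnerable", _fmt(fixed[0]))
    return ("unknown", None)


def read_installed_version(path: str = DEFAULT_VERSION_FILE) -> str:
    """Read the installed version string from disk (path is an assumption)."""
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


if __name__ == "__main__":
    # Constructed sample versions for a stand-alone run; no cPanel install needed.
    samples = [
        ("cpanel", "11.110.0.5"),     # below fixed 11.110.0.97
        ("cpanel", "11.136.0.5"),     # exactly the fixed release
        ("cpanel", "11.108.0.3"),     # older than any listed branch
        ("cpanel", "11.128.0.10"),    # branch not covered by the advisory
        ("wp_squared", "11.136.1.6"), # below fixed 11.136.1.7
    ]
    for product, ver in samples:
        status, fixed = assess(product, ver)
        print(f"{product:10} {ver:13} -> {status:10} (fixed: {fixed})")
```

To check a live host, replace the constructed samples with `assess("cpanel", read_installed_version())`; a result of `unknown` means the running branch is not one the advisory enumerates, so consult the vendor rather than assuming it is safe.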

Tags: Exploit · Fix · LPE · RCE · Missing Authentication

Weakness Enumeration
Related Identifiers: CVE-2026-41940
Affected Products: Wp Squared, Cpanel & Whm