PT-2026-35936 · Cpanel · Cpanel & Whm

Watchtowr · Published 2026-04-29 · Updated 2026-06-13 · CVE-2026-41940

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

cPanel and WHM versions prior to 11.86.0.41
cPanel and WHM versions prior to 11.110.0.97
cPanel and WHM versions prior to 11.118.0.63
cPanel and WHM versions prior to 11.124.0.35
cPanel and WHM versions prior to 11.126.0.54
cPanel and WHM versions prior to 11.130.0.19
cPanel and WHM versions prior to 11.132.0.29
cPanel and WHM versions prior to 11.134.0.20
cPanel and WHM versions prior to 11.136.0.5
WP Squared versions prior to 136.1.7
Description

A critical authentication bypass exists in the pre-authentication session logic of the cpsrvd service daemon. The issue stems from improper sanitization of the Authorization header, which allows a CRLF (Carriage Return Line Feed) injection. By sending a specially crafted request whose Authorization header carries encoded CRLF characters, an unauthenticated remote attacker can write attacker-controlled lines into the temporary session files that cpsrvd keeps on disk. This allows the injection of arbitrary properties, such as user=root, which cpsrvd then reads back as legitimate session attributes, granting the attacker full root administrative access without a password.
Approximately 1.5 to 2 million cPanel & WHM instances are exposed to the internet. The flaw has been exploited in the wild by several actors, including the Sorry ransomware group and a threat actor known as Mr Rot13. Observed impacts include the deployment of Golang-based ransomware, the installation of the Filemanager backdoor, and the exfiltration of sensitive data to Telegram channels. Attackers have also used this access to implant SSH public keys and PHP webshells for persistent control.
Technical details: the Authorization header is used to inject carriage-return (\r) characters into session files located in /var/cpanel/sessions/. The attack also manipulates the whostmgrsession cookie to disable password encryption, so that the injected values are stored in plain text.
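As an added illustration (written for this page, not code from cPanel, Watchtowr or this advisory), the following Python models the mechanism described in the Description and Technical details above: a session file written as key=value lines from a decoded Authorization header, the same write path with the decoded value validated, and a check that scans one session file for the injected-property pattern. The line-oriented key=value file format, the percent-decoding of the header, the "later line wins" read-back, and the sample headers are all assumptions made for illustration and are not taken from the advisory or from cpsrvd.

```python
# Added example: a model of the session-file CRLF injection described above.
# Illustrative code written for this page, not cPanel/cpsrvd code.
# Assumptions (not from the advisory): the session file is a line-oriented
# "key=value" store, the daemon percent-decodes the Authorization header
# before storing it, and a later duplicate key wins when the file is read back.
import re
from urllib.parse import unquote

# Constructed attacker header: decodes to "Basic x\r\nuser=root".
ATTACK_HEADER = "Basic%20x%0d%0auser%3droot"
# Constructed benign header (Basic credentials, base64 of "user:pw").
BENIGN_HEADER = "Basic%20dXNlcjpwdw%3D%3D"

_CTRL = re.compile(r"[\x00-\x1f\x7f]")  # CR, LF and other control bytes


def parse_session(text: str) -> dict:
    """Read back a key=value session file; a later line overrides an earlier one."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            props[key] = value
    return props


def write_session_vulnerable(auth_header: str, session_id: str) -> str:
    """Vulnerable path: decode the header and store it with no CR/LF filtering.
    The attacker's CRLF terminates the 'auth' line and starts a 'user=root' line."""
    token = unquote(auth_header)
    return f"id={session_id}\nuser=anonymous\nauth={token}\n"


def write_session_hardened(auth_header: str, session_id: str) -> str:
    """Hardened path: validate the *decoded* value. The CRLF arrives encoded,
    so a check on the raw header text would never see it."""
    token = unquote(auth_header)
    if _CTRL.search(token):
        raise ValueError("control characters in Authorization header")
    return f"id={session_id}\nuser=anonymous\nauth={token}\n"


def hardened_rejects(auth_header: str) -> bool:
    """True if the hardened writer refuses the header."""
    try:
        write_session_hardened(auth_header, "s1")
    except ValueError:
        return True
    return False


def find_injected_properties(session_text: str) -> list:
    """Post-exploitation check for one session file: flag stray CR bytes and keys
    that appear twice with different values (e.g. user=anonymous, then user=root)."""
    findings = []
    if "\r" in session_text:
        findings.append("carriage-return byte present")
    seen = {}
    for line in session_text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key in seen and seen[key] != value:
            findings.append(f"duplicate key {key!r}: {seen[key]!r} then {value!r}")
        seen[key] = value
    return findings


if __name__ == "__main__":
    vuln = write_session_vulnerable(ATTACK_HEADER, "s1")
    print("vulnerable path resolves user =", parse_session(vuln)["user"])  # root
    print("hardened path rejects attack:", hardened_rejects(ATTACK_HEADER))  # True
    print("findings:", find_injected_properties(vuln))
```

The validation deliberately runs on the decoded token: filtering the raw header for literal CR/LF would leave the %0d%0a form intact and the injection would still land. The scan function is a per-file check; to apply it to /var/cpanel/sessions/ you would read each file and pass its contents in, treating any finding as a reason to invalidate the session and investigate the host.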
Recommendations

Update cPanel and WHM to version 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, or 11.136.0.5, depending on the current branch, and update WP Squared to version 136.1.7 or later. As a temporary mitigation, block inbound traffic on ports 2082, 2083, 2086, 2087, 2095, and 2096, or restrict access to these ports to trusted static IP addresses or VPN ranges; alternatively, stop the cpsrvd and cpdavd services until patching is complete. Because the flaw has been exploited in the wild, patching alone does not remove an attacker who is already in: after patching, rotate all root, WHM/reseller, and user passwords, as well as API tokens, SSL private keys, and SSH keys, and review authorized_keys files and web roots for the implanted SSH keys and PHP webshells described above.

Exploit

Fix

RCE

DoS

LPE

Missing Authentication

Related Identifiers

BDU:2026-06279
CVE-2026-41940

Affected Products

Wp Squared
Cpanel & Whm