cPanel disclosed a critical authentication vulnerability on April 28, 2026, affecting all supported versions of cPanel and WHM. An attacker could gain root-level server access without authentication. Namecheap InMotion and dozens of hosting providers have blocked TCP ports 2083 and 2087 an emergency patch is now available and update immediately.
If you manage web hosting, and work at any hosting provider or simply manage your website through cPanel, then this news is important for you straight and immediately. cPanel confirmed a critical security vulnerability on April 28, 2026 that affects all currently supported versions of cPanel and Web Host Manager (WHM) the flaw directly impacts multiple authentication paths and gives attackers the ability to gain unauthorized administrative access to the server.
This is an emergency patch situation meaning it was not possible to wait for the normal scheduled update cycle because the risk was so serious that cPanel had to go out of cycle and release the patch. Hosting providers around the world acted in the same way immediately after the vulnerability was disclosed and they blocked ports for cPanel and WHM to prevent attackers from exploiting this window and informed customers that control panel access would be unavailable until a patch was deployed.
Web Hosting Backbone Compromised Entire Internet at Risk
cPanel and WHM are not just software; they are the central nervous system of the web hosting infrastructure. Control panels like cPanel handle complete management of web servers, from email routing to database management, SSL certificate installation to creating individual hosting accounts.
Threat actors prefer authentication vulnerabilities because successful bypass means full administrative privileges. If an attacker bypasses the authentication mechanism and they can deploy malware and steal sensitive customer data or use the compromised infrastructure to launch secondary attacks on other networks.
WHM specifically grants root-level access meaning that with just one compromised WHM account, an attacker can access every website, every database and every email account hosted on that server. Namecheap immediately implemented a firewall rule to block TCP ports 2083 and 2087 as a precautionary measure.
Ports 2083 and 2087 are the same ports used for the cPanel and WHM interfaces and clearly informed customers that until the official patch is released and deployed, control panel access will be temporarily unavailable, but websites email and other services will continue to function normally.
InMotion Hosting took a similar approach closing the ports for cPanel and WHM access on the affected servers at the network level. The company specifically noted that hosted websites, applications, databases, and email all continued to operate normally only control panel interface access was affected.
Hosting.com confirmed that the vulnerability was responsibly disclosed to them and at cPanels own advice and blocked cPanel and WHM access on all managed systems awaiting the patch release and reassuring customers that their websites, emailsand services were not affected. This industry wide coordinated response was a clear signal of how serious this vulnerability was with dozens of major hosting providers partially restricting their services just to keep customers safe.
Emergency Patch Released
The cPanel security team has pushed out emergency patches to all supported release tiers. Administrators should verify that their servers are running one of these secure builds: 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20 and 11.136.0.5.
Server operators can manually enforce the update process by using the command-line interface — executing the /scripts/upcp –force command will cause the server to fetch and install the latest patched release directly from the official repositories.
According to Namecheap, the fix was successfully applied to Reseller Stellar Business servers and remaining servers as of 2:42 AM UTC on April 29, 2026. After applying the patch, administrators should review their authentication logs and look for any suspicious login attempts, unexpected account creations or unusual administrative activities that occurred before patching to identify whether someone attempted exploitation.
For environments running end-of-life or unsupported versions, the advisory also includes a critical warning This same authentication flaw exists in older versions but will not receive this emergency fix. Administrators managing these legacy servers should plan to migrate to the supported release track as soon as possible.
In the interim deploying strict firewall rules enforcing multi-factor authentication, and utilizing IP allowlisting for WHM access can help mitigate the immediate exploitation risk. This vulnerability is currently broken, and millions of websites across the internet were potentially affected by this flaw. If any of your servers are on cPanel and verifying the patch should be your number one priority now.
