CVE-2026-41940 is a CVSS 9.8 zero-day authentication bypass in cPanel & WHM, a platform that manages over 70 million domains. A CRLF injection in the login flow grants root-level WHM access without a password. watchTowr Labs released a public PoC, and the flaw was exploited in the wild for up to 30 days before the patch. Patch immediately.
A large portion of websites on the Internet are managed through cPanel and WHM, the platform that allows hosting providers, server administrators, and website owners to control their domains, databases, emails, and SSL certificates from one place.
Now imagine the login mechanism of this platform being bypassed without a password and without a valid account, with nothing more than a crafted HTTP request. That is what CVE-2026-41940 allows. On April 28, 2026, cPanel released a security update addressing a critical vulnerability in cPanel & WHM and WP Squared.
The identifier CVE-2026-41940 was assigned on April 29. The flaw carries a CVSS score of 9.8 and allows unauthenticated remote attackers to bypass authentication and gain administrative access. It affects all supported versions of cPanel & WHM, and the platform manages over 70 million domains.
What makes this flaw truly alarming is not just its severity but the fact that it was actively exploited before the patch existed, forcing almost every major hosting provider in the world to cut customers off from the product in an emergency.
CRLF Injection: One Small Character, Full Server Control
CVE-2026-41940 is a carriage return / line feed (CRLF) injection in the login and session-loading code of cPanel and WHM. The cpsrvd daemon (the cPanel service daemon) writes a new session file to disk before authentication has completed.
The vulnerability lets an attacker manipulate the whostmgrsession cookie by omitting an expected segment of the cookie value, which skips the encryption step that would normally be applied to the attacker-supplied value.
The attacker then injects raw \r\n characters through a crafted HTTP Basic Authorization header, and cpsrvd writes that data into the session file without sanitizing it. Because the session file is line-oriented, each injected line becomes a new property, so the attacker can insert arbitrary properties such as user=root into their own session file.
watchTowr Labs researcher Sina Kheirkhah publicly released the full technical write-up of the exploit chain. The first step is minting a pre-authentication session through a failed login, which yields a base session identifier.
The second step is sending a crafted HTTP Basic Authorization header whose password field carries fake session records separated by \r\n, such as hasroot=1, tfa_verified=1, user=root and successful_internal_auth_with_timestamp, while deliberately stripping the obfuscated portion of the session cookie so that the encryption step is bypassed.
The injected lines sit in the session file on disk and are invisible through the JSON cache, but a specific code path in do_token_denied re-reads the raw file, and the injected lines then become top-level entries in the JSON cache. Root-level WHM access is confirmed by requesting the /json-api/version endpoint, which returns HTTP 200.
The root cause is that a sanitization function, filter_sessiondata, existed but was never called from within saveSession itself. Every caller was expected to invoke it manually, and a critical code path in the core server daemon cpsrvd did not. A fundamental coding oversight, a function that was written but not called in the right place, exposed 70 million domains to an unauthenticated authentication bypass.
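To make the root cause concrete, the following Python model (an added example written for this article, not cPanel's Perl code) reproduces the bug class: a line-oriented key=value session store, a sanitizer that exists but is only applied when the save routine calls it, and a login value containing the CRLF-separated records named above. The session file layout, the field name last_attempt and the idea that some attacker-controlled login field is persisted before authentication are modelling assumptions; the injected keys are the ones the write-up describes.

```python
import os
import re
import tempfile

# Constructed model of a line-oriented session store (one key=value per
# line), as the article describes for cpsrvd session files. Not cPanel code.
CRLF = re.compile(r"[\r\n]+")


def filter_sessiondata(value) -> str:
    """Strip carriage returns and line feeds from a single session value.

    Stands in for the sanitizer the article says existed (filter_sessiondata)
    but was not invoked on the vulnerable code path.
    """
    return CRLF.sub("", str(value))


def save_session_vulnerable(path: str, session: dict) -> None:
    """Write every property verbatim. A value containing CRLF becomes
    extra lines, i.e. extra properties, when the file is read back."""
    with open(path, "w", newline="") as fh:
        for key, value in session.items():
            fh.write(f"{key}={value}\n")


def save_session_fixed(path: str, session: dict) -> None:
    """Same writer, but the sanitizer runs inside the save routine itself,
    so no caller can forget to apply it."""
    with open(path, "w", newline="") as fh:
        for key, value in session.items():
            fh.write(f"{filter_sessiondata(key)}={filter_sessiondata(value)}\n")


def load_session(path: str) -> dict:
    """Parse key=value lines. A later line for the same key wins, which is
    what lets an injected user=root override the real user."""
    data = {}
    with open(path, newline="") as fh:
        for raw in fh:
            line = raw.rstrip("\r\n")
            if "=" not in line:
                continue
            key, _, value = line.partition("=")
            data[key] = value
    return data


# Attacker-supplied password carrying fake session records separated by CRLF
# (constructed for this example; the key names are from the write-up).
INJECTED_PASSWORD = "x\r\nhasroot=1\r\ntfa_verified=1\r\nuser=root"


def failed_login(writer, username="guest", password=INJECTED_PASSWORD) -> dict:
    """Model a failed pre-auth login that still persists a session file
    containing one attacker-controlled field, then read the session back.

    Assumption: a login-request field lands in the session file; it is
    modelled here as 'last_attempt'.
    """
    fd, path = tempfile.mkstemp(prefix="sess_")
    os.close(fd)
    try:
        writer(path, {"hasroot": "0", "user": username, "last_attempt": password})
        return load_session(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("vulnerable:", failed_login(save_session_vulnerable))
    print("fixed:     ", failed_login(save_session_fixed))
```

With the vulnerable writer the loaded session comes back with user=root, hasroot=1 and tfa_verified=1 even though the caller only ever set user=guest and hasroot=0; with the sanitizer applied inside the save routine, the whole payload collapses into a single harmless last_attempt value. The fix is structural: sanitization belongs in the one place every write passes through, not in each caller.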
Exploited in the Wild for Up to 30 Days Before the Patch
Benjamin Harris, CEO and founder of watchTowr Labs, confirmed to The Hacker News that this is an unauthenticated authentication bypass in cPanel and WHM, which is deployed on tens of thousands of servers and exposed to a meaningful chunk of the internet.
Within hours of the advisory dropping, nearly every major hosting provider firewalled customers off from their own products. Hosting.com, Namecheap, KnownHost, HostPapa, InMotion and others all pulled the emergency brake, because the alternative was watching their entire customer base be compromised in real time.
KnownHost confirmed that the exploitation window was measured not in hours but in weeks (less than 30 days): the vulnerability was being exploited as a zero-day against the internet's management layer long before cPanel acknowledged a problem.
The NIST National Vulnerability Database describes the flaw as follows: cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that could allow unauthenticated remote attackers to gain unauthorized access to the control panel.
Given cPanel's dominant position in the shared hosting market, the attack surface is very large. The barrier to exploitation has dropped dramatically since the public PoC was released, and opportunistic threat actors are expected to fold it into mass-scanning campaigns.
Apply the patch immediately. cPanel has released emergency patches in the following versions: 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20 and 11.136.0.5. The patched version for WP Squared deployments is 136.1.7.
To update right away, run /scripts/upcp --force, then verify the build with /usr/local/cpanel/cpanel -V and restart the service with /scripts/restartsrv_cpsrvd. Servers that cannot be patched immediately should block inbound traffic on ports 2083, 2087, 2095 and 2096.
Servers running unsupported cPanel versions should be treated as compromised until proven otherwise. Enable two-factor authentication on WHM and restrict access to trusted IPs only, but note that the exploit chain injects tfa_verified=1 into the session, so two-factor authentication is defense in depth here rather than a mitigation for this bypass. Audit your login logs for the window before the April 28 port blocks took effect to identify any suspicious access.
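One concrete check for that audit, as an added example and not something cPanel ships: decode each HTTP Basic Authorization header and flag credentials that contain carriage returns or line feeds, or that carry the session keys named in the exploit chain. It assumes you have captured Authorization header values (for example from a WAF or reverse proxy in front of ports 2083/2087), since a normal access log does not record them; the request records below are constructed for the example, and the path and source addresses are placeholders.

```python
import base64
import binascii

# Session keys the write-up says the exploit injects. Any of these inside a
# Basic-auth password is a strong indicator of an exploitation attempt.
INJECTED_KEYS = (
    "user=root",
    "hasroot=",
    "tfa_verified=",
    "successful_internal_auth_with_timestamp",
)


def make_basic(user: str, password: str) -> str:
    """Build a 'Basic <base64>' header value; used to construct samples."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header_value: str):
    """Return (user, password) from a Basic header, or None if not decodable."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    user, _, password = raw.partition(":")
    return user, password


def classify_basic_auth(header_value: str) -> str:
    """Classify one Authorization header value.

    CR/LF in either field is checked first, because that is the primitive the
    bug needs; the key-name check catches sloppier variants of the payload.
    """
    creds = decode_basic(header_value)
    if creds is None:
        return "undecodable"
    user, password = creds
    if any(ch in user or ch in password for ch in ("\r", "\n")):
        return "crlf-in-credentials"
    if any(key in password for key in INJECTED_KEYS):
        return "session-keys-in-password"
    return "clean"


# Constructed request records (not real logs). Source addresses are from the
# documentation ranges and the paths are placeholders.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.10", "path": "/login/", "auth": make_basic("root", "Winter2026!")},
    {"src": "198.51.100.7", "path": "/login/",
     "auth": make_basic("root", "x\r\nhasroot=1\r\ntfa_verified=1\r\nuser=root")},
    {"src": "198.51.100.7", "path": "/json-api/version",
     "auth": make_basic("root", "p hasroot=1 user=root")},
    {"src": "192.0.2.44", "path": "/login/", "auth": "Bearer not-basic"},
]


def find_suspicious_logins(records=SAMPLE_REQUESTS):
    """Return (src, path, verdict) for every record that is not clean Basic auth."""
    hits = []
    for rec in records:
        verdict = classify_basic_auth(rec["auth"])
        if verdict in ("crlf-in-credentials", "session-keys-in-password"):
            hits.append((rec["src"], rec["path"], verdict))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_logins():
        print(*hit)
```

Any source address that produces a hit here and then reaches /json-api/version with an HTTP 200 deserves a full host-level investigation, not just a password reset: with user=root in the session, everything WHM can do was available to the attacker.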