
cPanel and WHM Authentication Bypass CVE-2026-41940 Allows Root Access

Security researchers at watchTowr Labs have disclosed a critical authentication

The vulnerability stems from improper session handling in cpsrvd, the core server daemon. An attacker can craft a malicious HTTP Basic authentication request combined with a modified session cookie to inject key-value pairs into a session file on disk.

The attack chain begins with a failed login request to mint a pre-authentication session. The attacker then sends a Basic auth header containing carriage-return and line-feed characters within the password field, paired with a session cookie stripped of its comma-separated hex key. Because the session loader prefers a JSON cache file over the raw session file, the injected lines initially remain hidden. However, Once the cache is poisoned, subsequent requests using the same session

cPanel has released patched versions across all supported release tracks, including 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5. Hosting provider KnownHost confirmed that in-the-wild exploitation was already underway before the patch was available.
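The two ingredients the article describes, control characters smuggled through a Basic-auth password and a line-oriented session store that trusts whatever it is handed, are both things a server can refuse at the boundary. The following is an added illustration, not code from cpsrvd or from watchTowr Labs: a strict Basic-auth decoder that rejects any credential carrying CR/LF or other control characters, and a session serializer that refuses keys or values containing line terminators. The sample headers are constructed for the example, and the `key=value` session layout is an assumed format chosen for illustration, not cPanel's actual on-disk format.

```python
import base64
import binascii
import re

# Constructed sample Authorization headers (not captured from any real host).
# The second entry embeds CR/LF inside the password, the shape the advisory
# describes for pushing extra lines into a session file.
SAMPLE_HEADERS = [
    {"Authorization": "Basic " + base64.b64encode(b"alice:correct-horse").decode()},
    {"Authorization": "Basic " + base64.b64encode(b"alice:pw\r\ninjected_key=1").decode()},
    {"Authorization": "Basic not-base64!!"},
    {},
]

# Any C0 control character or DEL; none of these belong in a credential.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def parse_basic_auth(header_value):
    """Decode an HTTP Basic Authorization value into (username, password).

    Raises ValueError when the header is malformed or when either field
    contains a control character. Rejecting CR/LF here means the raw
    credential can never reach a line-oriented file or log unescaped.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic authorization header")
    try:
        raw = base64.b64decode(token, validate=True)
        decoded = raw.decode("utf-8")  # UnicodeDecodeError is a ValueError
    except (binascii.Error, ValueError) as exc:
        raise ValueError("credential is not valid base64") from exc
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("credential lacks the user:password separator")
    for field_name, value in (("username", user), ("password", password)):
        if CONTROL_CHARS.search(value):
            raise ValueError(f"control character in {field_name}")
    return user, password


def classify_request(headers):
    """Return 'ok', 'no-auth', or 'reject:<reason>' for one request's headers."""
    value = headers.get("Authorization")
    if value is None:
        return "no-auth"
    try:
        parse_basic_auth(value)
    except ValueError as exc:
        return f"reject:{exc}"
    return "ok"


def scan(headers_list):
    """Classify a batch of requests; useful both inline and over replayed logs."""
    return [classify_request(h) for h in headers_list]


def serialize_session(fields):
    """Serialize session fields into an assumed line-oriented key=value body.

    The serializer, not just the auth layer, refuses line terminators, so a
    value that slipped past some other entry point still cannot append a
    record of its own.
    """
    lines = []
    for key, value in fields.items():
        for part in (key, value):
            if "\n" in part or "\r" in part:
                raise ValueError("line terminator in session field")
        if "=" in key:
            raise ValueError("separator in session key")
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for headers, verdict in zip(SAMPLE_HEADERS, scan(SAMPLE_HEADERS)):
        print(verdict, headers)
    print(serialize_session({"user": "alice", "authenticated": "0"}), end="")
```

Checking twice, once when the credential is decoded and again when the session record is written, is deliberate: the advisory's point is that the session file and its cache are trusted once written, so the defence belongs before anything touches disk.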
Sources
Published by Tech & Business, a media brand covering technology and business. This story was sourced from watchTowr Labs and reviewed by the T&B editorial agent team.