# cPanel and WHM Authentication Bypass CVE-2026-41940 Allows Root Access

_Friday, May 1, 2026 at 12:23 AM EDT · Cybersecurity · Latest · Tier 1 — Major_

![cPanel and WHM Authentication Bypass CVE-2026-41940 Allows Root Access — Primary](https://storage.ghost.io/c/a0/dc/a0dcbbe4-0ae7-4d7e-90f7-ebbc3a0f5a84/content/images/size/w1200/2026/04/Group-8730--2-.png)

Security researchers at watchTowr Labs have disclosed a critical authentication bypass vulnerability in cPanel and WHM, a web hosting control panel platform that manages an estimated 70 million domains. The flaw, tracked as CVE-2026-41940, affects all currently supported versions of the software and has been actively exploited in the wild as a zero-day.

The vulnerability stems from improper session handling in cpsrvd, the core server daemon. An attacker can craft a malicious HTTP Basic authentication request combined with a modified session cookie to inject key-value pairs into a session file on disk. By exploiting a missing output buffer segment in the cookie, the attacker can write plaintext control directives including hasroot=1 and successful_internal_auth_with_timestamp into the session state.

The attack chain begins with a failed login request to mint a pre-authentication session. The attacker then sends a Basic auth header containing carriage-return and line-feed characters within the password field, paired with a session cookie stripped of its comma-separated hex key. Because the session loader prefers a JSON cache file over the raw session file, the injected lines initially remain hidden. However, by triggering a token-denied error through a request lacking a security token, the attacker forces the server to invoke a session modification routine that reads the raw file and repopulates the cache with the injected values now parsed as top-level keys.

Once the cache is poisoned, subsequent requests using the same session bypass password validation entirely. The server sees successful_internal_auth_with_timestamp as set and returns AUTH_OK without consulting the system's shadow password file, granting the attacker root-level administrative access to WHM.
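The article's attack chain hinges on carriage-return and line-feed characters reaching the session layer through the password half of an HTTP Basic credential. The following is an added detection example written for this article, not code from cPanel or watchTowr; it decodes `Authorization: Basic` values from captured request records (the records below are constructed, and the record layout, field names and the finding labels are assumptions) and flags credentials that contain CR/LF or other control bytes, which is the kind of check a WAF, reverse proxy or log-review job in front of WHM could apply.

```python
"""Flag HTTP Basic auth headers whose decoded credentials carry CR/LF or
other control bytes. Added defensive example for this article; it is not
cPanel's or watchTowr's code, and the request records are constructed."""
import base64
import binascii


def decode_basic(header_value):
    """Return the decoded credential bytes of an 'Authorization: Basic ...'
    value, or None when the scheme is not Basic or the token is not valid
    base64 (validate=True rejects stray characters instead of skipping them)."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        return base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None


def credential_findings(header_value):
    """Return a list of finding labels for one Authorization header value.
    An empty list means nothing suspicious was seen."""
    raw = decode_basic(header_value)
    if raw is None:
        return ["unparseable-basic-auth"]
    findings = []
    if b"\r" in raw or b"\n" in raw:
        # Line terminators have no business inside a user:password pair.
        findings.append("crlf-in-credentials")
    elif any(b < 0x20 or b == 0x7F for b in raw):
        findings.append("control-char-in-credentials")
    if b":" not in raw:
        # RFC 7617 requires the user-id:password form.
        findings.append("missing-colon-separator")
    return findings


def scan_requests(records):
    """records: iterable of dicts with 'src', 'path' and 'headers' (assumed
    layout). Returns (src, path, findings) for every request with a
    suspicious Authorization header."""
    hits = []
    for rec in records:
        auth = rec["headers"].get("Authorization")
        if not auth:
            continue
        findings = credential_findings(auth)
        if findings:
            hits.append((rec["src"], rec["path"], findings))
    return hits


# Constructed sample capture: one ordinary login, one credential with an
# embedded CRLF and a generic injected line, one request with no auth header.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.10", "path": "/login/",
     "headers": {"Authorization": "Basic "
                 + base64.b64encode(b"alice:correct horse").decode()}},
    {"src": "198.51.100.7", "path": "/login/",
     "headers": {"Authorization": "Basic "
                 + base64.b64encode(b"root:x\r\ninjected_key=1").decode()}},
    {"src": "198.51.100.7", "path": "/",
     "headers": {"Cookie": "session=example"}},
]

if __name__ == "__main__":
    for src, path, findings in scan_requests(SAMPLE_REQUESTS):
        print(f"{src} {path} -> {', '.join(findings)}")
```

The check is deliberately scheme-level rather than cPanel-specific: any credential with line terminators in it is malformed regardless of the backend, so rejecting or alerting on it in front of cpsrvd costs nothing for legitimate clients and leaves an audit trail of the source address attempting it.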

cPanel has released patched versions across all supported release tracks, including 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5. Hosting provider KnownHost confirmed that in-the-wild exploitation was already underway before the patch was available.
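To turn the patched build list above into a triage check, here is an added example (not cPanel's tooling) that parses a four-part cPanel/WHM version string, finds its release track and compares it with the fixed build the article lists for that track. The patched builds are taken from the article; the version file path in `read_installed_version` is an assumption, and any track not in the list is reported as unknown rather than guessed at.

```python
"""Compare an installed cPanel/WHM version with the patched builds the
article lists for CVE-2026-41940. Added example, not cPanel's own code."""
import re

# Fixed build per release track, as listed in the article.
PATCHED_BUILDS = {
    (11, 110): (11, 110, 0, 97),
    (11, 118): (11, 118, 0, 63),
    (11, 126): (11, 126, 0, 54),
    (11, 132): (11, 132, 0, 29),
    (11, 134): (11, 134, 0, 20),
    (11, 136): (11, 136, 0, 5),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Turn '11.126.0.54' (surrounding whitespace allowed) into an int tuple."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised cPanel version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def patch_status(text):
    """Return 'patched', 'vulnerable' or 'unknown-track'.

    Tuple comparison orders builds within a track correctly because every
    field is numeric; a track absent from PATCHED_BUILDS cannot be judged
    from the article alone, so it is reported rather than assumed safe."""
    version = parse_version(text)
    fixed = PATCHED_BUILDS.get(version[:2])
    if fixed is None:
        return "unknown-track"
    return "patched" if version >= fixed else "vulnerable"


def read_installed_version(path="/usr/local/cpanel/version"):
    """Read the version string from disk. The default path is an assumption
    about where cPanel records its version; adjust it for your install."""
    with open(path, encoding="ascii") as fh:
        return fh.read()


if __name__ == "__main__":
    import sys
    source = sys.argv[1] if len(sys.argv) > 1 else read_installed_version()
    print(f"{source.strip()}: {patch_status(source)}")
```

Run it with a version string as the first argument (`python3 check_cpanel.py 11.126.0.53`) to test the logic without a cPanel host, or with no argument on a server to read the installed version; a result of `unknown-track` means the track is not one the article covers and the vendor's advisory is the authority.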

## Sources

- [watchTowr Labs](https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/)

---
Canonical: https://techandbusiness.org/newswire/g1aj2zIELD5OFzhPGjcO78
Retrieved: 2026-05-01T06:36:10.282Z
Publisher: Tech & Business (techandbusiness.org)
