Insufficient Ownership Checks in WHMCS Affecting User Resources
CVE-2026-29204

9.1 CRITICAL

Key Information:

Vendor: Webpros

Status
Vendor
CVE Published: 12 May 2026

What is CVE-2026-29204?

The WHMCS Client Area does not adequately check resource ownership in clientarea.php. An authenticated user can submit requests that carry another user's addonId, and the request is processed without proper ownership validation. This can lead to unauthorized access to sensitive resources and data within the victim's cPanel account, posing a significant security risk for WHMCS users. Immediate attention to this issue is essential to safeguard user accounts and prevent potential exploitation.

Affected Version(s)

WHMCS 7.4.0 <= 18.12.2

WHMCS 18.13.0 < 18.13.3

WHMCS 9.0.0 < 9.0.4

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
