Improper Privileges Management in cPanel/WHM Products by cPanel, Inc.
CVE-2026-29205
What is CVE-2026-29205?
CVE-2026-29205 is a vulnerability in cPanel/WHM, a widely used web hosting control panel for managing web servers and hosting environments. It arises from improper privileges management and insufficient path filtering, which can allow unauthorized access to arbitrary files on the server through the cpdavd attachment download endpoints. Malicious actors could exploit these flaws to access sensitive information stored on the server, leading to significant security breaches. By compromising the integrity of the server, attackers may affect not only the immediate hosting environment but also the websites and applications that rely on it, leading to data leakage and operational disruptions for affected organizations.
Potential impact of CVE-2026-29205
- Unauthorized File Access: Attackers can exploit this vulnerability to read arbitrary files on the server, which could include sensitive data, configuration files, and user credentials. This unauthorized access can lead to data breaches, compromising the confidentiality and integrity of affected systems.
- Operational Disruption: The exploitation of this vulnerability can result in significant operational impacts as unauthorized access may allow attackers to manipulate or corrupt critical system files. Such disruptions can hinder web service functionality and lead to downtime, affecting both the service provider and its customers.
- Increased Risk of Subsequent Attacks: With access to sensitive files and configurations, attackers could potentially escalate their attacks. They may use the information gained to launch further exploits within the organization or against associated systems, increasing the overall risk profile and potential impact of a security incident.

Affected Version(s)
cPanel 11.136.0.0 < 11.136.0.10
cPanel 11.134.0.0 < 11.134.0.26
cPanel 11.132.0.0 < 11.132.0.32
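
To triage hosts against the ranges listed above, the following added example (not code from cPanel or from this page) classifies a version string as affected, patched, or on a branch the advisory does not list. It assumes the installed version is readable from `/usr/local/cpanel/version` as four dotted integers; the function names are illustrative.

```python
import re
import sys

# Affected ranges from the advisory: (first affected, first fixed) per branch.
AFFECTED = [
    ((11, 136, 0, 0), (11, 136, 0, 10)),
    ((11, 134, 0, 0), (11, 134, 0, 26)),
    ((11, 132, 0, 0), (11, 132, 0, 32)),
]

# Assumption: the installed version is stored in this file as four dotted integers.
VERSION_FILE = "/usr/local/cpanel/version"


def parse_version(text):
    """Turn '11.136.0.9' into (11, 136, 0, 9); reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def assess(version_text):
    """Return (status, first_fixed_version) for a version string.

    status is 'affected', 'patched', or 'not-listed' (branch absent from the
    advisory, so this check says nothing about it).
    """
    version = parse_version(version_text)
    for first_affected, first_fixed in AFFECTED:
        if version[:2] != first_affected[:2]:
            continue  # different release branch
        fixed = ".".join(map(str, first_fixed))
        # Tuple comparison is numeric: 0.9 < 0.10, unlike a string compare.
        if first_affected <= version < first_fixed:
            return "affected", fixed
        return "patched", fixed
    return "not-listed", None


if __name__ == "__main__":
    # Version from the command line, else from the local install.
    if len(sys.argv) > 1:
        raw = sys.argv[1]
    else:
        with open(VERSION_FILE) as fh:
            raw = fh.read()
    status, fixed = assess(raw)
    print(f"{raw.strip()}: {status}" + (f" (fixed in {fixed})" if fixed else ""))
    sys.exit(1 if status == "affected" else 0)
```

A `not-listed` result means only that the branch does not appear in the ranges above, not that the build is unaffected.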
