Authentication Bypass Vulnerability in cPanel and WHM
CVE-2026-41940

9.3CRITICAL

Key Information:

Vendor

Cpanel, L.l.c.

Status
Cpanel & Whm
WP Squared
Vendor
CVE Published:
29 April 2026

What is CVE-2026-41940?

The affected versions of cPanel and WHM contain a serious authentication bypass flaw in the login flow. This vulnerability enables unauthenticated remote attackers to bypass authentication mechanisms, allowing them to gain unauthorized access to the control panel. Users of the specified versions are highly encouraged to update to the latest versions to mitigate the risks posed by this vulnerability. Regularly updating cPanel and WHM is essential for maintaining system security and protecting sensitive data.

Affected Version(s)

cPanel & WHM 11.110.0 < 11.110.0.97

cPanel & WHM 11.118.0 < 11.118.0.63

cPanel & WHM 11.126.0 < 11.126.0.54

References

https://support.cpanel.net/hc/en-us/articles/400737875796...
vendor-advisorypatch
https://docs.cpanel.net/release-notes/release-notes
release-notes
https://docs.wpsquared.com/changelogs/versions/changelog/...
release-notes

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.