cPanel flaw allows root bypass

- cPanel pushed emergency fixes on April 28 for CVE-2026-41940 after attackers were already abusing an authentication bypass in cPanel, WHM, and WP Squared.
- The bug carries a 9.8 severity score, affects supported releases after 11.40, and can hand unauthenticated attackers full root-level server access.
- This matters because one exposed hosting panel can control every site, mailbox, database, and account on that server.

cPanel is the software a lot of hosting companies use to run shared servers. If you can break into it, you are not just stealing one website; you are stepping into the control room for everything on that box. That is why CVE-2026-41940 is such a nasty story. It is a pre-authentication bug, which means attackers do not need a valid password first, and cPanel says it affects all currently supported versions until patched.

### What actually broke?

The flaw sits in cPanel and WHM's authentication flow. Security writeups describe it as an auth bypass that lets an attacker tamper with server-side session data and get treated like an already authenticated user. In plain English: the login screen still exists, but the software can be tricked into believing the user already passed it. That detail matters for incident response, because a forged session does not necessarily leave the failed-login trail a password-guessing attack would.

### Why is root access the scary part?

WHM is the administrator layer above ordinary cPanel accounts. If an attacker lands there as root, they can reset hosting passwords, read or change site files, create accounts, pull database credentials, and interfere with email. On a shared host, one successful compromise can spill across many customers because the panel manages the whole server, not just one tenant.

### Was this just theoretical?

No, and that is the part that changed this from "patch soon" to "drop everything." cPanel's own security notice says unauthorized logins were occurring, and multiple security outlets say exploitation was seen in the wild before the patch landed. CISA has also added the bug to its Known Exploited Vulnerabilities catalog, which starts a mandatory remediation clock for US federal civilian agencies and is the government's way of saying this is not a lab exercise anymore.

### Which systems are affected?

cPanel says the issue hit all currently supported versions of cPanel & WHM, plus WP Squared, and the affected range stretches back to releases after version 11.40. That broad version span is why the story got so much attention: this was not one oddball branch or a niche plugin. It touched the mainstream control panel stack used across a huge slice of web hosting.

### What did cPanel release?

The company published emergency fixes on April 28, 2026, then kept updating its advisory with patched builds and a revised detection script on May 1. The patched versions listed in public support threads include 110.0.97 and 134.0.20, with tier 11.124 also getting an updated fix path. So this has been moving in real time, not as a one-and-done bulletin, and the build number you need to be on depends on which release tier your server tracks.

### Why are people talking about millions of servers?

Because cPanel is everywhere. Security coverage tied the exposure to roughly 1.5 million internet-facing instances, using outside telemetry as a rough measure of how many panels could be reachable. That does not mean all of them were compromised, but it does mean the attack surface was big enough that hosting providers had to assume widespread scanning almost immediately.

### What should admins be doing right now?

Patch first. Then verify that the patched build actually installed, checking the installed version against the minimum build for your tier in cPanel's current advisory rather than the first number you saw reported. Rotate credentials that touch the server, review logs for unauthorized WHM or cPanel sessions (including sessions that have no matching login event, since the bypass works by forging session state rather than guessing passwords), and run cPanel's updated detection tooling carefully, because the first script revision produced some false positives. If a box shows.

### Bottom line

This bug matters because it turns a hosting control panel into a front door with the lock skipped. cPanel has patches out, but the hard part now is figuring out who updated in time and who got quietly touched before they did.
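The two checks above that an admin can script, verifying the installed build against the patched minima and triaging privileged logins by source address, as an added example. This is not cPanel's detection script and not code from the advisory. It assumes that `/usr/local/cpanel/version` holds a string like `11.134.0.20` (the legacy `11.` prefix followed by the tier, minor and build), that the only patched build numbers known from the article are `110.0.97` and `134.0.20` (tier 124 is reported as "unknown" because the page names no build for it), and that the login log lines are constructed for the example; adapt the regular expression to the real format of your own `/usr/local/cpanel/logs/login_log` before trusting its output.

```python
"""Post-patch triage helpers for the cPanel & WHM auth-bypass advisory.

Added example, not cPanel's own tooling. Assumptions:
- /usr/local/cpanel/version holds a string like "11.134.0.20" (tier 134).
- Patched minima come from the article: 110.0.97 and 134.0.20. Tier 124 has
  a fix path but no published build number here, so it reports "unknown".
- The login log lines below are constructed; adjust LOGIN_RE to match the
  real /usr/local/cpanel/logs/login_log format on your server.
"""
import re
from ipaddress import ip_address, ip_network

# Minimum patched build per release tier, as listed in the article.
PATCHED_MINIMA = {110: (110, 0, 97), 134: (134, 0, 20)}

VERSION_FILE = "/usr/local/cpanel/version"  # assumed path


def parse_version(s):
    """'11.134.0.20' or '134.0.20' -> (134, 0, 20); drops the legacy '11.' prefix."""
    parts = [int(p) for p in s.strip().split(".")]
    if parts and parts[0] == 11:
        parts = parts[1:]
    if len(parts) != 3:
        raise ValueError(f"unexpected cPanel version string: {s!r}")
    return tuple(parts)


def patch_status(version_string):
    """Return 'patched', 'vulnerable' or 'unknown' for an installed version.

    Comparison is tier-aware: a 110.x build is never judged against the 134
    minimum, and tiers with no known patched build are not called safe.
    """
    v = parse_version(version_string)
    minimum = PATCHED_MINIMA.get(v[0])
    if minimum is None:
        return "unknown"
    return "patched" if v >= minimum else "vulnerable"


# Constructed line shape: [timestamp] service source-ip user SUCCESS|FAILED
LOGIN_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<service>\w+) (?P<ip>[\d.]+) "
    r"(?P<user>\S+) (?P<result>SUCCESS|FAILED)$"
)


def suspicious_logins(lines, allowed_nets, privileged=("root",)):
    """Flag successful privileged logins from outside the admin allowlist.

    Failed attempts are ignored on purpose: a session-forging bypass does not
    need to fail first, so the signal is a successful root session from an
    address that should never hold one.
    """
    nets = [ip_network(n) for n in allowed_nets]
    hits = []
    for line in lines:
        m = LOGIN_RE.match(line.strip())
        if not m or m["result"] != "SUCCESS" or m["user"] not in privileged:
            continue
        addr = ip_address(m["ip"])
        if not any(addr in net for net in nets):
            hits.append({"ts": m["ts"], "service": m["service"],
                         "ip": m["ip"], "user": m["user"]})
    return hits


# Constructed sample log for the example; 198.51.100.0/24 plays the admin VPN.
SAMPLE_LOG = """\
[2026-04-28 08:02:11 +0000] whostmgrd 198.51.100.5 root SUCCESS
[2026-04-28 09:14:02 +0000] whostmgrd 203.0.113.7 root SUCCESS
[2026-04-28 09:14:09 +0000] cpaneld 203.0.113.7 shopuser SUCCESS
[2026-04-28 09:20:44 +0000] whostmgrd 203.0.113.9 root FAILED
"""
ADMIN_NETS = ["198.51.100.0/24"]


def read_installed_version(path=VERSION_FILE):
    """Read the live version file; fall back to a constructed value off-box."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return "11.134.0.19"  # constructed: one build short of the 134 fix


if __name__ == "__main__":
    installed = read_installed_version()
    print(f"installed {installed.strip()}: {patch_status(installed)}")
    for hit in suspicious_logins(SAMPLE_LOG.splitlines(), ADMIN_NETS):
        print("review:", hit)
```

The version check refuses to call an unlisted tier "patched", which is the right default while the advisory is still being revised; update `PATCHED_MINIMA` from the current advisory, not from this page. The log pass only surfaces sessions that succeeded, because a bypass that forges session state can produce a root session with no failed attempts before it and, depending on where cPanel records the forged session, possibly no login event at all, so also reconcile session creation against login events rather than relying on one log.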

Shared from Scout