Researcher discloses cPanel CVE-2026-41940
- Security researcher James Olajide published a May 21 X post and YouTube materials describing cPanel/WHM flaw CVE-2026-41940 and showing tested command execution.
- NIST’s NVD lists CVE-2026-41940 as an unauthenticated login-flow authentication bypass in cPanel and WHM after version 11.40, scored 9.8 by VulnCheck. (nvd.nist.gov)
- cPanel’s April 28 advisory lists patched builds and tells customers to update immediately, then restart cpsrvd and verify the installed version. (support.cpanel.net)
A security researcher used X and YouTube on May 21 to publish a fresh walkthrough of CVE-2026-41940, a cPanel/WHM authentication-bypass flaw that official advisories say can let unauthenticated attackers gain access to the control panel. The disclosure matters because cPanel had already issued an April 28 security update for the bug, and NIST’s National Vulnerability Database now describes it as affecting cPanel and WHM versions after 11.40. (nvd.nist.gov)

Public exploit material tied to the CVE was already circulating before this week, including multiple YouTube explainers and a GitHub proof-of-concept referenced by NVD. (support.cpanel.net)

The immediate point for operators is straightforward: this is not a newly assigned CVE, but a newly amplified public disclosure cycle around an already critical flaw. cPanel said it had pushed patches across supported branches, and NVD lists the issue with a critical severity score from VulnCheck.

### What exactly did the researcher publish on May 21?

James Olajide’s May 21 post, cited in the source briefings for this story, pointed readers to a YouTube thread describing a cPanel/WHM authentication vulnerability tied to CVE-2026-41940. The briefing says the material included proof-of-concept guidance, exploitation steps and demonstrations of remote command execution in tested environments on multiple cPanel versions. (support.cpanel.net)

YouTube search results tied to the CVE show public videos describing the flaw as an authentication bypass in the login flow and, in some cases, as a route to root-level takeover or command execution. Those descriptions align with the broader public framing around the bug, though the strongest primary-source language comes from cPanel and NVD. (support.cpanel.net)

### What do cPanel and NIST say the bug is?
NIST’s National Vulnerability Database says CVE-2026-41940 affects “cPanel and WHM versions after 11.40” and is “an authentication bypass vulnerability in the login flow” that allows “unauthenticated remote attackers to gain unauthorized access to the control panel.” NVD shows a CVSS 3.1 base score of 9.8 from VulnCheck and a CVSS 4.0 base score of 9.3. (youtube.com)

cPanel’s April 28 advisory uses similar language. The company said “an authentication bypass security issue has been identified in the cPanel software (including DNSOnly) affecting all versions after 11.40.” (youtube.com)

### Which versions did cPanel say were patched?

cPanel’s support advisory says patched versions include:

- 11.86.0.41 and higher
- 11.94.0.28 and higher
- 11.102.0.39 and higher
- 11.110.0.97 and higher
- 11.118.0.63 and higher
- 11.124.0.35 and higher
- 11.126.0.54 and higher
- 11.130.0.19 and higher
- 11.132.0.29 and higher
- 11.134.0.20 and higher
- 11.136.0.5 and higher

(nvd.nist.gov) The company also listed WP Squared 136.1.7 and higher, plus a direct update for customers on CentOS 6 or CloudLinux 6 using v110.0.50. The same advisory says all later versions are patched as well. (support.cpanel.net)

That means the practical question for administrators is not whether the CVE exists, but whether their installed branch is at or above one of the fixed builds cPanel named.

### Why are researchers tying it to command execution?

Public reporting and exploit references around CVE-2026-41940 go beyond simple panel access. The Hacker News reported last week that the flaw was under active exploitation to deploy a Filemanager backdoor, and NVD links to a GitHub exploit and third-party technical write-up as references for the CVE. (support.cpanel.net)

That is the backdrop for Olajide’s May 21 materials: the claim in the briefing is not just that login bypass was possible, but that the path could be driven to remote command execution in tested environments.
cPanel’s own advisory does not use the phrase “remote code execution,” but public exploit materials and media coverage have framed post-authentication compromise as severe because WHM access can expose broad administrative control. (support.cpanel.net)

### What should operators look at next?

cPanel’s April 28 advisory tells customers to update immediately with `/scripts/upcp --force`, verify the installed build with `/usr/local/cpanel/cpanel -V`, and restart the cPanel service with `/scripts/restartsrv_cpsrvd --hard`. (thehackernews.com) The advisory also warns that servers with disabled updates or pinned versions will need manual attention.

NVD’s reference list points administrators to the vendor advisory, release notes, a GitHub exploit reference and CISA’s Known Exploited Vulnerabilities catalog entry for CVE-2026-41940. (support.cpanel.net) Those are the named places operators can use next to confirm exposure, patch level and any follow-up indicators of compromise. (nvd.nist.gov)
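Because the advisory names one fixed build per branch, the verification step amounts to comparing the installed build against the right entry in that list. The shell function below, an added example and not cPanel's own tooling, does that comparison for a version string such as the one `/usr/local/cpanel/cpanel -V` prints; it assumes the string is of the form `11.BRANCH.MINOR.BUILD` or `BRANCH.MINOR.BUILD`, optionally followed by trailing text, and it treats any branch newer than 136 as patched per the advisory's "all later versions" wording.

```shell
#!/bin/sh
# Added example (not cPanel's code): is an installed cPanel/WHM build at or
# above the fixed build the April 28 advisory names for its branch?
# Assumption: the version looks like "11.136.0.5" or "136.0.5", possibly
# followed by extra text, which is stripped before comparison.

# Fixed builds as listed in the advisory; later versions are patched as well.
PATCHED_BUILDS="11.86.0.41 11.94.0.28 11.102.0.39 11.110.0.97 11.118.0.63
11.124.0.35 11.126.0.54 11.130.0.19 11.132.0.29 11.134.0.20 11.136.0.5"

# Print "branch minor build" for a version string: drop the leading "11.",
# cut anything after the numeric part, then split on dots.
split_version() {
  printf '%s\n' "$1" | sed 's/^11\.//; s/[^0-9.].*//' | tr '.' ' '
}

# cpanel_is_patched VERSION
#   exit 0: at or above the fixed build named for this branch (or a newer branch)
#   exit 1: below the fixed build named for this branch
#   exit 2: branch not named in the advisory (older than 86), no fixed build known
cpanel_is_patched() {
  set -- $(split_version "$1")
  branch=$1; minor=$2; build=$3
  # Branches newer than the newest one listed fall under "all later versions".
  [ "$branch" -gt 136 ] && return 0
  for fixed in $PATCHED_BUILDS; do
    set -- $(split_version "$fixed")
    [ "$1" -eq "$branch" ] || continue
    # Same branch: compare the minor number first, then the build number.
    if [ "$minor" -gt "$2" ] || { [ "$minor" -eq "$2" ] && [ "$build" -ge "$3" ]; }; then
      return 0
    fi
    return 1
  done
  return 2
}

# Typical use on a server, feeding in the build the advisory tells you to verify:
#   cpanel_is_patched "$(/usr/local/cpanel/cpanel -V)" && echo patched || echo "NOT patched"
```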