CVSS 9.8 Critical — CISA KEV — Actively Exploited
cPanel CVE-2026-41940
Vulnerability Scanner
Check if your cPanel / WHM server is vulnerable to the critical authentication bypass that put 1.5 million hosting servers at risk. Passive version check — no exploit code, no credentials, no server changes.
Only scan servers you own or have written permission to test. Ports checked: 2082 (cPanel HTTP), 2083 (cPanel HTTPS), 2086 (WHM HTTP), 2087 (WHM HTTPS).
How the Attack Works
CRLF Injection → Session Hijacking → Root Access
CVE-2026-41940 is a CRLF injection in cPanel's session-handling code. By injecting raw carriage-return/line-feed sequences into an Authorization header, an attacker can write arbitrary properties to a session file — including user=root — and gain full admin access without any credentials.
Affected ports: 2082 / 2083 / 2086 / 2087
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Feb 23, 2026 — First exploitation in the wild
CVE-2026-41940 was being actively exploited as a zero-day against hosting providers. Attackers targeted WHM accounts at shared hosting companies to deploy malware and pivot to customer sites.
Apr 28, 2026 — cPanel patch released
WebPros released patched builds across 8 branches (11.86–11.136). By this date the vulnerability had been exploited for over 2 months with no vendor fix available.
Apr 30, 2026 — Added to CISA KEV catalog
CISA added CVE-2026-41940 to the Known Exploited Vulnerabilities catalog, requiring all U.S. federal agencies to remediate by May 3, 2026.
May 3, 2026 — CISA remediation deadline
The federal deadline passed with roughly 1.5M cPanel instances still exposed to the internet. Researchers estimate that over 200,000 of them remained unpatched as of this date, based on Shodan version telemetry.
Patched Versions
All 8 Branches — Patched April 28, 2026
Any version below the minimum patched build for your branch is vulnerable. Most production servers should be on the 11.136.x stable branch.
Source: NVD CVE-2026-41940 · WebPros security advisory · Rapid7 ETR. Branch versions above the minimum listed build are patched. WP Squared (WebPros managed WordPress) is patched at version 136.1.7.
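The "below the minimum patched build for your branch" rule is easy to get wrong if versions are compared as strings or across branches. The following is an added example (not Flowtriq's scanner and not cPanel's own code) of a branch-aware check. It assumes the four-field version form MAJOR.BRANCH.MINOR.BUILD (for example 11.136.0.5, with the branch in the second field) and that the server's version is readable from /usr/local/cpanel/version; the per-branch minimums in MIN_PATCHED are placeholders, and the real values must be taken from the WebPros advisory for CVE-2026-41940.

```python
"""Branch-aware cPanel version check for CVE-2026-41940 (added example)."""
import re

# PLACEHOLDER minimum patched build per branch (branch -> version tuple).
# These are NOT the real advisory values; replace them from the WebPros advisory.
MIN_PATCHED = {
    86: (11, 86, 0, 99),    # placeholder
    110: (11, 110, 0, 99),  # placeholder
    136: (11, 136, 0, 99),  # placeholder
}

# Assumed version format: MAJOR.BRANCH.MINOR.BUILD, all numeric.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Turn '11.136.0.5' into (11, 136, 0, 5) so comparison is numeric, field by field."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a cPanel version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def assess(version_text, minimums=MIN_PATCHED):
    """Return 'patched', 'vulnerable' or 'unknown-branch'.

    The comparison is made only against the minimum for the server's own branch:
    an older branch above its own minimum is patched, a newer branch below its
    minimum is not.
    """
    version = parse_version(version_text)
    branch = version[1]
    minimum = minimums.get(branch)
    if minimum is None:
        return "unknown-branch"
    return "patched" if version >= minimum else "vulnerable"


def naive_string_compare(version_text, minimum_text):
    """The pitfall: lexical comparison says '11.86.0.100' < '11.86.0.99'."""
    return version_text >= minimum_text


def assess_local(path="/usr/local/cpanel/version"):
    """Passive local check: read the version file on the server (path assumed)."""
    with open(path) as fh:
        return assess(fh.read())


if __name__ == "__main__":
    for sample in ("11.136.0.5", "11.136.0.100", "11.110.0.120", "11.200.0.1"):
        print(sample, "->", assess(sample))
```

Run it on the server itself with assess_local(), or feed assess() a version string obtained some other way; either way the check is read-only. Keep MIN_PATCHED in sync with the advisory for every branch you operate, because an unknown branch is reported as such rather than silently treated as safe.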
Stop checking manually.
Flowtriq does it automatically.
This tool checks one server, one CVE, one time. Flowtriq's Exposure Scanner runs continuously across every node in your infrastructure, checking for known CVEs, exposed services, and misconfigurations — and alerts you the moment something changes.
- Scans every node for CVE-2026-41940 and 100+ known CVEs automatically
- Detects exploitation attempts — CRLF injection patterns, anomalous WHM sessions, post-exploitation traffic
- Alerts via Slack, Discord, PagerDuty, email, and 8+ more channels in under 1 second
- PCAP forensics capture evidence for incident response and insurance claims
- Built for hosting providers — per-node isolation, multi-tenant workspaces, white-label status pages
7-day free trial · No credit card · $9.99/node/month · 60-second setup
Fix It Now
Remediation Steps
Update cPanel immediately via upcp
The fastest fix. Run upcp as root over SSH on the server; it downloads and applies the latest patched build for your current branch.
Alternatively: update via WHM UI
Log in to WHM → navigate to cPanel Store → Upgrade to Latest Version. This is equivalent to running upcp.
If you can't patch immediately: restrict WHM ports
Restrict WHM access (ports 2086/2087) to trusted IPs using CSF or iptables. This doesn't fix the vulnerability but significantly reduces exposure.
Check access logs for prior exploitation
If you were unpatched during the exploitation window (Feb 23 – Apr 28, 2026), check logs for CRLF injection attempts: look for raw \r\n sequences or their URL-encoded form %0d%0a in Authorization header values.
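As an added example of that log check (not Flowtriq's detection code and not part of cPanel), the scanner below flags Authorization header values that contain a carriage return or line feed in any of the forms they tend to appear in logs: raw, written out as the text \r\n, URL-encoded as %0d%0a, or double-encoded as %250d%250a. It also decodes the value and lists any key=value fragment that follows the line break, which is what an injected session property such as user=root looks like. It assumes a log format that records the header in an auth="..." field (adjust LINE_RE for your real format); the log lines are constructed.

```python
"""Scan access-log lines for CRLF injection in the Authorization header (added example)."""
import re
from urllib.parse import unquote

# Indicator patterns and the label reported for each.
INDICATORS = [
    ("raw CR/LF", re.compile(r"[\r\n]")),
    ("escaped CR/LF (\\r\\n as text)", re.compile(r"\\r|\\n")),
    ("url-encoded CR/LF (%0d/%0a)", re.compile(r"%0[dD]|%0[aA]")),
    ("double-encoded CR/LF (%250d/%250a)", re.compile(r"%250[dD]|%250[aA]")),
]

# Constructed log format: client IP, then anything, then auth="<header value>".
LINE_RE = re.compile(r'^(?P<ip>\S+) .*? auth="(?P<auth>[^"]*)"')

# Constructed sample lines: one clean request and three injection attempts.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Feb/2026:03:14:07 +0000] "GET /login/ HTTP/1.1" 401 auth="Basic dXNlcjpwYXNz"',
    '203.0.113.7 - - [24/Feb/2026:03:14:09 +0000] "GET /login/ HTTP/1.1" 200 auth="Basic dXNlcjpwYXNz%0d%0auser=root"',
    '198.51.100.9 - - [24/Feb/2026:03:15:00 +0000] "GET /login/ HTTP/1.1" 200 auth="Basic Zm9v\\r\\nuser=root"',
    '192.0.2.5 - - [24/Feb/2026:03:16:00 +0000] "GET /login/ HTTP/1.1" 401 auth="Basic YWJj%250d%250Auser=root"',
    '192.0.2.8 - - [24/Feb/2026:03:17:00 +0000] "GET /cpsess/ HTTP/1.1" 200',
]


def normalize(value):
    """Undo the encodings so the injected text can be read as real line breaks."""
    value = unquote(unquote(value))  # handles %0d%0a and double-encoded %250d%250a
    return value.replace("\\r", "\r").replace("\\n", "\n")  # text form written by loggers


def injected_properties(value):
    """Return key=value fragments that follow a line break in the header value."""
    return re.findall(r"[\r\n]+\s*([A-Za-z_][A-Za-z0-9_]*=[^\r\n]*)", normalize(value))


def scan_line(line):
    """Return a finding dict for a suspicious line, or None for a clean or unparsed one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    auth = m.group("auth")
    hits = [label for label, pattern in INDICATORS if pattern.search(auth)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "indicators": hits, "injected": injected_properties(auth)}


def scan_log(lines):
    """Scan an iterable of log lines and return all findings in order."""
    return [finding for finding in (scan_line(line) for line in lines) if finding]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["indicators"], finding["injected"])
```

Run it as `python3 scan.py` to see the three findings from the constructed lines, or pass `open("/path/to/access_log")` to scan_log() for a real file. A hit with an injected property is a strong signal that the server was targeted; a hit with no property may still be a probe and is worth correlating with session creation on the same IP and timestamp.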
Enable continuous exposure monitoring
Manual patching is reactive. Flowtriq's Exposure Scanner automatically checks your cPanel nodes for known CVEs, alerts you when new vulnerabilities affect your stack, and monitors for post-exploitation indicators — so you're never 65 days behind on a critical 9.8 again.
FAQ