A critical zero-day vulnerability in cPanel & WHM gives attackers unauthenticated root-level access to servers that together manage tens of millions of domains. No credentials are required and no prior access is needed, and exploitation was underway for roughly two months before any patch existed.
Tracked as CVE-2026-41940, this vulnerability allows remote attackers to inject arbitrary session properties through a malformed HTTP Authorization header, effectively promoting themselves to a fully authenticated root session without ever supplying a valid password.
CISA Alert: CISA has added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog. The Shadowserver Foundation reports approximately 44,000 unique IPs actively scanning, running exploits, or engaging in brute-force attacks against honeypot sensors.
Vulnerability Overview
What is CVE-2026-41940?
The vulnerability stems from improper session handling in the cpsrvd daemon. Before a user is authenticated, the server writes a new session file to disk. By sending a truncated whostmgrsession cookie that omits the per-session secret, an attacker causes the server to skip the encryption that would normally be applied to the user-supplied password field.
By embedding raw CRLF sequences (\r\n) inside the password field of a crafted Basic Authorization header, the attacker causes cpsrvd to write unsanitized content directly into the session file on disk, where each injected line becomes its own session record. The vulnerability affects all cPanel and WHM versions after 11.4 that have not been updated to a fixed build. Successful exploitation grants an unauthenticated remote attacker full administrative access to the affected server.
Risk Assessment
CVE-2026-41940 Risk Profile
Exploit Availability: Public PoC (watchTowr Labs)
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Technical Deep Dive
Root Cause of CVE-2026-41940
The vulnerability is classified as CWE-93 (Improper Neutralization of CRLF Sequences, "CRLF Injection"), though CWE-117 (Improper Output Neutralization for Logs) is arguably the closer technical fit, since the CRLF characters land in an on-disk session file rather than in an HTTP response.
cPanel handles login sessions through the cpsrvd daemon — the process listening on ports 2083, 2087, 2095, and 2096 that handles login and authorization. When a user attempts to authenticate against WHM, cpsrvd creates a session file on disk before it even verifies the password, saving it in two locations:
- /var/cpanel/sessions/raw/<sessionid>, in key=value text format
- /var/cpanel/sessions/cache/<sessionid>, in JSON format
The exploit chains three distinct weaknesses together to achieve unauthenticated root access:
Step 1
Encryption Skip via Malformed Cookie
The session writer encrypts the password field using a per-session secret embedded in the session cookie. If that secret is missing, the original code skips encryption entirely instead of refusing the operation. An attacker who sends a truncated cookie causes their payload to land on disk in plaintext.
Step 2
CRLF Injection into the Raw Session File
By embedding raw \r\n characters in the Basic Authorization header’s password field, the attacker causes cpsrvd to write additional lines into the raw session file without sanitization. The injected lines land as separate top-level records in the session file, including hasroot=1, tfa_verified=1, user=root, a chosen cp_security_token, and successful_internal_auth_with_timestamp.
Step 3
Cache Promotion via the Token-Denied Handler
Sessions exist in two places. The loader reads the JSON cache first, where injected newlines appear as harmless escape sequences inside a single string. A separate code path — the “token denied” handler — re-parses the raw file and rewrites the cache, promoting the injected lines into top-level keys that the loader will trust. Once that cache is rewritten, cpsrvd reads the session back and treats it as a fully authenticated root session, bypassing both the password check and two-factor authentication entirely.
The Root Cause: A sanitization function (filter_sessiondata) existed in the codebase but had to be manually called by each caller before saving a session. Every other caller invoked it correctly — the Basic-auth handler in cpsrvd did not. The patch resolves this by moving filter_sessiondata inside the saveSession function itself, making safe behavior the structural default rather than an opt-in.
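To make the three steps concrete, here is a toy Python model written for this article; it is not cPanel's Perl code. The raw key=value session format, the per-session secret, the toy_encrypt stand-in, the token_denied_rewrite_cache function and the INJECTED_PASSWORD payload are all simplified assumptions. Only the properties the chain depends on are modelled: a missing secret skips encryption instead of failing, values are written verbatim, and the cache rewrite promotes raw records into top-level keys. save_session_fixed shows the patched shape described above, with filter_sessiondata called inside the save routine and a missing secret treated as an error.

```python
"""Toy model of the cpsrvd session-writer defect described in the article.

Written for this article; it is not cPanel's code. The raw session format,
the per-session secret, toy_encrypt and the 'token denied' cache rewrite are
simplified assumptions that keep only the properties the three steps rely on.
"""
import base64
import json
import re
from itertools import cycle
from typing import Dict, Optional

# Constructed attacker input: the password field of the Basic Authorization
# header. Raw CR/LF turns one value into several key=value records.
INJECTED_PASSWORD = (
    "x\r\n"
    "user=root\r\n"
    "hasroot=1\r\n"
    "tfa_verified=1\r\n"
    "cp_security_token=attackerchosen\r\n"
    "successful_internal_auth_with_timestamp=1777457700"
)


def toy_encrypt(value: str, secret: str) -> str:
    """Stand-in for the real per-session encryption (NOT cPanel's scheme).
    Its only relevant property: the output is one opaque token with no newlines."""
    blob = bytes(b ^ s for b, s in zip(value.encode(), cycle(secret.encode())))
    return "enc:" + base64.b64encode(blob).decode()


def save_session_vulnerable(fields: Dict[str, str], secret: Optional[str]) -> str:
    """Step 1 as modelled: a missing cookie secret skips encryption instead of
    refusing the write, and every value is written verbatim (Step 2)."""
    lines = []
    for key, value in fields.items():
        if key == "pass" and secret:
            value = toy_encrypt(value, secret)
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n"


def filter_sessiondata(fields: Dict[str, str]) -> Dict[str, str]:
    """Neutralise CR and LF so no value can terminate its own record."""
    return {key: re.sub(r"[\r\n]", "", value) for key, value in fields.items()}


def save_session_fixed(fields: Dict[str, str], secret: Optional[str]) -> str:
    """Hardened writer: sanitisation lives inside the save routine (the shape
    the patch is described to take) and a missing secret is an error."""
    if not secret:
        raise ValueError("refusing to write a session without the per-session secret")
    lines = [f"{key}={toy_encrypt(value, secret) if key == 'pass' else value}"
             for key, value in filter_sessiondata(fields).items()]
    return "\n".join(lines) + "\n"


def parse_raw_session(raw: str) -> Dict[str, str]:
    """key=value reader for the raw file; a later record overrides an earlier one."""
    session: Dict[str, str] = {}
    for line in raw.replace("\r", "\n").split("\n"):
        if "=" in line:
            key, _, value = line.partition("=")
            session[key.strip()] = value.strip()
    return session


def token_denied_rewrite_cache(raw: str) -> str:
    """Step 3 as modelled: the 'token denied' path re-parses the raw file and
    rewrites the JSON cache, so injected records become top-level keys."""
    return json.dumps(parse_raw_session(raw))


def is_root_session(session: Dict[str, str]) -> bool:
    """What the loader trusts: an authenticated, 2FA-satisfied root session."""
    return (session.get("user") == "root"
            and session.get("hasroot") == "1"
            and session.get("tfa_verified") == "1"
            and "successful_internal_auth_with_timestamp" in session)


def exploit_chain(save_session, secret: Optional[str]) -> Dict[str, str]:
    """Pre-auth write, initial cache, then cache promotion; returns the session
    the loader ends up trusting (empty if the writer refused the request)."""
    fields = {"user": "nobody", "pass": INJECTED_PASSWORD}
    try:
        raw = save_session(fields, secret)
    except ValueError:
        return {}  # the hardened writer rejects the truncated cookie outright
    initial_cache = json.dumps(fields)  # payload is one escaped string here, harmless
    assert not is_root_session(json.loads(initial_cache))
    return json.loads(token_denied_rewrite_cache(raw))


if __name__ == "__main__":
    print("vulnerable, truncated cookie:", is_root_session(exploit_chain(save_session_vulnerable, None)))
    print("vulnerable, secret present:  ", is_root_session(exploit_chain(save_session_vulnerable, "s3cret")))
    print("fixed, truncated cookie:     ", is_root_session(exploit_chain(save_session_fixed, None)))
```

Run with no arguments to see the three outcomes: the vulnerable writer with a truncated cookie yields a trusted root session, the same writer with the secret present does not (the payload becomes a single opaque token), and the hardened writer never produces the file at all.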
Business Impact
What CVE-2026-41940 Means for Your Hosting Infrastructure
Here is how that plays out across your infrastructure, from the server level down to every account it hosts:
Immediate Threat
Full Server Compromise from a Handful of HTTP Requests
The exploit chain requires only a handful of HTTP requests and zero credentials. From the point of full WHM API access, root remote code execution is trivially achievable through any of the legitimate features WHM exposes — custom hooks, package management, PHP-FPM configuration, and more. There is no second vulnerability needed, no lateral movement required. Administrative access is the exploit’s direct and immediate output.
Blast Radius
Every Hosted Account Is Affected, Not Just the Server
Because WHM sits above every cPanel account on a server, a successful exploit does not stop at the server boundary. Every website, every database, every email account, and every set of credentials belonging to every customer on that server falls within the attacker's reach. In shared hosting environments, this can mean thousands of end users impacted by a handful of malicious HTTP requests against a single server.
MFA Bypass
Two-Factor Authentication Provides No Protection
The CRLF injection writes tfa_verified=1 directly into the session file, simulating a two-factor verification that has already been completed. The system never prompts for a second factor because, from its point of view, it has already been satisfied. Two-factor authentication remains valuable against other attack vectors, but against this specific exploit it provides no defence whatsoever.
Credential Exposure
Credentials Across All Hosted Accounts Are Immediately Accessible
Once inside WHM, an attacker has unrestricted access to SSL private keys, database credentials, email account passwords, DNS configurations, and API tokens stored across every hosted account. These are immediately usable — there is no additional step required to weaponize them against downstream services.
Persistence Risk
Malware and Backdoor Deployment at Scale
With root access to the server, an attacker can install web shells, reverse shells, and persistent backdoors across any or all hosted websites. Even after patching and credential rotation, if the initial compromise goes undetected, these implants maintain attacker access indefinitely — making thorough post-compromise investigation as important as the patch itself.
Scope
Affected Versions
The vulnerability affects all cPanel and WHM installations running a build older than the patched release for their track:
| Release Track | Patched In |
|---|---|
| cPanel & WHM 110.x | 11.110.0.97 |
| cPanel & WHM 118.x | 11.118.0.63 |
| cPanel & WHM 126.x | 11.126.0.54 |
| cPanel & WHM 132.x | 11.132.0.29 |
| cPanel & WHM 134.x | 11.134.0.20 |
| cPanel & WHM 136.x | 11.136.0.5 |
| WP Squared | 136.1.7 |
Administrators should verify their installed build using /usr/local/cpanel/cpanel -V and treat any instance that was internet-facing prior to patching as potentially compromised regardless of whether active exploitation has been confirmed.
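An added example (not a cPanel tool) that compares a `/usr/local/cpanel/cpanel -V` build string against the table above. It assumes the -V output contains the build as a four-part dotted number such as 11.136.0.4, and it does not handle WP Squared's separate 136.x.y numbering. The point it makes is that builds must be compared numerically field by field: a plain string comparison would rank 11.136.0.10 below 11.136.0.5 and report a patched server as vulnerable.

```python
"""Compare a `cpanel -V` build string against the fixed builds in the article's table.

Example code written for this article, not a cPanel utility. Assumes the -V
output contains a four-part dotted build (e.g. 11.136.0.4); WP Squared's
136.x.y numbering is not handled.
"""
import re
from typing import Optional, Tuple

Build = Tuple[int, ...]

# Patched builds per release track, copied from the table above.
PATCHED_BUILDS = {
    110: (11, 110, 0, 97),
    118: (11, 118, 0, 63),
    126: (11, 126, 0, 54),
    132: (11, 132, 0, 29),
    134: (11, 134, 0, 20),
    136: (11, 136, 0, 5),
}


def parse_build(output: str) -> Optional[Build]:
    """Pull the first four-part dotted version out of the command output."""
    match = re.search(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b", output)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def patch_status(output: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for a -V output string.

    Tuples of ints compare field by field, so 11.136.0.10 is correctly newer
    than 11.136.0.5; comparing the raw strings would get this wrong."""
    build = parse_build(output)
    if build is None or build[0] != 11:
        return "unknown"
    fixed = PATCHED_BUILDS.get(build[1])
    if fixed is None:
        # A track with no fixed build in the table (for example an end-of-life
        # release) cannot be shown safe from this table alone.
        return "unknown"
    return "patched" if build >= fixed else "vulnerable"


if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["/usr/local/cpanel/cpanel", "-V"],
                         capture_output=True, text=True).stdout
    print(out.strip(), "->", patch_status(out))
```

Run it on the server itself, or feed `patch_status()` the -V output collected from a fleet. Anything that comes back "unknown" needs a human look: it is either an unparseable string or a track the fix table does not cover.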
Incident Timeline
Two Months from Zero-Day to Patch — The Exploitation Timeline
Exploitation of CVE-2026-41940 has been observed from approximately February 23, 2026, making this a true zero-day for roughly two months before cPanel's emergency patch on April 28, 2026. Attackers operated against unaware, unpatched infrastructure for weeks while defenders had no basis to detect or respond.
WebPros International published its security advisory on April 28, 2026. Following public disclosure, watchTowr published a full technical analysis and proof-of-concept exploit on April 29, 2026. Major hosting providers including Namecheap, KnownHost, HostPapa, and InMotion preemptively blocked TCP/2083 and TCP/2087 to protect customers ahead of patching.
Shadowserver's honeypot sensors put the number of unique IPs scanning, running exploits, or brute-forcing at approximately 44,000, and separately identify around 650,000 IPs currently hosting exposed cPanel and WHM instances. With a public PoC now available and exploitation requiring minimal technical skill, these numbers are unlikely to decline without broad patching across the installed base.
Detection Guidance
How to Detect CVE-2026-41940
Detection requires direct visibility into session file contents and access log correlation patterns. The exploit does not trigger failed authentication events — the injected session appears entirely valid to the system — making standard authentication monitoring insufficient on its own.
Primary Signal
Session File Inspection
Session file inspection is the most direct forensic signal. A pre-authentication session that was never legitimately upgraded should never contain user=root, hasroot=1, tfa_verified=1, or successful_internal_auth_with_timestamp. Security teams should inspect /var/cpanel/sessions/raw/ for any session files carrying these properties — their presence in a pre-auth context is a reliable indicator of exploitation.
Complementary Signal
Access Log Correlation
In cpsrvd access logs, the pattern to identify is a 401 response on /login/?login_only=1 immediately followed by an Authorization: Basic request on a non-login URL from the same source IP. This two-step sequence directly reflects the exploit chain — a failed login that seeds the malicious session file, followed by the injected session being presented for privileged access.
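The two signals above, as an added Python example written for this article (not cPanel's or Indusface's tooling). The raw session format follows the key=value layout described earlier. The access-log layout is assumed to be the common "combined" shape (client IP, identity, user, bracketed timestamp, quoted request line, status), and every sample session file and log line below is constructed. Such a log does not record the Authorization header, so the second half of the pattern is approximated as "the same IP's next non-login request is accepted within a short window", and the duplicate-key check on session files is a heuristic added here rather than a documented indicator.

```python
"""Detection helpers for the two signals in the article: indicator records in
raw session files, and the seed-then-reuse pattern in cpsrvd access logs.

Example code written for this article, not a cPanel or Indusface tool. The
access-log layout is assumed (combined-log shape) and all samples are
constructed; the Authorization header is not in such a log, so the follow-up
request is approximated as 'accepted non-login request from the same IP'.
"""
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Records that must never appear in a session that was not legitimately upgraded.
INJECTED_RECORDS = {("user", "root"), ("hasroot", "1"), ("tfa_verified", "1")}
INJECTED_KEYS = {"successful_internal_auth_with_timestamp"}


def scan_raw_session(raw: str) -> Dict[str, List[str]]:
    """Report indicator records and any key written more than once. The
    duplicate-key check is a heuristic added here: an injected 'user=root'
    lands after the 'user=' the pre-auth write already produced."""
    hits: List[str] = []
    counts: Counter = Counter()
    for line in raw.replace("\r", "\n").split("\n"):
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        counts[key] += 1
        if (key, value) in INJECTED_RECORDS or key in INJECTED_KEYS:
            hits.append(f"{key}={value}")
    return {"indicators": hits,
            "duplicate_keys": sorted(k for k, n in counts.items() if n > 1)}


# Assumed layout: IP identity user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def find_seed_then_reuse(lines: Iterable[str],
                         window: timedelta = timedelta(minutes=5)) -> List[Dict[str, str]]:
    """Flag a 401 on /login/?login_only=1 followed, within the window and from
    the same IP, by an accepted request to a non-login URL. A non-401 response
    on a /login URL (a real login) clears the seed for that IP to cut noise."""
    seeds: Dict[str, datetime] = {}
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, status = m["ip"], m["path"], int(m["status"])
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if path.startswith("/login"):
            if "login_only=1" in path and status == 401:
                seeds[ip] = ts
            elif status != 401:
                seeds.pop(ip, None)
            continue
        seed = seeds.get(ip)
        if seed is not None and status < 400 and ts - seed <= window:
            findings.append({"ip": ip, "seeded_at": seed.isoformat(),
                             "path": path, "status": str(status)})
            seeds.pop(ip)
    return findings


# Constructed samples (not real captures).
SAMPLE_SESSION_INJECTED = (
    "user=guest\npass=x\nuser=root\nhasroot=1\ntfa_verified=1\n"
    "cp_security_token=attackerchosen\nsuccessful_internal_auth_with_timestamp=1777457700\n"
)
SAMPLE_SESSION_CLEAN = "user=reseller1\npass=enc:Q29uc3RydWN0ZWQ=\n"
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Apr/2026:10:15:01 +0000] "GET /login/?login_only=1 HTTP/1.1" 401 0',
    '203.0.113.7 - - [29/Apr/2026:10:15:02 +0000] "GET /json-api/listaccts?api.version=1 HTTP/1.1" 200 8192',
    '198.51.100.4 - - [29/Apr/2026:10:16:40 +0000] "GET /login/?login_only=1 HTTP/1.1" 401 0',
    '198.51.100.4 - - [29/Apr/2026:10:16:45 +0000] "POST /login/ HTTP/1.1" 301 0',
    '198.51.100.4 - - [29/Apr/2026:10:16:46 +0000] "GET /cpsess0123456789/scripts/command?PFILE=main HTTP/1.1" 200 40123',
    '192.0.2.9 - - [29/Apr/2026:10:20:00 +0000] "GET /login/?login_only=1 HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    print("injected session:", scan_raw_session(SAMPLE_SESSION_INJECTED))
    print("clean session:   ", scan_raw_session(SAMPLE_SESSION_CLEAN))
    print("log findings:    ", find_seed_then_reuse(SAMPLE_LOG))
```

In the sample, only 203.0.113.7 is flagged: it seeds a session with a 401 and then hits a WHM API path that is accepted. The legitimate user who logs in normally clears its seed, and the scanner that never follows up produces nothing. For real use, point `scan_raw_session()` at each file under /var/cpanel/sessions/raw/ and `find_seed_then_reuse()` at the cpsrvd access log, after confirming the log regex against your own log format.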
Post-Compromise Review
Artifact Audit
Post-compromise artifact review should follow any confirmed or suspected exploitation. Security teams should audit WHM for unexpected user accounts, SSH keys, and cron jobs, and verify that no unauthorized modifications exist in /etc/, /usr/local/cpanel/, or root’s ~/.bashrc and authorized_keys. cPanel has also provided a dedicated script for customers to search for known indicators of compromise.
Remediation
CVE-2026-41940 — Mitigation & Remediation
Here is the full remediation sequence your team needs to work through:
01
Patch Immediately
Run /scripts/upcp --force to update to the fixed release for your track. Confirm the installed build via /usr/local/cpanel/cpanel -V and restart cpsrvd after the update completes.
Servers with automatic updates disabled or version pinning must be manually prioritized.
02
Assume Compromise if Internet-Facing Pre-Patch
The exploit leaves no failed authentication trace. Log review alone cannot rule out prior exploitation.
Purge sessions in /var/cpanel/sessions/raw/ and /var/cpanel/sessions/cache/, force-reset root and all WHM reseller passwords, rotate API tokens, and re-issue SSH keys.
03
Restrict Management Interface Access
Administrative ports should never be directly reachable from the public internet. Access to WHM and cPanel administration should be limited to known IP ranges or routed through a VPN.
Treat any public exposure of these interfaces as a standing misconfiguration requiring correction independent of this vulnerability.
04
Hunt for Persistence Before Declaring Recovery
Even after patching and credential rotation, audit cron entries system-wide and per-user, review ~/.ssh/authorized_keys, inspect custom WHM hooks, and examine packages installed during the exposure window.
Patching closes the door — it does not evict an attacker who is already inside.
AppTrana Protection
AppTrana WAAP Coverage
AppTrana WAAP customers are protected against CVE-2026-41940. Indusface’s expert team has deployed dedicated detection and blocking rules targeting the specific exploitation patterns associated with this vulnerability — including CRLF injection attempts in Authorization headers and malformed session cookie structures — providing virtual patch coverage for customers while remediation is completed on the server side.
Get Protected Against CVE-2026-41940 Today
AppTrana WAAP’s virtual patching is already active for this vulnerability. Don’t wait for a patch deployment window — protect your hosting infrastructure now.