CVE-2026-41940

cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

critical 9.8 CVSS 3.1

Published: Apr 29, 2026

Modified: Apr 30, 2026

Vendor: Cpanel

Product: Cpanel

Description

cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

References

https://docs.cpanel.net/release-notes/release-notes
https://docs.wpsquared.com/changelogs/versions/changelog/#13617
https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026
https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026
https://www.vulncheck.com/advisories/cpanel-and-whm-authentication-bypass-via-login-flow
https://github.com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41940

CVSS Breakdown

Version	3.1
Score	9.8 / 10
Severity	critical

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weakness (CWE)

CWE-306

Affected Product

Vendor	Cpanel
Product	Cpanel