CVE-2026-41940 is a critical authentication bypass in cPanel and WebHost Manager, rated CVSS 9.8. The vulnerability lets a remote attacker forge a valid session as root by exploiting how cPanel parses the Authorization header. Public proof-of-concept exploits are on GitHub. Shadowserver Foundation counted 44,000 IPs likely compromised through this bug by 30 April 2026, dropping to roughly 3,540 by 3 May as defenders started patching. The decline is patching plus reimaging, not the attackers losing interest.

Patch first. Read the rest after.

What the bug is

The vulnerability is a CRLF (carriage return / line feed) injection in how cPanel handles the Authorization header on incoming HTTP requests. By embedding \r\n sequences in the header value, an attacker can manipulate the parser into writing arbitrary content into the whostmgrsession cookie file. With a carefully crafted payload, the session file ends up containing user=root, and the next request authenticates as root without any credentials having been validated.

The bug affects cPanel/WHM versions after v11.40. Patched versions are:

  • 11.86.0.41
  • 11.110.0.97
  • 11.118.0.63
  • 11.126.0.54
  • 11.130.0.19
  • 11.132.0.29
  • 11.134.0.20
  • 11.136.0.5
  • WP Squared 136.1.7

The vulnerability is being exploited at scale, PoCs are public, and cPanel has shipped a patch in the current WHM release.

How to check whether you are exposed

  1. Identify your WHM version:

/usr/local/cpanel/cpanel -V

If the version is older than the currently patched WHM release, you are exposed. cPanel's automatic update channel should have applied the fix on systems that have not disabled auto-updates.

  2. Check for signs of compromise. cPanel released an updated detection script alongside the patch. Run it. The script looks for session files with user=root that do not match the audit trail of legitimate root logins, and for residual webshells in document roots that the active campaigns are known to drop.

  3. Inspect outbound traffic. Compromised cPanel servers in this campaign have been observed beaconing to command-and-control infrastructure. Egress logs from the period 15 April onwards are the place to look. The 44,000-IP figure from Shadowserver came from passive observation of those beacons, so if you have egress filtering or a network-level IDS, check whether your server is in that count.
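
The version check in step 1 and the session triage in step 2, as an added shell example that is not cPanel's detection script and not part of the original advisory. It assumes that /usr/local/cpanel/cpanel -V prints the version as its first token, and that a WHM session file can be read as key=value lines carrying user= and ip= (both assumptions, not facts from the advisory); the patched-build table is the version list quoted above, and the sample session files and the audit list of legitimate root-login addresses are constructed so the script runs offline.

```shell
#!/bin/sh
# Added triage helpers for steps 1 and 2 (example code, not cPanel's script).
# Assumptions: `cpanel -V` prints the version as its first token, and a
# session file is key=value lines containing `user=` and `ip=`.

# Fixed build for each 11.x branch, taken from the advisory's version list.
PATCHED_BUILDS="86:41 110:97 118:63 126:54 130:19 132:29 134:20 136:5"

is_num() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; return 0; }

# cpanel_patch_status VERSION
# Prints patched / vulnerable / unknown-branch and returns 0 / 1 / 2.
cpanel_patch_status() {
    set -- $1                      # keep only the first whitespace-separated token
    v=${1:-}
    major=$(printf '%s' "$v" | cut -s -d. -f1)
    branch=$(printf '%s' "$v" | cut -s -d. -f2)
    build=$(printf '%s' "$v" | cut -s -d. -f4)
    if ! is_num "$major" || ! is_num "$branch" || ! is_num "$build" || [ "$major" -ne 11 ]; then
        echo unknown-branch; return 2
    fi
    for entry in $PATCHED_BUILDS; do
        if [ "$branch" -eq "${entry%%:*}" ]; then
            if [ "$build" -ge "${entry##*:}" ]; then
                echo patched; return 0
            fi
            echo vulnerable; return 1
        fi
    done
    # A branch with no listed fix (11.40 < v < 11.86, or an interim build line)
    # is still exposed; treat it as unpatched until cPanel says otherwise.
    echo unknown-branch; return 2
}

# suspect_root_sessions SESSION_DIR AUDIT_IPS_FILE
# Lists session files that claim user=root but whose ip= value has no
# legitimate root login recorded in AUDIT_IPS_FILE (one address per line).
# Trailing control characters are tolerated so a stray \r cannot hide a match.
suspect_root_sessions() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -q '^user=root[[:space:]]*$' "$f" || continue
        ip=$(sed -n 's/^ip=\([^[:space:]]*\).*/\1/p' "$f" | head -n 1)
        if [ -z "$ip" ] || ! grep -qxF -- "$ip" "$2"; then
            basename "$f"
        fi
    done
}

# Constructed sample data (not from any real host) so the helpers run offline.
build_sample() {
    d=$(mktemp -d)
    mkdir "$d/sessions"
    printf 'user=root\nip=203.0.113.10\n'     > "$d/sessions/root_legit"
    printf 'user=root\nip=198.51.100.77\n'    > "$d/sessions/root_forged"
    printf 'user=webuser\nip=198.51.100.77\n' > "$d/sessions/tenant"
    printf '203.0.113.10\n'                    > "$d/root_logins.txt"
    echo "$d"
}

# Stand-alone use: check a version given as $1, or the live server if present.
if [ -n "${1:-}" ]; then
    cpanel_patch_status "$1"
elif [ -x /usr/local/cpanel/cpanel ]; then
    cpanel_patch_status "$(/usr/local/cpanel/cpanel -V)"
fi
```

Run it with no arguments on the server to classify the installed build, or pass a version string to classify a host you inventoried remotely; an exit status of 2 (unknown-branch) means the build line has no fix on the advisory's list and should be treated as exposed. suspect_root_sessions is a hint for manual review, not a replacement for cPanel's own detection script.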

How to patch

The cPanel update channel handles this. Force an immediate update rather than waiting for the next scheduled run:

/scripts/upcp --force

Verify the version after the upgrade:

/usr/local/cpanel/cpanel -V

If you manage WHM through a control panel that delays updates, override the schedule for this patch.

If you find indicators of compromise

Treat the host as compromised, not as merely vulnerable. The authentication bypass gives root, and attackers in this campaign have been observed installing persistence (cron entries, systemd services, modified /etc/passwd, SSH key additions to /root/.ssh/authorized_keys). Patching the WHM binary does not remove any of those.

The clean response is to reimage. If reimaging is not feasible on your timeline:

  • Audit /root/.ssh/authorized_keys and remove unknown keys
  • Check crontab -l for every user account, especially root, cpanel, nobody
  • Compare /etc/passwd against a known-good baseline
  • Inspect /usr/local/cpanel/logs/ for session files created by IPs you do not recognise
  • Rotate every credential, API key, and SSH key on the host
  • Re-issue TLS certificates if private keys were on the box
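
Three of the checklist items above (authorized_keys, crontabs, /etc/passwd) as an added shell example; this is not cPanel's tooling and not part of the original advisory. It assumes you keep a known-good copy of /etc/passwd and an allowlist of SSH public keys in the usual "type base64 [comment]" form, and that cron is cronie so crontab -l -u works; the sample passwd files and key files it builds are constructed so the checks run offline.

```shell
#!/bin/sh
# Added persistence-audit helpers for the checklist (example code, not cPanel's).
# Assumptions: a known-good /etc/passwd baseline, an allowlist of SSH public
# keys ("type base64 [comment]", one per line), and cronie's crontab -u.

# new_passwd_entries BASELINE CURRENT
# Prints "added:NAME" for accounts absent from the baseline and "uid0:NAME"
# for any non-root account with UID 0 (a backdoor that survives a WHM patch).
new_passwd_entries() {
    awk -F: 'NR == FNR { seen[$1] = 1; next }
             !($1 in seen)           { print "added:" $1 }
             $3 == 0 && $1 != "root" { print "uid0:" $1 }' "$1" "$2"
}

# unknown_ssh_keys AUTHORIZED_KEYS ALLOWLIST
# Prints the line number and comment of every key in AUTHORIZED_KEYS whose
# type+material pair is not on the allowlist. A leading options field
# (e.g. command="...") is skipped so it cannot hide a key from the check.
unknown_ssh_keys() {
    awk 'NR == FNR { if (NF >= 2) ok[$1 " " $2] = 1; next }
         /^[[:space:]]*#/ || NF == 0 { next }
         {
             for (i = 1; i < NF; i++)
                 if ($i ~ /^(ssh-|ecdsa-|sk-)/) break
             if (!(($i " " $(i + 1)) in ok))
                 print "unknown-key: line " FNR ": " (NF > i + 1 ? $(i + 2) : "(no comment)")
         }' "$2" "$1"
}

# all_crontabs PASSWD_FILE
# Dumps every account's crontab prefixed with the user name (needs root).
# Review root, cpanel and nobody first, as the checklist says.
all_crontabs() {
    cut -d: -f1 "$1" | while read -r u; do
        crontab -l -u "$u" 2>/dev/null | sed "s/^/$u: /"
    done
}

# Constructed sample host state (not real data) so the checks run offline.
build_sample_host() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\nnobody:x:99:99::/:/sbin/nologin\n' > "$d/passwd.baseline"
    printf 'root:x:0:0:root:/root:/bin/bash\nnobody:x:99:99::/:/sbin/nologin\nsysupd:x:0:0::/:/bin/bash\n' > "$d/passwd.current"
    printf 'ssh-ed25519 AAAAC3known admin@ops\n' > "$d/allowed_keys"
    printf '# ops key\nssh-ed25519 AAAAC3known admin@ops\ncommand="/bin/true" ssh-rsa AAAAB3rogue backdoor@nowhere\n' > "$d/authorized_keys"
    echo "$d"
}
```

On a live host, call new_passwd_entries with your baseline and /etc/passwd, unknown_ssh_keys with /root/.ssh/authorized_keys and your allowlist, and all_crontabs with /etc/passwd; anything these print is a lead to investigate, and an empty result does not clear the host, which is why the advisory's recommendation remains to reimage.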

The compromised IPs in the Shadowserver data set were skewed toward shared-hosting providers, which means that on those hosts, the customer accounts hosted on the same server are also exposed to whatever persistence the attackers left behind. If you run a multi-tenant cPanel host, the impact radius extends to every tenant.

What does not help

Disabling WHM's web interface on port 2087 does not close the vulnerability if the API is still reachable. The same parser handles both. WAF rules that look for literal \r\n in the Authorization header may catch naive PoCs but will miss encoded variants. Geo-blocking helps statistically but the attacker pool is global.

The only reliable path is the patch.

Read the Hacker News coverage for the Shadowserver numbers and the broader campaign context, the Rapid7 advisory for the technical breakdown, and the cPanel security advisory for the canonical version list.