Skip to main content

cPanel & WHM CVE-2026-29205

| EUVDEUVD-2026-30178 HIGH
Execution with Unnecessary Privileges (CWE-250)
2026-05-13 support@hackerone.com GHSA-cc7w-h7g4-gq6p
8.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 08:57 vuln.today
Patch available
May 13, 2026 - 23:17 EUVD

DescriptionCVE.org

Incorrect privileges management and insufficient path filtering allow to read arbitrary file on the server via the cpdavd attachment download endpoints.

AnalysisAI

Arbitrary file read in cPanel & WHM's cpdavd service allows remote unauthenticated attackers to retrieve sensitive files from the server through attachment download endpoints that fail to properly filter paths and enforce privilege boundaries. The flaw affects multiple supported cPanel release tiers (11.120 through 11.136) and WP Squared 11.120.1.0-11.136.1.12, scoring CVSS 8.6 due to network reach without authentication, though EPSS exploitation probability is only 0.04% and no public exploit identified at time of analysis.

Technical ContextAI

cpdavd is cPanel's WebDAV/CalDAV/CardDAV daemon that handles attachment downloads as part of the mail and calendaring stack on cPanel & WHM servers. The root cause is CWE-250 (Execution with Unnecessary Privileges) combined with insufficient path filtering: the attachment download endpoints operate with broader filesystem privileges than required and fail to canonicalize or constrain user-supplied paths, enabling traversal-style reads of arbitrary files accessible to the daemon's effective user. Because cpdavd typically runs with elevated rights to service multi-tenant mailboxes, the privilege scope materially widens the set of files an attacker can disclose.

RemediationAI

Vendor-released patch is available: upgrade cPanel & WHM to 11.124.0.38, 11.126.0.59, 11.130.0.23, 11.132.0.32, 11.134.0.26, or 11.136.0.10 depending on your release tier, and upgrade WP Squared to 11.136.1.12, per the cPanel advisory at https://support.cpanel.net/hc/en-us/articles/40437020299927-Security-CVE-2026-29205-cPanel-WHM-WP2-Security-Update-May-13-2026. Because cpdavd uses automatic updates by default on supported tiers, verify the running version with /usr/local/cpanel/cpanel -V after patching. As a temporary compensating control until patched, restrict network access to the cpdavd service ports (typically 2079/2080 for DAV) at the host or perimeter firewall to trusted management networks only - note this will break legitimate remote WebDAV/CalDAV/CardDAV clients for mail and calendar attachments, and stopping cpdavd entirely will disable DAV-based mail attachment download and calendar/contact sync for end users.

Share

CVE-2026-29205 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy