
cPanel CVE-2026-32991

EUVD: EUVD-2026-30205 · HIGH
Incorrect Authorization (CWE-863)
2026-05-13 hackerone GHSA-cg6m-ghv2-fh4r
7.1
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: High
Availability: None

Lifecycle Timeline

Analysis generated: Jun 08, 2026 08:42 (vuln.today)
Patch available: May 14, 2026 02:01 (EUVD)
CVE published: May 13, 2026 22:07 (nvd)

Description (CVE.org)

Improper authorization checks of team members' privileges allow a team member to escalate privileges to the team owner account.

Analysis (AI)

Privilege escalation in cPanel and WP Squared allows an authenticated team member account to elevate its privileges to those of the team owner, granting full control over the hosting account. The flaw stems from improper authorization checks in the team-member privilege model and carries a CVSS 3.1 base score of 7.1 (high integrity impact). …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain Team Manager sub-account credentials
Delivery: Authenticate to the cPanel/WP2 web interface
Exploit: Send a crafted request to a team-privilege endpoint
Execution: Bypass the owner-vs-member authorization check
Persist: Inherit team owner privileges
Impact: Access or modify all account data and team members

Vulnerability Assessment (AI)

Exploitation: The attacker must already hold valid credentials for a cPanel/WP Squared Team Manager sub-user account on the target server (PR:L), so the deployment must have the Team Manager feature in use with at least one delegated team-member account; single-owner cPanel accounts with no team members are not exploitable. …

Risk Assessment: The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N) indicates a network-reachable, low-complexity attack requiring only low-privilege authenticated access and no user interaction, with high integrity impact; this is consistent with a privilege-escalation primitive rather than an unauthenticated remote takeover. …
Exploit Scenario: A reseller, contractor, or junior staffer who has been granted a low-privilege Team Manager sub-account in cPanel sends a crafted authenticated request to a team-privilege endpoint that does not verify that the caller is the team owner before acting on the request. Because the authorization check evaluates the wrong subject, the request succeeds and the team member gains owner-equivalent control of the hosting account, enabling them to read all hosted site data, modify other team members, or deploy malicious content. …
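The wrong-subject pattern in the scenario above, as an added hypothetical example that is not cPanel or WP Squared code: the handler, its request fields (actor, target, privileges) and the two-role team model are assumptions chosen only to show the bug class (CWE-863) next to the corrected check. The vulnerable variant decides "is this an owner?" about a name the client supplied; the hardened variant decides it about the authenticated session and refuses any request that names a different actor.

```python
"""Hypothetical owner-vs-member authorization check (CWE-863).

Added example only: this is not cPanel or WP Squared code. The handler,
its parameters ('actor', 'target', 'privileges') and the two-role team
model are assumptions used to show the bug class: the authorization
decision is made about a subject the client chose, not about the caller.
"""
from dataclasses import dataclass
from typing import Dict

OWNER = "owner"
MEMBER = "member"

Team = Dict[str, dict]


def make_team() -> Team:
    """Constructed sample team: one owner and one delegated team member."""
    return {
        "alice": {"role": OWNER, "privileges": {"email", "files", "team"}},
        "bob": {"role": MEMBER, "privileges": {"email"}},
    }


@dataclass(frozen=True)
class Session:
    """Server-side session: the only trustworthy statement of who is calling."""
    user: str


def vulnerable_set_privileges(team: Team, session: Session, params: dict) -> bool:
    """Vulnerable: the owner check is evaluated against params['actor'], a request
    field. A member who sends actor=<owner name> passes the check and can rewrite
    any member's privilege set, including their own."""
    actor = params.get("actor", session.user)        # wrong subject
    if team.get(actor, {}).get("role") != OWNER:
        return False
    target = params.get("target")
    if target not in team:
        return False
    team[target]["privileges"] = set(params["privileges"])
    return True


def hardened_set_privileges(team: Team, session: Session, params: dict) -> bool:
    """Hardened: the subject is always the session user, a request that names a
    different actor is rejected outright, and the owner record itself cannot
    be rewritten through this path."""
    if "actor" in params and params["actor"] != session.user:
        return False                                  # refuse impersonation
    if team.get(session.user, {}).get("role") != OWNER:
        return False                                  # members cannot grant
    target = params.get("target")
    if target not in team or team[target]["role"] == OWNER:
        return False                                  # owner is not a target
    team[target]["privileges"] = set(params["privileges"])
    return True


if __name__ == "__main__":
    attack = {"actor": "alice", "target": "bob",
              "privileges": ["email", "files", "team"]}
    bob = Session(user="bob")
    t = make_team()
    print("vulnerable:", vulnerable_set_privileges(t, bob, attack), t["bob"]["privileges"])
    t = make_team()
    print("hardened:  ", hardened_set_privileges(t, bob, attack), t["bob"]["privileges"])
```

When reviewing a real handler for this class of bug, the question to ask at every authorization decision is which variable carries the subject and where that variable was assigned; anything that can be traced back to the request body or query string rather than the session is the wrong subject.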
Remediation: Apply the vendor-released patch for your release tier as published in the cPanel May 13, 2026 security update (https://support.cpanel.net/hc/en-us/articles/40437254183959-Security-CVE-2026-32991-cPanel-WHM-WP2-Security-Update-May-13-2026). Fixed versions:

  • cPanel & WHM 11.136.0.10
  • 11.134.0.26
  • 11.132.0.32
  • 11.130.0.23
  • 11.126.0.59
  • 11.124.0.38
  • 11.118.0.67
  • 11.110.0.119 (11.110.0.118 for the CloudLinux 6 / CentOS 6 build)
  • WP Squared 11.136.1.12

Most cPanel installations on the STABLE/RELEASE tiers will pick this up via the normal upcp auto-update process. …
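A patch-level check against the fixed builds listed above, as an added example rather than vendor tooling. It assumes the installed version can be read from /usr/local/cpanel/version (verify that path on your own hosts), keys the fix table on the first three version components so each release tier is compared only against its own fixed build, handles the CloudLinux 6 / CentOS 6 exception for 11.110, and treats a tier the advisory does not mention as "not covered" rather than silently patched. A sample version string is constructed inline so it runs offline.

```python
"""Patch-level check for CVE-2026-32991.

Added example, not vendor tooling. The fixed builds below are the ones
listed in the remediation paragraph; the assumption that the installed
version is readable from /usr/local/cpanel/version is ours, and a sample
version string is constructed inline so the check runs offline.
"""
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Minimum fixed build per release series (series = first three components).
FIXED: Dict[Version, Version] = {
    (11, 136, 0): (11, 136, 0, 10),
    (11, 134, 0): (11, 134, 0, 26),
    (11, 132, 0): (11, 132, 0, 32),
    (11, 130, 0): (11, 130, 0, 23),
    (11, 126, 0): (11, 126, 0, 59),
    (11, 124, 0): (11, 124, 0, 38),
    (11, 118, 0): (11, 118, 0, 67),
    (11, 110, 0): (11, 110, 0, 119),
    (11, 136, 1): (11, 136, 1, 12),   # WP Squared
}
# The CloudLinux 6 / CentOS 6 build of 11.110 received the fix one build earlier.
FIXED_110_EL6: Version = (11, 110, 0, 118)

VERSION_FILE = "/usr/local/cpanel/version"   # assumed location; verify on your hosts


def parse_version(text: str) -> Version:
    """'11.130.0.23\\n' -> (11, 130, 0, 23); rejects anything but four integers."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected cPanel version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str, el6_build: bool = False) -> Optional[bool]:
    """True if the build is at or above the fix for its series, False if below,
    None if the series is not in the advisory (end-of-life or unknown tier:
    treat as unpatched and plan an upgrade to a supported tier)."""
    v = parse_version(version)
    series = v[:3]
    if el6_build and series == (11, 110, 0):
        return v >= FIXED_110_EL6
    fixed = FIXED.get(series)
    if fixed is None:
        return None
    return v >= fixed


def report(version: str, el6_build: bool = False) -> str:
    """One-line verdict, convenient for collecting across a fleet."""
    state = is_patched(version, el6_build)
    label = version.strip()
    if state is None:
        return f"{label}: series not covered by advisory, upgrade tier"
    return f"{label}: {'patched' if state else 'VULNERABLE'}"


def check_host(path: str = VERSION_FILE, el6_build: bool = False) -> str:
    """Read the installed version from disk and return the verdict line."""
    with open(path, encoding="ascii") as fh:
        return report(fh.read(), el6_build)


if __name__ == "__main__":
    # Constructed sample: an 11.130 host one build behind the fix.
    sample = "11.130.0.22\n"
    print(report(sample))
    try:
        print(check_host())
    except OSError as exc:
        print(f"could not read {VERSION_FILE}: {exc}")
```

Note that "patched" here means only that the build number is at or above the advisory's fixed build; it does not tell you whether a host has any Team Manager sub-accounts, which is the other half of the exposure condition described under Exploitation.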

Recommended Action (AI)

Within 24 hours: Identify all cPanel and WP Squared systems and prioritize critical production instances. …


CVE-2026-32991 vulnerability details – vuln.today
