Skip to main content

cPanel WHM CVE-2026-32992

| EUVDEUVD-2026-30180 HIGH
Improper Certificate Validation (CWE-295)
2026-05-13 support@hackerone.com GHSA-3ph8-8g7q-2432
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 08:57 vuln.today
Patch available
May 13, 2026 - 23:17 EUVD

DescriptionCVE.org

SSL verification is disabled in the DNS Cluster system. This could allow for a malicious server to man-in-the-middle the request and capture credentials.

AnalysisAI

Credential interception in cPanel/WHM and WP Squared DNS Cluster system allows network-positioned attackers to perform man-in-the-middle attacks because SSL/TLS certificate verification is disabled when DNS Cluster nodes communicate. An attacker able to intercept traffic between cluster peers can impersonate a legitimate DNS Cluster server and capture authentication credentials transmitted during the request. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.03%), but SSVC marks the flaw as automatable with partial technical impact.

Technical ContextAI

The flaw is rooted in CWE-295 (Improper Certificate Validation): the DNS Cluster subsystem in cPanel/WHM and WP Squared establishes TLS connections between cluster nodes but does not validate the peer certificate against a trust anchor or check hostname binding. cPanel's DNS Clustering allows multiple WHM servers to share DNS zone data over an authenticated API, and credentials for that API are passed to the remote node during synchronization. Without certificate validation, the TLS channel provides encryption but no authentication of the remote endpoint, so any attacker who can redirect or intercept the connection (e.g., via ARP/BGP/DNS spoofing or a rogue upstream) can terminate the TLS session and harvest the cluster credentials in plaintext.

RemediationAI

Vendor-released patches are available - upgrade cPanel/WHM to 11.126.0.59, 11.130.0.23, 11.132.0.32, 11.134.0.26, or 11.136.0.10 (whichever matches your release tier), and upgrade WP Squared to 11.136.1.12, per the cPanel Security Advisory at https://support.cpanel.net/hc/en-us/articles/40437241987607-Security-CVE-2026-32992-cPanel-WHM-WP2-Security-Update-May-13-2026. Until patching is complete, restrict DNS Cluster traffic (TCP/2087 WHM API) to a dedicated management VLAN or VPN between trusted cluster peers and rotate any cluster API credentials that may have been exposed to untrusted paths; do not expose cluster endpoints to the public internet. As a defensive measure, audit DNS Cluster member lists and remove any unrecognized nodes, and after upgrading rotate cluster access hashes so previously captured credentials become invalid - note that aggressive network segmentation may break legitimate cross-datacenter clustering and credential rotation requires re-authorizing each peer.

Share

CVE-2026-32992 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy