Skip to main content

cPanel & WHM EUVDEUVD-2026-26246

| CVE-2026-41940 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-04-29 VulnCheck
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Added to CISA KEV
May 04, 2026 - 18:09 cisa
CISA KEV
PoC Detected
May 04, 2026 - 18:09 vuln.today
Public exploit code
Started Trending
Apr 30, 2026 - 18:00 vuln.today
12.0
Added to CISA KEV
Apr 30, 2026 - 17:02 CISA
CVSS changed
Apr 29, 2026 - 16:22 NVD
9.8 (CRITICAL) 9.3 (CRITICAL)
EUVD ID Assigned
Apr 29, 2026 - 15:30 euvd
EUVD-2026-26246
Patch released
Apr 29, 2026 - 15:30 nvd
Patch available
CVE Published
Apr 29, 2026 - 15:10 nvd
CRITICAL 9.3

DescriptionCVE.org

cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

AnalysisAI

Authentication bypass in cPanel & WHM allows unauthenticated remote attackers to gain unauthorized access to the control panel by exploiting a flaw in the login flow. The vulnerability is confirmed actively exploited (CISA KEV) with publicly available exploit code, an EPSS score of 16.52% (95th percentile), and affects multiple long-term support branches of cPanel & WHM as well as WP Squared. Given that cPanel administers shared hosting environments, successful exploitation typically grants attackers control over many downstream customer sites.

Technical ContextAI

cPanel & WHM is a widely deployed Linux-based web hosting control panel that provides administrators and resellers with a web UI (cPanel for end users, WHM for hosting administrators) to manage domains, email, databases, DNS, and server configuration. The root cause is CWE-306 (Missing Authentication for Critical Function), meaning the login flow fails to properly enforce authentication on a code path that should require valid credentials. WP Squared, cPanel's managed WordPress offering, shares the same vulnerable code path. Because cPanel/WHM typically runs with high privileges on shared hosting servers and exposes its management interfaces on TCP ports 2082-2087, an authentication bypass effectively grants attackers administrative control of the hosting stack.

RemediationAI

Apply the vendor-released patch immediately by upgrading to one of the fixed versions appropriate to your release train: cPanel & WHM 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5, and WP Squared 11.136.1.7. Most cPanel installations are configured for automatic updates via upcp, so verify that auto-update is enabled and that the host has actually picked up the patched build (check /var/cpanel/version and the cPanel Tweak Settings update tier). Until patched, restrict network access to the cPanel/WHM management ports (2082, 2083, 2086, 2087, and the Webmail ports 2095/2096) to known administrator IPs via firewall or a reverse proxy ACL - this breaks remote login for anyone outside the allowlist, so coordinate with resellers and customer support before deploying. After patching, audit authentication logs (/usr/local/cpanel/logs/access_log, login_log) and reseller activity for signs of prior compromise given the confirmed in-the-wild exploitation, and rotate WHM root, reseller, and cPanel user credentials plus API tokens.

Share

EUVD-2026-26246 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy