Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Incorrect privileges management and insufficient path filtering allow to read arbitrary file on the server via the cpdavd attachment download endpoints.
AnalysisAI
Arbitrary file read in cPanel & WHM's cpdavd service allows remote unauthenticated attackers to retrieve sensitive files from the server through attachment download endpoints that fail to properly filter paths and enforce privilege boundaries. The flaw affects multiple supported cPanel release tiers (11.120 through 11.136) and WP Squared 11.120.1.0-11.136.1.12, scoring CVSS 8.6 due to network reach without authentication, though EPSS exploitation probability is only 0.04% and no public exploit identified at time of analysis.
Technical ContextAI
cpdavd is cPanel's WebDAV/CalDAV/CardDAV daemon that handles attachment downloads as part of the mail and calendaring stack on cPanel & WHM servers. The root cause is CWE-250 (Execution with Unnecessary Privileges) combined with insufficient path filtering: the attachment download endpoints operate with broader filesystem privileges than required and fail to canonicalize or constrain user-supplied paths, enabling traversal-style reads of arbitrary files accessible to the daemon's effective user. Because cpdavd typically runs with elevated rights to service multi-tenant mailboxes, the privilege scope materially widens the set of files an attacker can disclose.
RemediationAI
Vendor-released patch is available: upgrade cPanel & WHM to 11.124.0.38, 11.126.0.59, 11.130.0.23, 11.132.0.32, 11.134.0.26, or 11.136.0.10 depending on your release tier, and upgrade WP Squared to 11.136.1.12, per the cPanel advisory at https://support.cpanel.net/hc/en-us/articles/40437020299927-Security-CVE-2026-29205-cPanel-WHM-WP2-Security-Update-May-13-2026. Because cpdavd uses automatic updates by default on supported tiers, verify the running version with /usr/local/cpanel/cpanel -V after patching. As a temporary compensating control until patched, restrict network access to the cpdavd service ports (typically 2079/2080 for DAV) at the host or perimeter firewall to trusted management networks only - note this will break legitimate remote WebDAV/CalDAV/CardDAV clients for mail and calendar attachments, and stopping cpdavd entirely will disable DAV-based mail attachment download and calendar/contact sync for end users.
Same weakness CWE-250 – Execution with Unnecessary Privileges
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30178
GHSA-cc7w-h7g4-gq6p