cPanel & WHM Authentication Bypass CVE-2026-41940: CVSS 9.8
CVE-2026-41940: Unauthenticated remote attackers can bypass authentication in cPanel & WHM and WP Squared. CVSS 9.8. Patch released April 28, 2026.

Executive Summary
On April 28, 2026, cPanel issued a security update addressing a critical authentication bypass vulnerability in its cPanel & WHM and WP Squared products. Tracked as CVE-2026-41940, the flaw carries a CVSS score of 9.8 and allows unauthenticated remote attackers to bypass authentication mechanisms entirely, according to a Rapid7 analysis published April 29, 2026. The vulnerability affects all versions prior to the patch released on April 28. Given the widespread deployment of cPanel & WHM across shared hosting environments and managed service providers, the impact potential is substantial — an attacker gaining administrative access to a cPanel instance could compromise thousands of hosted websites, exfiltrate databases, and pivot to adjacent infrastructure.
Technical Analysis
Rapid7, which coordinated with cPanel on the disclosure, describes the root cause as "an issue with session loading and saving" in the authentication subsystem. The specific mechanism involves how cPanel & WHM and WP Squared handle session tokens during the authentication flow. An unauthenticated attacker can craft a malicious request that manipulates session state, effectively impersonating any authenticated user — including the root admin — without providing valid credentials.
The CVSS 9.8 score reflects the combination of network-based attack vector, low attack complexity, no privileges required, and no user interaction needed. The vulnerability is exploitable over the default HTTP/HTTPS management ports (typically 2082/2083 for cPanel, 2086/2087 for WHM). Rapid7 notes that the bug is present in both the cPanel & WHM control panel and the WP Squared WordPress management plugin, suggesting the session-handling code may be shared between the two products.
cPanel's release notes on April 28 described the fix as addressing "an issue with session loading and saving," but did not provide further technical detail at the time. Rapid7's subsequent analysis on April 29 confirmed the authentication bypass nature of the flaw and assigned the CVE identifier. The vulnerability was discovered internally by cPanel's security team, according to the advisory timeline.
Mitigations & Recommendations
Administrators should immediately apply the security update released by cPanel on April 28, 2026. Affected products include all versions of cPanel & WHM and WP Squared prior to the patch. No workarounds or mitigations short of patching have been identified by cPanel or Rapid7. Organizations should prioritize patching internet-facing cPanel and WHM interfaces, as these are the most exposed attack surface. For environments where immediate patching is not possible, restricting network access to cPanel/WHM management ports via firewall rules can reduce exposure, but this is not a substitute for applying the update. Rapid7 recommends monitoring authentication logs for anomalous session creation activity following the patch window.
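As an added illustration of the log-monitoring recommendation above (example code written for this article, not cPanel's or Rapid7's), the function below flags two kinds of anomalous session creation: a WHM session opened from an address outside an administrator allowlist, and one source opening many sessions in a short window. The log line format, the allowlist and the thresholds are constructed assumptions, since the advisory does not describe the real cPanel/WHM log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumption: administrators normally reach WHM only from these addresses.
ADMIN_ALLOWLIST = {"198.51.100.10", "198.51.100.11"}
BURST_LIMIT = 5                       # alert when one source opens this many
BURST_WINDOW = timedelta(seconds=60)  # sessions inside this window

# Constructed line format (NOT cPanel's real session log):
#   <ISO timestamp> src=<ip> service=<cpanel|whm> user=<name> event=<name>
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) service=(?P<svc>\S+) "
                     r"user=(?P<user>\S+) event=(?P<event>\S+)$")

def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec

def find_anomalies(lines):
    """Return (reason, src_ip, user) tuples for suspicious session creations."""
    alerts, recent = [], defaultdict(list)   # recent: src ip -> timestamps
    for line in lines:
        rec = parse(line)
        if rec is None or rec["event"] != "session_new":
            continue
        src, user, ts = rec["src"], rec["user"], rec["ts"]
        # 1. a WHM (root/reseller level) session from an address admins never use
        if rec["svc"] == "whm" and src not in ADMIN_ALLOWLIST:
            alerts.append(("whm_session_from_unknown_ip", src, user))
        # 2. one source opening many sessions in a short window; alert once,
        #    when the count within the window first reaches BURST_LIMIT
        recent[src] = [t for t in recent[src] if ts - t <= BURST_WINDOW] + [ts]
        if len(recent[src]) == BURST_LIMIT:
            alerts.append(("session_burst", src, user))
    return alerts

# Constructed sample log (documentation addresses from RFC 5737).
SAMPLE_LOG = """\
2026-04-29T10:00:01Z src=198.51.100.10 service=whm user=root event=session_new
2026-04-29T10:00:05Z src=203.0.113.7 service=cpanel user=alice event=login_failed
2026-04-29T10:00:09Z src=203.0.113.7 service=whm user=root event=session_new
2026-04-29T10:01:00Z src=203.0.113.9 service=cpanel user=site1 event=session_new
2026-04-29T10:01:10Z src=203.0.113.9 service=cpanel user=site2 event=session_new
2026-04-29T10:01:20Z src=203.0.113.9 service=cpanel user=site3 event=session_new
2026-04-29T10:01:30Z src=203.0.113.9 service=cpanel user=site4 event=session_new
2026-04-29T10:01:40Z src=203.0.113.9 service=cpanel user=site5 event=session_new
"""
```

Running `find_anomalies(SAMPLE_LOG.splitlines())` on the constructed log reports the unknown-IP root session from 203.0.113.7 and the five-session burst from 203.0.113.9; the allowlisted root login is not flagged.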