SECURITY ALERT: Critical Authentication Bypass in cPanel & WHM (CVE-2026-41940)

Product / Version includes:

Deep Security 20.0 , TrendAI Vision One™ All

Last updated: 2026/04/30

Solution ID: KA-0023294

Category:

Summary

CVE-2026-41940 (CVSS 3.1: 9.8) is a critical pre-authentication vulnerability in cPanel & WHM - the world's most widely deployed web hosting platform - that allows an unauthenticated remote attacker to gain root-level access to the WHM (Web Host Manager) administrative interface without valid credentials.

Zero-day exploitation was confirmed before the patch was even available.

The vulnerability exploits two weaknesses in combination:

CRLF Injection: CRLF Injection in Basic Auth password processing — allowing an attacker to inject arbitrary session key-value pairs into the server-side session store.
Race Condition: Session file dual-storage race condition — cPanel stores session data in both a raw text file and a JSON cache. The attacker-injected data persists through this race window and is trusted by the authentication layer.

Potential Impact

Successful exploitation grants an unauthenticated attacker the highest level of server access. Potential consequences include:

Complete takeover of the WHM administrative interface with root privileges
Access to all hosted cPanel accounts on the affected server
Theft, modification, or deletion of hosted websites, email and databases
Deployment of webshells, malware or ransomware
Lateral movement to other systems on the same network
Data exfiltration including credentials, PII and business critical information

Given that cPanel is estimated to power over 70 million domains globally, the potential scope of impact is exceptionally broad.

Affected Systems and Remediation

The following are affected by CVE-2026-41940:

All currently supported versions of cPanel & WHM after 11.40 (cPanel security advisory)
Servers with WHM port 2087 or cPanel port 2083 exposed are at the highest risk

Affected users are strongly advised to review the relevant cPanel security advisory and apply the vendor supplied patches as soon as possible to mitigate risk.

TrendAI Protection and Detection Against Exploitation

In addition to the vendor supplied patches and remediation, TrendAI has released several critical information pieces and protections against exploitation.

TrendAI Vision One

Threat Intelligence Hub

TrendAI has added information into the Vision One Threat Intelligence Hub that provides relevant background information including Tactics, Techniques and Procedures (TTPs), Risk Management Guidance, and Threat Hunting Queries.

Cyber Risk Overview

A Time-Critical Vulnerability entry for this threat has been added in the Vision One Cyber Risk Overview section.

Detection Rules and Filters

TrendAI XDR for Cloud (for exploitation activities)

AWS Security Logging and Monitoring Evidence Removal

TrendAI XDR for Endpoints

cPanel Session File Creation in Raw Session Directory
Suspicious cPanel Session File Creation by External Process

TrendAI Vision One Endpoint Security IPS Rules (including Server and Workload Security (SWP) and Deep Security)

Rule 1012556

TrendAI Vision One Network Security Digital Vaccine (DV) Filters (including TippingPoint)

DV Filter 47364

TrendAI Deep Discovery Inspector (DDI)

Rule 5792 (NCIE/NCCP)

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

SECURITY ALERT: Critical Authentication Bypass in cPanel & WHM (CVE-2026-41940)

Potential Impact

Affected Systems and Remediation

TrendAI Protection and Detection Against Exploitation

SECURITY ALERT: Critical Authentication Bypass in cPanel & WHM (CVE-2026-41940)

Product / Version includes:

Summary

Potential Impact

Affected Systems and Remediation

TrendAI Protection and Detection Against Exploitation