On April 28, 2026, cPanel patched a critical authentication bypass vulnerability affecting cPanel and WebHost Manager (WHM), tracked as CVE-2026-41940. The issue stems from a flaw in the login and session handling process that allows Carriage Return Line Feed (CRLF) injection, enabling remote threat actors to bypass authentication and gain unauthorized access to the control panel.
cPanel and WHM are widely used Linux-based web hosting control panels that manage services and websites across more than 70 million domains. cPanel serves as the user-facing interface, while WHM provides administrative control.
Open-source reporting indicates that exploitation of CVE-2026-41940 may have been occurring as early as late February. Due to the availability of a proof-of-concept exploit, the broad attack surface, and the level of access it can provide, threat actors are likely to continue targeting this vulnerability in the near future.
Recommendation for CVE-2026-41940
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version. Applying the patches requires running manual commands; refer to cPanel’s update article for detailed instructions. cPanel also provided a workaround for users who are unable to apply the patch.
| Product | Affected Version | Fixed Version |
| cPanel & WHM | · Versions prior to 11.86.0.41
· Versions prior to 11.110.0.97 · Versions prior to 11.118.0.63 · Versions prior to 11.126.0.54 · Versions prior to 11.130.0.19 · Versions prior to 11.132.0.29 · Versions prior to 11.136.0.5 · Versions prior to 11.134.0.20 |
· 11.86.0.41
· 11.110.0.97 · 11.118.0.63 · 11.126.0.54 · 11.130.0.19 · 11.132.0.29 · 11.136.0.5 · 11.134.0.20 |
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.
