CVE-2026-41940 | THREATINT

Description

cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

PUBLISHED Reserved 2026-04-22 | Published 2026-04-29 | Updated 2026-04-30 | Assigner VulnCheck

CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-306 Missing Authentication for Critical Function

Product status

Default status

unaffected

11.110.0 (semver) before 11.110.0.97

affected

11.118.0 (semver) before 11.118.0.63

affected

11.126.0 (semver) before 11.126.0.54

affected

11.132.0 (semver) before 11.132.0.29

affected

11.134.0 (semver) before 11.134.0.20

affected

11.136.0 (semver) before 11.136.0.5

affected

11.86.0 (semver) before 11.86.0.41

affected

11.130.0 (semver) before 11.130.0.18

affected

Default status

unaffected

11.136.1 (semver) before 11.136.1.7

affected

Default status

affected

11.110.0 (semver) before 11.110.0.97

affected

11.118.0 (semver) before 11.118.0.63

affected

11.126.0 (semver) before 11.126.0.54

affected

11.132.0 (semver) before 11.132.0.29

affected

11.134.0 (semver) before 11.134.0.20

affected

11.136.0 (semver) before 11.136.0.5

affected

11.86.0 (semver) before 11.86.0.41

affected

11.130.0 (semver) before 11.130.0.18

affected

References

github.com/...s/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py exploit

support.cpanel.net/...-cPanel-WHM-Security-Update-04-28-2026 vendor-advisory patch

docs.cpanel.net/release-notes/release-notes release-notes

docs.wpsquared.com/changelogs/versions/changelog/ release-notes

www.namecheap.com/...y-vulnerability-in-cpanel-april-28-2026 third-party-advisory

www.vulncheck.com/...hm-authentication-bypass-via-login-flow third-party-advisory

cve.org (CVE-2026-41940)

nvd.nist.gov (CVE-2026-41940)

Download JSON