External risk intelligence

cPanel and WHM Unauthorized Access Vulnerability.

CVE advisoryKnown Exploit

CVE-2026-41940

An authentication bypass vulnerability in cPanel and WHM allows unauthenticated attackers to gain unauthorized access. This presents a significant business risk by potentially exposing sensitive system configurations and data. Organizations using affected versions should prioritize immediate action to identify and secu

5Halo Surface Signal

Missing Authentication

Cpanel

11.40 to before 86.0.4188.0.0 to before 110.0.97112.0.0 to before 118.0.63120.0.0 to before 124.0.35126.0.1 to before 126.0.54128.0.0 to before 130.0.19132.0.0 to before 132.0.29134.0...

External exposure likelihood

Halo Surface Signal score for CVE-2026-41940

cPanel and WHM are server management and web hosting control panel interfaces designed to be accessed via the public internet for administrative purposes. These platforms function as web-based gateways and are inherently exposed to external network traffic in standard deployment scenarios.

PCI scan relevance

PCI Relevance for CVE-2026-41940

Yes

CVE-2026-41940 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This CVE is PCI relevant as it allows unauthenticated remote attackers to bypass login controls and gain unauthorized access to the control panel, which is an automatic fail class for ASV scans.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

cPanel and WHM are susceptible to an authentication bypass flaw within their login process. This vulnerability allows remote attackers to access the control panel without proper authentication. The potential impact includes unauthorized system access.

  • Vulnerable control panel login
  • Bypasses authentication controls
  • Unauthorized access to systems

Attack Path

How an attacker could exploit the issue

An unauthenticated remote attacker can bypass authentication to gain unauthorized access to the control panel. This vulnerability impacts the integrity and confidentiality of systems and data managed by the affected control panels. The attacker can then leverage this access to perform further malicious actions.

  • Exposure condition: Publicly accessible login flow.
  • Attacker starting point: Network.
  • Trigger and result: Bypass authentication, gain control.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in cPanel and WHM's login process allows attackers to bypass authentication and gain unauthorized access to the control panel. Exploitation could lead to significant compromise of hosted environments and sensitive data. The critical nature and confirmed exploitation by ransomware indicate a high-priority threat.

  • Attackers likely possess moderate skills.
  • No access or conditions are required for exploitation.
  • Business risk is critical; treat as urgent.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An authentication bypass vulnerability in cPanel and WHM allows unauthenticated attackers to gain unauthorized access to the control panel. This critical issue presents a significant business risk by potentially exposing sensitive system configurations and data. Organizations using affected versions should prioritize immediate action to identify and secure their environments.

  • Identify all exposed cPanel and WHM assets.
  • Reduce exposure by restricting network access.
  • Apply vendor updates, validate, and monitor.

Frequently asked questions

What is the software context for CVE-2026-41940?

CVE-2026-41940 affects cPanel and WHM versions after 11.40, as well as WP Squared versions prior to 136.1.7. These are control panel software used for managing web hosting environments.

How is the vulnerability in CVE-2026-41940 described?

This vulnerability is an authentication bypass flaw in the login flow. It allows unauthenticated remote attackers to gain unauthorized access to the control panel, indicating a weakness in access control mechanisms.

What is the trigger path and scope for this vulnerability?

The vulnerability is triggered through the login flow, allowing unauthenticated remote attackers to bypass authentication. The scope is the control panel itself, granting unauthorized access.

What is the relevance of CVE-2026-41940, particularly regarding threat advisories?

This vulnerability is relevant due to its classification as 'external' by Halo, meaning it is accessible via the network. It has been identified as a critical threat and is listed on the Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation and a high likelihood of impact. The Halo Surface Signal indicates it is 'Very likely' exploitable due to the nature of cPanel and WHM being internet-facing.

What practical steps should be taken to respond to this vulnerability?

Organizations should immediately identify all exposed cPanel and WHM assets, and reduce exposure by restricting network access. Applying vendor-provided updates and then validating and monitoring the systems are crucial steps to mitigate the risk.

References

Cyber Threat Intelligence (CTI)

Sources: threatActor

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified