
On April 28, 2026, cPanel pushed an emergency security update for what it described as a vulnerability affecting "various authentication paths" across all currently supported versions of cPanel and WHM (Web Host Manager — the server-level admin interface that controls virtually everything on a shared hosting server).
The advisory was clinical and brief. What it didn't say was that attackers were already inside.
The vulnerability, now tracked as CVE-2026-41940, is a CRLF injection flaw (a technique in which an attacker inserts hidden line breaks to manipulate file-based records) in cPanel's session-handling code. The root cause: a sanitization function called filter_sessiondata existed but was never called inside saveSession itself — every caller was expected to invoke it manually, and one critical code path in the core server daemon cpsrvd simply didn't.
KnownHost confirmed the exploitation window wasn't hours — it was at least 30 days. The vulnerability had been used as a zero-day against the management layer of a significant portion of the internet long before cPanel acknowledged a problem existed.
WatchTowr's researchers demonstrated the full attack chain. An attacker first triggers a failed login to mint a pre-authentication session, then sends a crafted HTTP Basic Authorization header — with the password field stuffed with \r\n-separated fake session records — while stripping the session cookie's encryption key. Those injected records land in the on-disk session file raw.
A second request, deliberately sent without a security token, forces cPanel to re-read the raw file and flush the injected data into the JSON cache. From that point, every subsequent request sees those forged values as legitimate session keys — including hasroot=1 and successful_internal_auth_with_timestamp, a flag that instructs cPanel to skip password validation entirely and return AUTH_OK unconditionally.
No password. No brute force. Full root-level access to WHM.
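To make the root cause concrete, here is an added toy model (not cPanel's code; the field names, the line-per-record on-disk format and the loader are assumptions) of a session writer that trusts every caller to sanitize, beside one that sanitizes inside the save function itself, with a loader that re-reads the record the way the flushed cache described above would:

```python
# Added illustration of the "sanitizer exists but the sink never calls it" bug.
# Format, names and parser are assumptions for this toy, not cPanel internals.
import re

CRLF_RE = re.compile(r"[\r\n]")


def filter_sessiondata(value: str) -> str:
    """Strip CR/LF so a value can never terminate its own record early."""
    return CRLF_RE.sub("", str(value))


def save_session_unsafe(fields: dict) -> str:
    """Vulnerable pattern: assumes callers already ran filter_sessiondata."""
    return "".join(f"{k}={v}\r\n" for k, v in fields.items())


def save_session_safe(fields: dict) -> str:
    """Hardened pattern: sanitize at the sink, so no caller can forget."""
    return "".join(
        f"{filter_sessiondata(k)}={filter_sessiondata(v)}\r\n"
        for k, v in fields.items()
    )


def load_session(raw: str) -> dict:
    """Re-read the on-disk record; a later duplicate key overrides an earlier one."""
    session = {}
    for line in raw.split("\r\n"):
        if "=" in line:
            key, value = line.split("=", 1)
            session[key] = value
    return session


def is_privileged(session: dict) -> bool:
    """Privilege check that trusts whatever the session file says."""
    return session.get("hasroot") == "1"


# Constructed input: a pre-auth session whose user-controlled field
# carries CRLF-separated fake records, as in the flaw described above.
TAINTED = {"user": "alice", "note": "x\r\nhasroot=1\r\nauth_ok=1"}

if __name__ == "__main__":
    print("unsafe:", is_privileged(load_session(save_session_unsafe(TAINTED))))
    print("safe:  ", is_privileged(load_session(save_session_safe(TAINTED))))
```

The takeaway is the fix pattern, not the payload: a sanitizer that callers must remember to invoke is a convention, and one missed call site turns it into a root-level bypass.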
Namecheap, a web hosting and domain registration company, disclosed that the issue "relates to an authentication login exploit that could allow unauthorised access to the control panel."
Hosting providers, including Namecheap, KnownHost, hosting.com, HostPapa, and InMotion Hosting, all blocked cPanel ports at the network level while waiting for the patch. cPanel released a fix roughly 2–3 hours after the public advisory, with full deployment across major providers taking 6–7 hours.
The numbers make the stakes clear. With over 70 million domains relying on cPanel, the flaw dramatically expanded the attack surface, potentially enabling mass website defacement, data exfiltration, and server compromise across the hosting supply chain.
But the timeline raises harder questions. An industry source told webhosting.today that the vulnerability had been reported to cPanel approximately two weeks before the April 28 public advisory, and that cPanel's initial response was that nothing was wrong.
Hosting.com's incident communications described the issue as having been "responsibly disclosed to cPanel," confirming that private disclosure preceded the public advisory. The gap between "we told them" and "patch available" is the window during which active exploitation occurred.
What you need to do right now:
If you manage a cPanel server, run /scripts/upcp --force as root to force the update, then verify your version with /usr/local/cpanel/cpanel -V. Patched builds are: 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, 11.136.0.5, and WP Squared 11.136.1.7.
Servers running unsupported or end-of-life versions will not receive patches and should be treated as actively compromised until proven otherwise. Enable two-factor authentication on WHM, restrict access to trusted IPs only, and audit your login logs for any suspicious access during the April 28 window before port blocks went into effect.
*The article has been updated after the WatchTowr post.