CISA Adds Actively Exploited cPanel Authentication Bypass to Federal Threat List

Federal cybersecurity officials added a critical cPanel authentication bypass vulnerability to the government's Known Exploited Vulnerabilities catalog Thursday, warning that attackers are actively exploiting the flaw to gain unauthorized access to web hosting control panels, according to CyberScoop.

The vulnerability, tracked as CVE-2026-41940, affects all supported versions of cPanel and WebHost Manager released after version 11.40, as well as WP Squared, a WordPress-specific hosting management panel built on the cPanel platform. Security firm Rapid7 identified approximately 1.5 million cPanel instances exposed online through Shodan internet scans, though the precise number of vulnerable systems remains unknown.

cPanel released a patch Tuesday, but hosting provider KnownHost reported that successful exploits had already occurred in the wild before the fix became available. The Cybersecurity and Infrastructure Security Agency's inclusion of the CVE in its federal threat catalog signals that exploitation is confirmed and widespread enough to warrant mandatory patching for government agencies.

How the Authentication Bypass Works

Cybersecurity firm watchTowr published technical details Wednesday showing the flaw stems from improper input handling during the login process. cPanel writes data from login requests into server-side session files before verifying user identity, the analysis found.

Attackers exploit this by embedding hidden line breaks into the password field of a login request. cPanel fails to strip out these characters, allowing arbitrary data to be injected directly into the session file. Through a secondary malformed request, the injected data gets promoted into the session's active cache, where cPanel reads it as legitimate. The system then treats the session as already authenticated and skips password verification entirely, granting access without checking actual credentials.
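The mechanism described above is a newline-injection flaw in a line-oriented store. The following Python is an added illustration, not cPanel's code and not watchTowr's analysis: it models a toy key=value session file, a writer that stores the submitted password before any identity check, and a hardened writer that scrubs control characters inside the save path itself, which is the shape of fix cPanel's advisory describes. The field names (stage, user, authenticated, password) and the session layout are assumptions made for this example.

```python
# Added example (not cPanel's code): why an unscrubbed newline in one session
# field can forge another field, and how central scrubbing removes the problem.
import re

# Assumed for this demo: values may never contain CR, LF or NUL.
CONTROL_CHARS = re.compile(r"[\r\n\x00]")


def serialize_vulnerable(fields):
    """Writes fields as key=value lines with no check on the values.
    A value containing '\n' therefore ends its own line and starts a new key."""
    return "".join(f"{k}={v}\n" for k, v in fields.items())


def scrub(value):
    """Removes CR, LF and NUL so a value can never terminate its own line."""
    return CONTROL_CHARS.sub("", str(value))


def serialize_hardened(fields):
    """Same layout, but every value passes through scrub() in the writer,
    so no caller can forget to sanitize (the fix the article describes)."""
    return "".join(f"{k}={scrub(v)}\n" for k, v in fields.items())


def parse_session(text):
    """Naive reader of the toy format: a later duplicate key overrides an
    earlier one, which is the property a forged line relies on."""
    session = {}
    for line in text.splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            session[k] = v
    return session


def is_authenticated(session):
    return session.get("authenticated") == "1"


# Constructed login state as written before the password has been checked.
PREAUTH = {"stage": "preauth", "user": "alice", "authenticated": "0"}


def record_login_attempt(serializer, password):
    """Mimics writing the submitted password into the session file before any
    identity check, then reading the file back the way the server would."""
    fields = dict(PREAUTH, password=password)
    return parse_session(serializer(fields))


if __name__ == "__main__":
    # Constructed test input: a password value that carries a line break.
    tainted = "hunter2\nauthenticated=1"
    for name, writer in (("vulnerable", serialize_vulnerable),
                         ("hardened", serialize_hardened)):
        session = record_login_attempt(writer, tainted)
        print(f"{name}: authenticated={is_authenticated(session)} "
              f"password={session['password']!r}")
```

With the scrubbing writer the line break is removed before the file is written, so the whole submitted string lands in the password field as inert data and the session keeps its pre-authentication state. Rejecting such input outright (failing the request) is an equally valid choice; the essential point is that the check lives in the one code path every writer goes through.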

The vulnerability carries a 9.8 rating on the CVSS severity scale. Agencies managing WordPress hosting infrastructure or reselling hosting services to clients face direct exposure if their hosting providers run vulnerable cPanel versions.

[Image: cPanel authentication interface showing login screen]

Detection Scripts and Provider Response

cPanel published a detection script designed to scan session files for indicators of compromise, including sessions containing injected authentication timestamps, pre-authentication sessions with authenticated attributes, and password fields containing embedded newlines. watchTowr separately released a "Detection Artifact Generator" that administrators can use to verify whether their instances remain vulnerable.
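As an added example of the three indicator classes listed above, the Python below scans session files for them. It is not cPanel's detection script and does not know cPanel's real session format: it assumes a constructed key=value layout with the keys stage, user, authenticated, auth_time and password, and the sample files are constructed for the demonstration. What carries over is the logic: look for duplicate keys (a forged line sits beside the legitimate one), an authenticated marker or a login timestamp in a session that never passed the pre-authentication stage, and control characters or encoded line breaks in the password value.

```python
# Added example (not cPanel's detection script): scan toy session files for
# the indicator classes described in the article. Key names are assumptions.
import os
import re
from collections import Counter

PAIR = re.compile(r"^([^=\r\n]+)=(.*)$")
# CR left behind by a CRLF, a literal backslash-escape, or a URL-encoded break.
ENCODED_NEWLINE = re.compile(r"\r|\\[rn]|%0[aAdD]")
EPOCH = re.compile(r"^\d{9,10}$")


def parse_pairs(text):
    """Returns every (key, value) pair in file order, keeping duplicates."""
    pairs = []
    for line in text.split("\n"):
        m = PAIR.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def scan_session(text):
    """Returns a list of indicator tags found in one session file."""
    pairs = parse_pairs(text)
    counts = Counter(k for k, _ in pairs)
    values = dict(pairs)  # last value wins, as a naive reader would see it
    stage = values.get("stage")
    findings = []

    # A forged key normally appears next to the legitimate one.
    for key, n in counts.items():
        if n > 1:
            findings.append(f"duplicate-key:{key}")

    # Pre-authentication session carrying an authenticated attribute.
    if stage == "preauth" and any(k == "authenticated" and v == "1"
                                  for k, v in pairs):
        findings.append("preauth-authenticated")

    # Login timestamp where none should exist, or one that is not an epoch.
    stamps = [v for k, v in pairs if k == "auth_time"]
    if stamps and (stage == "preauth" or not all(EPOCH.match(v) for v in stamps)):
        findings.append("injected-auth-timestamp")

    # Password value still containing a control character or encoded break.
    if any(k == "password" and ENCODED_NEWLINE.search(v) for k, v in pairs):
        findings.append("password-control-chars")

    return findings


def scan_directory(path):
    """Maps each file under path to its findings; only files with hits."""
    report = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, encoding="utf-8", errors="replace") as fh:
                hits = scan_session(fh.read())
            if hits:
                report[name] = hits
    return report


# Constructed sample session files for the demonstration.
CLEAN_AUTH = "stage=authenticated\nuser=alice\nauthenticated=1\nauth_time=1712345678\n"
CLEAN_PREAUTH = "stage=preauth\nuser=bob\nauthenticated=0\n"
SUSPICIOUS = ("stage=preauth\nuser=mallory\nauthenticated=0\n"
              "password=x\r\nauthenticated=1\nauth_time=1712345678\n")

if __name__ == "__main__":
    for label, sample in (("clean-auth", CLEAN_AUTH),
                          ("clean-preauth", CLEAN_PREAUTH),
                          ("suspicious", SUSPICIOUS)):
        print(label, scan_session(sample))
```

Point scan_directory at a copy of the session directory rather than the live one, and treat any hit as a reason to invalidate the session and review the account, since a file with a forged authenticated marker is evidence of a bypass attempt regardless of whether it succeeded.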

Namecheap, a major domain registrar and hosting provider, took the step of temporarily blocking connections to cPanel and WHM ports 2083 and 2087 ahead of patch availability. The company began applying patches after cPanel's release earlier this week.

The patched releases address the issue across seven version branches, from 11.110.0 through 11.136.0, as well as WP Squared version 11.136.1. cPanel's advisory notes that the fix ensures potentially dangerous input is scrubbed automatically within the core session-saving process, rather than depending on each individual part of the codebase to handle sanitization separately. The patch also adds handling for cases where a per-session encryption key is missing, a condition the original code failed to account for and that attackers exploited to bypass password encoding entirely.

Why This Matters Now

Agencies that manage client WordPress sites on shared hosting platforms or maintain their own hosting infrastructure must verify immediately that their hosting providers have applied the cPanel patch. The window between patch release and widespread exploitation is typically measured in days, not weeks, and federal threat catalog inclusion indicates attackers are already scanning for vulnerable instances at scale.

For agencies running white-label hosting operations or reselling hosting services, this vulnerability represents a client trust issue beyond the technical threat. A single compromised cPanel instance can expose every client site on that server to unauthorized access, data exfiltration, and malware injection. Agencies should confirm patch status with hosting providers by name and request written confirmation of patching completion before May 9, the federal compliance deadline CISA typically enforces for KEV-listed vulnerabilities.

The technical details watchTowr published make exploitation straightforward for attackers with basic scripting skills. Agencies that cannot confirm their hosting provider has patched within 48 hours should consider migrating critical client sites to verified-patched infrastructure or implementing temporary IP-based access controls to cPanel interfaces until patch confirmation arrives. This is not a vulnerability agencies can afford to "wait and see" on—active exploitation confirmed by multiple hosting providers means the threat is already operational, and delayed response expands the attack surface with each passing hour.