Originally published at https://monstadomains.com/blog/cpanel-authentication-bypass/
If your website runs on shared hosting, there is a good chance it sat exposed for months without your knowledge. CVE-2026-41940, the cPanel authentication bypass that hit approximately 1.5 million internet-facing servers, had been actively exploited since at least February 23, 2026 – two full months before a patch became available. Rated CVSS 9.8, this is not a theoretical risk. Attackers used the cPanel authentication bypass to gain full root access to servers without entering a single valid credential. The web hosting infrastructure powering tens of millions of websites had a critical flaw baked in, and most site owners had no idea it was happening.
What the cPanel Authentication Bypass Actually Does
cPanel and its companion tool WebHost Manager (WHM) are the control panels used by most shared and managed hosting providers worldwide. They let site owners manage files, databases, DNS records, and email accounts from a single web interface. When attackers exploit the cPanel authentication bypass tracked as CVE-2026-41940, they do not need a username or password. They bypass the login screen entirely and gain full administrative access to the server.
The flaw behind the cPanel authentication bypass is a CRLF injection vulnerability in the login and session-loading processes. An attacker manipulates the whostmgrsession cookie by omitting an expected segment of its value, which skips the encryption step entirely. The system then writes a session file without sanitising the injected data, allowing the attacker to insert arbitrary properties such as user=root directly into the session. The result is root-level control of the server with no credentials required. Picus Security’s technical breakdown of the vulnerability explains in full detail how the session injection is constructed.
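To make the failure mode concrete, here is an added toy model (not cPanel's code, session format, or cookie layout, all of which are invented here for illustration) of a line-oriented session store whose writer does not sanitise values. It shows why an unvalidated write lets a value carrying a CRLF smuggle in a forged property, and what the hardened writer that refuses such input looks like. The field names, the user `alice`, and the `ui_theme` preference are constructed assumptions.

```python
"""Toy model of the failure mode the post describes: a line-oriented session store
whose writer does not sanitise values, so an injected CRLF smuggles in an extra
property. This is a constructed illustration, NOT cPanel's session format or code;
the field names and values are invented for the demonstration."""
import re

# Properties a legitimate login would persist (constructed sample data).
SESSION_BASE = {"user": "alice", "role": "customer"}

# Characters that must never appear inside a key or value of a line-oriented store:
# line breaks (they would start a new record), NUL, and the key/value separator.
FORBIDDEN = re.compile(r"[\r\n\x00=]")


def serialize_vulnerable(props: dict) -> str:
    """Writes one key=value line per property with no validation (the defect)."""
    return "".join(f"{key}={value}\n" for key, value in props.items())


def serialize_hardened(props: dict) -> str:
    """Same layout, but refuses any key or value carrying a forbidden character."""
    for key, value in props.items():
        if FORBIDDEN.search(str(key)) or FORBIDDEN.search(str(value)):
            raise ValueError(f"illegal character in session property {key!r}")
    return "".join(f"{key}={value}\n" for key, value in props.items())


def load_session(text: str) -> dict:
    """Naive loader: the last occurrence of a key wins, which is what makes
    an injected duplicate line take effect."""
    session = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            session[key] = value
    return session


def effective_user(serializer, client_value: str) -> str:
    """Stores a client-influenced preference alongside the login properties and
    reports which user the reloaded session now belongs to."""
    props = dict(SESSION_BASE)
    props["ui_theme"] = client_value  # hypothetical field the client may set
    return load_session(serializer(props)).get("user", "")


if __name__ == "__main__":
    benign = "dark"
    hostile = "dark\r\nuser=root"  # constructed: CRLF followed by a forged property
    print("vulnerable, benign :", effective_user(serialize_vulnerable, benign))
    print("vulnerable, hostile:", effective_user(serialize_vulnerable, hostile))
    try:
        effective_user(serialize_hardened, hostile)
    except ValueError as exc:
        print("hardened, hostile  : rejected ->", exc)
```

The toy models only the unsanitised write, not the skipped encryption step the post also mentions. The defensive lesson is the same either way: anything that ends up in a line-oriented or delimiter-separated store must be validated (or encoded) against the store's own delimiters before it is written, and a loader that silently lets later lines override earlier ones should at minimum log duplicate keys.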
A Zero-Day Exploited for Two Months Before the Patch
The Exploitation Timeline
The patch for the cPanel authentication bypass was released on April 28, 2026. But confirmed exploitation traces back to February 23, 2026 – roughly 65 days earlier. The CEO of KnownHost, a managed hosting provider, publicly reported finding evidence of exploitation attempts dating back to February on approximately 30 of their thousands of servers. This means the cPanel authentication bypass was a live, working attack vector for more than two months before the vendor or the broader hosting industry acknowledged it existed.
That 65-day window is significant. Attackers with access via the cPanel authentication bypass had root-level control of affected servers with no audit trail pointing to them. Any data stored on those servers – customer files, databases, domain account credentials, payment records – was potentially accessible without triggering any alerts. By the time cPanel released the patch on April 28, the damage to unmonitored servers had already been done silently over a two-month window.
Who Caught the Bug First
The exploitation of the cPanel authentication bypass was detected and publicised by a hosting provider, not by cPanel itself. That is not unusual in the security industry, but it points to a structural reality of shared hosting environments. Hosting providers sit between the software vendor and the end user, and their security monitoring – or absence of it – determines how quickly a live threat surfaces and gets contained.
1.5 Million Servers Exposed Before Patching
A Shodan query conducted after the cPanel authentication bypass disclosure identified approximately 1.5 million cPanel instances exposed to the public internet in a vulnerable state. Each of those instances typically hosts not one website but dozens or hundreds of sites on shared infrastructure. The real-world blast radius extends well beyond the server count alone.
Government cybersecurity agencies moved quickly once the cPanel authentication bypass was public. Canada’s cybersecurity agency issued an advisory stating that exploitation was “highly probable” and called for immediate patching. The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog – a designation reserved for confirmed real-world exploitation – and gave Federal Civilian Executive Branch agencies until May 3, 2026 to apply the fix. That is a five-day window from patch release, one of the tightest CISA has enforced in recent months.
The cPanel Authentication Bypass and Shared Hosting’s Blind Spot
The deeper issue exposed by the cPanel authentication bypass is what it says about the shared hosting model. When you host a website on a shared server, you do not control the underlying software stack. You cannot patch cPanel yourself. You cannot audit whether your hosting provider has applied the fix. You are entirely dependent on your provider’s internal security practices, and in most cases you have no visibility into what those practices actually look like in execution.
Namecheap responded to the cPanel authentication bypass by temporarily blocking customer access to cPanel while applying emergency patches. It was a defensible response, but it meant legitimate site owners could not access their own infrastructure during a critical window. HostGator internally classified CVE-2026-41940 as a “critical authentication-bypass exploit” and moved to patch quickly. But the speed of response varied widely across hundreds of hosting providers worldwide, meaning servers sat vulnerable for different lengths of time depending entirely on which host a customer happened to use.
This is the blind spot the cPanel authentication bypass exposed clearly. Your website’s security is not determined solely by the code you write or the passwords you choose. It is shaped by a dependency chain that includes your registrar, your DNS infrastructure, your hosting provider, and the software those providers run. For related context on how server-level issues interact with your domain setup, our coverage of recent SSL certificate changes for website owners in 2026 covers similar infrastructure risks.
CISA Added CVE-2026-41940 to the KEV Catalog – What That Means
CISA’s Known Exploited Vulnerabilities catalog is not a theoretical risk register. It is populated exclusively with vulnerabilities confirmed as actively exploited in the real world. When CISA adds an entry, it triggers mandatory remediation timelines for federal agencies and sends a clear public signal to private-sector organisations about severity. The cPanel authentication bypass earned its catalog entry based on confirmed exploitation evidence stretching back two months before the patch arrived.
The five-day federal patch deadline – from April 28 to May 3 – reflects how urgently CISA assessed the threat. For a vulnerability of this class, a five-day federal mandate is notably tight. It is an acknowledgment that the cPanel authentication bypass was not an emerging risk to prepare for but an active threat already operating in the environment, with an exploitation window running since February.
There is a broader signal here too. When a vendor publishes a security advisory, there is always room to question whether the severity rating is inflated to drive faster patch adoption. When CISA independently validates the threat, adds it to the KEV catalog, and issues a five-day federal mandate, the assessment carries external authority. The cPanel authentication bypass is a confirmed, government-validated active attack vector – not a theoretical worst-case scenario.
What Website Owners Should Do Now
If you manage your own VPS or dedicated server running cPanel, check your installed version immediately. The patched releases are 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5, along with WP Squared version 136.1.7. If you are on an earlier version, update now. As a temporary mitigation before patching, cPanel recommends blocking inbound traffic on ports 2083, 2087, 2095, and 2096 at the firewall level. That reduces your exposure to the cPanel authentication bypass but is not a substitute for patching.
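As an added example (not cPanel's own tooling), the following script turns the version list and port recommendation above into a check a server administrator can run. It assumes the installed version is a dotted numeric string such as `11.136.0.5` and that a real host stores it at `/usr/local/cpanel/version` (an assumed path; when the file is absent a constructed sample version is used so the script still runs). The firewall command it prints is an iptables rendering of the interim block described in the text.

```python
"""Checks an installed cPanel version against the fixed releases named in the post
and prints the interim firewall block for the cPanel, WHM and webmail ports.
Added example, not cPanel's own tooling. Assumptions: the version is a dotted
numeric string like '11.136.0.5'; /usr/local/cpanel/version is where a real host
stores it (assumed path; a constructed sample is used when it is absent)."""
from pathlib import Path

# Fixed releases listed in the post, one per maintained branch (major.minor).
PATCHED_RELEASES = ("11.110.0.97", "11.118.0.63", "11.126.0.54",
                    "11.132.0.29", "11.134.0.20", "11.136.0.5")
# Ports cPanel recommends blocking inbound until patched (cPanel, WHM, webmail).
MITIGATION_PORTS = (2083, 2087, 2095, 2096)
VERSION_FILE = Path("/usr/local/cpanel/version")  # assumed location


def parse_version(text: str) -> tuple:
    """'11.136.0.5' -> (11, 136, 0, 5); tuples compare component-wise numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def patch_status(installed: str) -> str:
    """Returns 'patched', 'vulnerable', or 'unknown-branch' when no fixed release
    shares the installed major.minor (treat that as needing vendor confirmation)."""
    have = parse_version(installed)
    for release in PATCHED_RELEASES:
        fixed = parse_version(release)
        if fixed[:2] == have[:2]:
            return "patched" if have >= fixed else "vulnerable"
    return "unknown-branch"


def read_installed_version(path: Path = VERSION_FILE) -> str:
    """Reads the version file; falls back to a constructed sample off a cPanel host."""
    if path.is_file():
        return path.read_text().strip()
    return "11.134.0.18"  # constructed sample, deliberately below the fixed 11.134.0.20


def firewall_rule(ports=MITIGATION_PORTS) -> str:
    """iptables form of the interim block (needs root; adapt for nftables or a cloud ACL)."""
    return ("iptables -I INPUT -p tcp -m multiport --dports "
            + ",".join(str(p) for p in ports) + " -j DROP")


if __name__ == "__main__":
    version = read_installed_version()
    status = patch_status(version)
    print(f"installed cPanel {version}: {status}")
    if status != "patched":
        print("interim mitigation until patched:")
        print("  " + firewall_rule())
```

Two caveats when using this: the comparison only tells you whether the build number is at or above the fixed release for your branch, so a version on a branch that is not in the list needs confirmation from cPanel rather than a guess; and the port block also locks out legitimate cPanel and WHM logins, so keep server management reachable through SSH or an allowlisted source address while it is in place.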
If you are on shared or managed hosting, contact your provider and ask for written confirmation that the patch has been applied to the specific server your account sits on. Most providers should be patched by now, but “should be” and “confirmed” are not the same thing. Get it in writing. If your provider cannot give you patch confirmation within 24 hours, treat that as a signal about their security posture.
Beyond immediate patching, consider what happens to your domain if your hosting account is compromised. If your domain registration credentials or WHOIS data can be reached through a compromised hosting panel, a server breach can escalate into a domain hijacking. Keeping your domain registration separate from your hosting infrastructure – and using WHOIS privacy protection at the registrar level – limits the damage from any single point of failure. MonstaDomains keeps registration data isolated from hosting by design, with no dependency between the two. Also verify your SSL certificates are still valid and were not altered during any potential exposure window. For the full technical detail on CVE-2026-41940 and the exploitation timeline, Help Net Security’s analysis is thorough and well-sourced.
The Takeaway
The cPanel authentication bypass is a case study in how infrastructure dependencies can undermine security decisions you thought you had already made. A CVSS 9.8 vulnerability exploited for two months before patching, affecting 1.5 million exposed servers, is not a niche edge case. It is what happens when a single widely deployed piece of software sits in the critical path of tens of millions of websites and the patch cycle lags behind active exploitation.
Three things to take from this: check your cPanel version now and patch if needed, get written confirmation from your host if you are on shared infrastructure, and review whether a compromise of your hosting account could cascade to your domain or DNS. The cPanel authentication bypass showed that server access and domain control are not as compartmentalised as many site owners assume.
If you want your domain registration to stay isolated from your hosting stack entirely, MonstaDomains offers zero-KYC domain registration that keeps your identity and infrastructure separate from the start.