
Key Points
A new critical vulnerability, CVE-2026-41940, has been disclosed in cPanel & WHM. It allows unauthenticated attackers to gain root access on the underlying server and, from there, trivially achieve remote code execution (RCE). With over a million cPanel instances exposed to the internet, the affected population is enormous.
What is CVE-2026-41940?
CVE-2026-41940 is a pre-authentication flaw that lets an attacker escalate directly to root on the cPanel host, without the need for credentials. From root, full RCE on the system is trivial, meaning every site, database, and credential on the server is in the attacker's hands.
The exploit is reliable, well documented, and affects every version of cPanel and WHM prior to the patch released on April 28, 2026.
cPanel is one of the most widely deployed web hosting control panels in the world.
By design, its management interface is reachable from the internet; that is how administrators, resellers, and customers use it day to day. For many cPanel deployments, internet exposure is hard to avoid, especially when hosting providers run the panel on behalf of customers, which is its core use case. That said, where it doesn't need to be exposed, it should be removed from the internet.
A patch with a catch
cPanel ships with automated update functionality, which on default deployments will eventually pull in the fix. But there are two important caveats defenders need to be aware of:
- Auto-update can be disabled: Hosting providers and administrators often turn it off to control their own change windows.
- Auto-update isn't instant: Even with auto-update enabled, the patch window can stretch to 24 hours. That's more than enough time for opportunistic attackers to reach exposed hosts before the fix lands.
For shared hosting providers, the blast radius is particularly severe. A single compromised cPanel instance can mean hundreds or thousands of customer sites in the attacker's hands.
Why CVE-2026-41940 matters now
The combination of factors here is unusually bad: pre-auth access, root-level impact, an enormous internet-exposed footprint, and a reliable, well-documented exploit, all on a product that most organizations can't simply remove from the internet.
Given the size of the exposed population and how straightforward the exploitation path is, mass scanning and opportunistic compromise are an inevitability rather than a possibility.
But cPanel is one product, and this is one CVE. The same pattern will play out with something else next month. The organizations best placed to handle it are the ones that already know what they have on the internet, and have kept exposure to what genuinely needs to be there.
What should you do?
- Patch immediately: Update to the latest cPanel & WHM release via cPanel's security advisory. Don't wait for the auto-update window to come around.
- Verify auto-updates are on: If you've turned them off, now is a good moment to make sure there's a good reason.
- Check for compromise: The advisory includes a detection script to identify hosts that have already been hit. Given the reliability of the exploit, run it regardless of patch status. If your panel was reachable from the internet at any point before patching, it's worth confirming.
- Treat exposed data as suspect: If your cPanel instance was internet-facing and unpatched, treat any credentials, API keys, or customer data on that host as potentially compromised until you've established otherwise.
- Check what's exposed: Intruder flags 1,000+ pieces of software like cPanel that don't need to be public. Get them off the internet so you're not scrambling when the next CVE drops.
Intruder continuously monitors what your organization has exposed to the internet and keeps you ahead of emerging threats. Book an intro call or start a free trial today.

Facts Only

* A new critical vulnerability, CVE-2026-41940, has been disclosed in cPanel and WHM.
* The vulnerability allows unauthenticated attackers to gain root access on the server and achieve remote code execution (RCE).
* The exploit is a pre-authentication flaw that grants direct escalation to root without credentials.
* The exploit is reliable and affects all versions of cPanel and WHM prior to the patch released on April 28, 2026.
* Over a million cPanel instances are exposed to the internet.
* The management interface is designed to be reachable from the internet.
* A patch is available via cPanel's security advisory.
* Automated updates may be disabled by administrators.
* Even with auto-update enabled, the patch window can stretch to 24 hours, leaving exposed hosts open to attackers before the fix is applied.
* A detection script is available to identify potentially compromised hosts.

Executive Summary

A critical vulnerability, CVE-2026-41940, affects cPanel and WHM, allowing unauthenticated attackers to gain root access on the underlying server and achieve remote code execution (RCE). The flaw is a pre-authentication vulnerability that bypasses the need for credentials to escalate directly to root. This vulnerability impacts an enormous population of cPanel instances exposed to the internet. Although cPanel has automated update functionality, patches may not be applied instantly, and auto-updates can be disabled, creating a delay in remediation. The exposure is particularly severe for shared hosting providers, where a single compromised instance can affect hundreds or thousands of customer sites. Immediate action involves patching the software, verifying update settings, running detection scripts to check for existing compromise, and treating all exposed data as potentially compromised.

Full Take

The combination of a root-level vulnerability, massive exposure, and systemic complexities surrounding patching creates a landscape where opportunistic compromise is highly probable. The core pattern observed is the gap between the theoretical security of a product and the operational reality of its deployment, particularly within shared hosting environments. The caveat that auto-updates can be disabled, or the patching window can stretch to 24 hours, fundamentally shifts the defensive posture from proactive security to reactive response. This structure creates an environment where the expectation of automated safety is undermined by administrative control and deployment reality. The narrative leverages fear of mass compromise to drive immediate action, which is a valid response to a tangible threat, but it risks obscuring the deeper systemic failure: the reliance on configurations that permit mass exposure. The implication is that security is often treated as a post-hoc fix rather than a foundational design principle. The real vulnerability is not just the code flaw, but the operational environment that allows millions of systems to remain exposed and unpatched, turning potential security deficits into guaranteed risks for the exposed population.