Critical cPanel Vulnerability Lets Attackers Bypass Login, Gain Root Access


A critical cPanel vulnerability lets attackers bypass login and gain root access, with active exploitation reported before patches were released.

Cybersecurity researchers at watchTowr Labs have reported a critical security vulnerability in cPanel and WHM (Web Host Manager), a software suite used to manage over 70 million websites globally. For context, WHM is used for server-wide administration and cPanel by individual website owners. The vulnerability, tracked as CVE-2026-41940, allows hackers to bypass the suite’s login screens entirely and gain root access.

The risk is unmistakable: CVE-2026-41940 has a CVSS score of 9.8 and affects all cPanel versions, even EoL (End-of-Life) ones. And this isn’t a theoretical threat, because several hosting providers, KnownHost among them, found this flaw being exploited as a 0-day since late February 2026.

That means servers were being compromised two months before an urgent patch was released by cPanel developer WebPros International L.L.C. on 28 April 2026.

Breaking the login system

This issue is essentially a Missing Authentication for Critical Function error in a service called cpsrvd (the cPanel service daemon), which handles logins. When a user needs to log in, the server creates a file under /var/cpanel/sessions/raw/ for tracking the request.

According to watchTowr Labs’ research, a hacker can manipulate the whostmgrsession cookie by removing a specific segment of its value, which sidesteps the encryption the server normally applies to user data. The hacker then has to break the line of data to insert a new one, by sending a specially crafted Authorization: Basic header containing newline characters (\r\n).

And since the system didn’t apply its filter_sessiondata routine (a security feature that sanitises user input) at the right time, those newlines get written into the session files. This is known as CRLF (Carriage Return Line Feed) injection.

That’s a dangerous situation, because it lets a hacker write their own data into the server’s session records. For example, by adding a line such as hasroot=1, they can convince the system that they are already logged in as the administrator.

Forcing the fake login

Getting the server to actually trust this fake data required one more step, researchers explained. cPanel usually loads sessions from a fast cache (a temporary storage area for quick access) and ignores the raw files.

To get around this, the researchers found they could target specific parts of the software without supplying a security token. This triggers a function called do_token_denied, which forces the server to run the Modify::new and Modify::save commands. That makes the server read the corrupted file and save it into the main cache, and when that happens the hacker has full root access without needing a password.

“According to cPanel, this vulnerability affects – and we cannot stress this enough – all currently supported versions of cPanel & WHM. Not some, or a few, or a specific release track,” researchers noted.

watchTowr’s demo

Update Details

If you manage a server, check your software version immediately. The fix is included in these updates:

  • 110.0.x: 11.110.0.97
  • 118.0.x: 11.118.0.63
  • 126.0.x: 11.126.0.54
  • 132.0.x: 11.132.0.29
  • 134.0.x: 11.134.0.20
  • 136.0.x: 11.136.0.5

The watchTowr team has also released a Detection Artifact Generator on GitHub, available here. Remember, since hackers have been active for weeks, just updating the software might not be enough; you must also check your logs for signs of unauthorised access.
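To illustrate what an audit of the session files for the CRLF injection described above could look for, here is an added example. It is not watchTowr’s Detection Artifact Generator and not cPanel code, and it assumes (an assumption, not taken from the article) that the files under /var/cpanel/sessions/raw/ hold one key=value pair per "\n"-terminated line, that the login name is stored under the key user, and that hasroot=1 marks a root-capable session; the sample files are constructed.

```python
import re

# Heuristic audit of a cPanel-style session file for CRLF-injected entries.
# Assumed format: one key=value pair per "\n"-terminated line (assumption).
PRIVILEGE_KEYS = {"hasroot"}          # hasroot is named in the article
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def audit_session(text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    fields = {}
    seen_at = {}
    root_claimed = False
    for lineno, line in enumerate(text.split("\n"), 1):
        if not line:
            continue
        # A "\r" before the "\n" means the line was not written by a normal
        # "\n"-only serializer: the fingerprint of a \r\n injected via a header.
        if line.endswith("\r"):
            findings.append(f"line {lineno}: CRLF-terminated line {line!r}")
            line = line[:-1]
        key, sep, value = line.partition("=")
        if not sep:
            findings.append(f"line {lineno}: not key=value: {line!r}")
            continue
        if CONTROL.search(key) or CONTROL.search(value):
            findings.append(f"line {lineno}: control characters in {key!r}")
        if key in seen_at:
            findings.append(f"line {lineno}: duplicate key {key!r} "
                            f"(first at line {seen_at[key]})")
        seen_at[key] = lineno
        fields[key] = value
        if key in PRIVILEGE_KEYS and value == "1":
            root_claimed = True
    user = fields.get("user", "")
    if root_claimed and user != "root":
        findings.append(f"privilege flag hasroot=1 for non-root user {user!r}")
    return findings


# Constructed sample files (not real captures).
CLEAN_SESSION = "user=root\nhasroot=1\ncreated=1714262400\n"
INJECTED_SESSION = (
    "user=webadmin\r\n"     # the user-supplied value ended with an injected \r\n
    "hasroot=1\n"           # ... so this line landed in the file as its own entry
    "created=1714262400\n"
)

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_SESSION), ("injected", INJECTED_SESSION)):
        print(name, audit_session(text) or ["no findings"])
```

Run it against copies of the raw session files; any CRLF-terminated line or a root flag on a non-root session is worth a manual look.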

Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.