Overview

A critical authentication bypass vulnerability (CVE-2026-41940) has been identified in cPanel & WHM software, including DNSOnly installations. This vulnerability affects all versions after 11.40 and allows an attacker to bypass authentication without valid credentials, potentially gaining full server access.

cPanel has released patched versions and a detection script. Immediate action is required on all affected servers.


1. Affected Versions

This vulnerability affects all cPanel & WHM versions after 11.40 that have not yet been patched. If your server is running any version between 11.40 and the patched versions listed below, it is vulnerable.


2. Patched Versions

cPanel has released patches for the following versions:

  • 11.86.0.41
  • 11.110.0.97
  • 11.118.0.63
  • 11.124.0.35
  • 11.126.0.54
  • 11.130.0.19
  • 11.132.0.29
  • 11.134.0.20
  • 11.136.0.5

A patch for WP Squared has also been released: 136.1.7

For servers on CentOS 6 or CloudLinux 6 using v110.0.50, version 110.0.103 is available as a direct update. Run the following to set the tier first:

whmapi1 set_tier tier=11.110.0.103

3. Required Actions

Step 1 – Update cPanel immediately

Run the forced update script to upgrade to the latest patched version:

/scripts/upcp --force

Step 2 – Verify the build version and restart cpsrvd

After updating, confirm the installed version and perform a hard restart of the cPanel service:

/usr/local/cpanel/cpanel -V
/scripts/restartsrv_cpsrvd --hard

Step 3 – Servers with disabled or pinned updates

If cPanel updates have been disabled or pinned to a specific version, the server will not auto-update. These servers must be updated manually as a priority.

If running CentOS 7 or CloudLinux 7, set the version tier to 11.110:

whmapi1 set_tier tier=11.110

Step 4 – If you cannot update immediately (Mitigations)

If an immediate update is not possible, apply one of the following mitigations:

  • Option A: Block inbound traffic on ports 2083, 2087, 2095, and 2096 at the firewall.
  • Option B: Stop cpsrvd and cpdavd services entirely:
    whmapi1 configureservice service=cpsrvd enabled=0 monitored=0 && \
    whmapi1 configureservice service=cpdavd enabled=0 monitored=0 && \
    /scripts/restartsrv_cpsrvd --stop && \
    /scripts/restartsrv_cpdavd --stop

Warning: If your server is not running a supported version eligible for this update, it is highly recommended to update as soon as possible, as it may also be affected.


4. Is Your Server Already Compromised? Run the Detection Script

cPanel provides an Indicator of Compromise (IOC) detection script that scans cPanel session files for signs of exploitation. This script is a read-only scanner by default — it does not clean or modify anything unless you specifically run it with the --purge flag.

What the script checks for:

  • Injected authentication tokens in session files
  • Malformed session data (newline injection footprints)
  • Suspicious login origins (e.g. badpass combined with auth markers)
  • Sessions with tfa_verified=1 from illegitimate origins
  • Pre-auth sessions that also carry authentication success timestamps

Step 1 – Save the detection script

Copy the full script from the official cPanel advisory and save it to your server as:

ioc_checksessions_files.sh

Step 2 – Run a read-only scan first

This is safe — it only reads and reports, no files are deleted:

/bin/bash ./ioc_checksessions_files.sh

For more detail on each finding, use verbose mode:

/bin/bash ./ioc_checksessions_files.sh --verbose

Step 3 – Understand the output

The script will produce a summary like this:

=================================================================
 SCAN SUMMARY
=================================================================
 CRITICAL findings: 1
 WARNING  findings: 0
 ATTEMPT  findings: 1
 INFO     findings: 0
 Total  : 2
-----------------------------------------------------------------
=================================================================
 SESSION: /var/cpanel/sessions/raw/:TMnjH0tBK6jP2V3I
=================================================================
 Findings:
 [CRITICAL] Exploitation artifact - token_denied with injected cp_security_token (badpass origin, token used)

[!] INDICATORS OF COMPROMISE DETECTED - IMMEDIATE ACTION REQUIRED
 1. Purge all affected sessions
 2. Force password reset for root and all WHM users
 3. Audit /var/log/wtmp and WHM access logs for unauthorized access
 4. Check for persistence mechanisms (cron, SSH keys, backdoors)

Understanding severity levels:

  • CRITICAL – Active exploitation confirmed. Immediate action required.
  • WARNING – Suspicious session with anomalous origin. Investigate further.
  • ATTEMPT – Failed exploit attempt detected. Server was probed but not confirmed compromised.
  • INFO – Possible injected session but no usage observed. Monitor closely.

What does ATTEMPT mean?

If you see only [ATTEMPT] findings such as:

[ATTEMPT] Failed exploit attempt (badpass origin, token_denied, no auth markers, anomalous pass= line): /var/cpanel/sessions/raw/:c_srR6KrlbnVYRWH

An ATTEMPT finding means the exploit was attempted but did not succeed: no authentication markers were found in the session. You should still update cPanel immediately and purge the flagged sessions.


5. Purging Compromised Sessions

Once you have reviewed the scan output and are ready to remove the flagged session files, run the script with the --purge --yes flags:

/bin/bash ./ioc_checksessions_files.sh --purge --yes

What --purge does:

  • Deletes flagged session files from /var/cpanel/sessions/raw/
  • Deletes corresponding preauth marker files

What --purge does NOT do:

  • Does not remove malware, backdoors, or cron jobs
  • Does not patch the vulnerability
  • Does not clean viruses or fix root compromise

Side effect: Running --purge will log out all users whose sessions are deleted, including active WHM/cPanel users.


6. Script Exit Codes (for Monitoring / Cron)

  • Exit 0 – Clean scan, no indicators found
  • Exit 1 – Only ATTEMPT or INFO findings (probing detected, no confirmed compromise)
  • Exit 2 – CRITICAL or WARNING findings detected (compromise indicators present)
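The following cron wrapper is an added example and is not part of the cPanel advisory or its script. It runs the detection script read-only, parses the SCAN SUMMARY counts from Section 4 and maps the exit codes above to a verdict a monitoring system can alert on; the SCRIPT and LOGFILE paths and the verdict names are assumptions of this example.

```bash
#!/bin/bash
# Added example, not part of the cPanel advisory: a cron wrapper that runs the
# IOC script read-only, logs the summary counts and maps the documented exit
# codes (0/1/2) to a verdict a monitoring system can alert on.
# SCRIPT and LOGFILE are placeholder paths; adjust them for your server.
SCRIPT="${SCRIPT:-/root/ioc_checksessions_files.sh}"
LOGFILE="${LOGFILE:-/var/log/cpanel_ioc_scan.log}"

# Map the script's exit code to a one-word verdict (from Section 6).
verdict_for_exit() {
  case "$1" in
    0) echo "CLEAN" ;;        # no indicators found
    1) echo "PROBED" ;;       # only ATTEMPT / INFO findings
    2) echo "COMPROMISED" ;;  # CRITICAL or WARNING findings
    *) echo "ERROR" ;;        # script missing, unreadable, or crashed
  esac
}

# Read scan output on stdin and print the count for one severity label,
# e.g. the "1" in " CRITICAL findings: 1". Prints 0 if the line is absent.
count_findings() {
  awk -v sev="$1" '$1 == sev && $2 == "findings:" { print $3; found = 1 }
                   END { if (!found) print 0 }'
}

# Build a single log line from the scan output and the exit code.
summarize() {
  local out="$1" rc="$2"
  printf '%s verdict=%s critical=%s warning=%s attempt=%s info=%s rc=%s\n' \
    "$(date -u +%FT%TZ)" "$(verdict_for_exit "$rc")" \
    "$(printf '%s\n' "$out" | count_findings CRITICAL)" \
    "$(printf '%s\n' "$out" | count_findings WARNING)" \
    "$(printf '%s\n' "$out" | count_findings ATTEMPT)" \
    "$(printf '%s\n' "$out" | count_findings INFO)" "$rc"
}

# Run the read-only scan (never --purge from cron: review findings first),
# append the summary to LOGFILE and exit with the script's own code so the
# cron mailer or monitoring agent sees non-zero on PROBED/COMPROMISED.
run_scan() {
  local out rc
  out=$(/bin/bash "$SCRIPT" 2>&1); rc=$?
  summarize "$out" "$rc" | tee -a "$LOGFILE"
  return "$rc"
}

if [ -r "$SCRIPT" ]; then run_scan; fi
```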

7. If the Server is Confirmed Root-Compromised

If the scan returns CRITICAL findings indicating successful exploitation, the server should be treated as fully compromised. Recommended steps:

  1. Migrate all cPanel accounts to a known-clean server immediately.
  2. Audit /var/log/wtmp and WHM access logs for unauthorized access.
  3. Check for persistence mechanisms: cron jobs, rogue SSH keys, web shells, and backdoors.
  4. Force a password reset for root and all WHM users.
  5. Consider a full OS reinstall and restore accounts from a clean backup.

8. How to Check Your Current cPanel Version

To confirm what version is running on your server:

/usr/local/cpanel/cpanel -V

Example output confirming a patched build:

134.0 (build 20)

Check the patched versions list in Section 2 to confirm your build is protected.
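As an added example (not part of the cPanel advisory), the function below parses the "134.0 (build 20)" output format shown above and compares the build against the patched builds from Section 2. It assumes that a higher build number on the same release branch includes the fix, and that branches absent from the Section 2 list need the update described in the Section 3 warning.

```bash
#!/bin/bash
# Added example, not part of the cPanel advisory: parse the output of
# "/usr/local/cpanel/cpanel -V" (e.g. "134.0 (build 20)") and compare it
# with the patched builds listed in Section 2. Assumes a higher build on the
# same branch includes the fix (cPanel builds are cumulative).

# Minimum patched build per branch, copied from Section 2 (major.minor:build).
PATCHED_BUILDS="86.0:41 110.0:97 118.0:63 124.0:35 126.0:54 130.0:19 132.0:29 134.0:20 136.0:5"

# Print the minimum patched build for a branch; fail if the branch is not
# one of the patched release lines.
min_patched_build() {
  local entry
  for entry in $PATCHED_BUILDS; do
    [ "${entry%%:*}" = "$1" ] && { echo "${entry##*:}"; return 0; }
  done
  return 1
}

# Classify a "cpanel -V" string as PATCHED, VULNERABLE, UNLISTED (branch not
# in the patched list; update per the Section 3 warning) or UNPARSEABLE.
classify_version() {
  local branch build need
  case "$1" in
    [0-9]*.[0-9]*" (build "[0-9]*")") ;;   # accepted format
    *) echo "UNPARSEABLE"; return 0 ;;
  esac
  branch="${1%% *}"                          # "134.0"
  build="${1##*build }"; build="${build%)}"  # "20"
  if ! need=$(min_patched_build "$branch"); then
    echo "UNLISTED"; return 0
  fi
  if [ "$build" -ge "$need" ]; then echo "PATCHED"; else echo "VULNERABLE"; fi
}

# Check the live server only when the cPanel binary is present.
if [ -x /usr/local/cpanel/cpanel ]; then
  classify_version "$(/usr/local/cpanel/cpanel -V)"
fi
```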


9. Summary Checklist

  • [ ] Run /scripts/upcp --force to update cPanel
  • [ ] Verify version with /usr/local/cpanel/cpanel -V
  • [ ] Restart cpsrvd with /scripts/restartsrv_cpsrvd --hard
  • [ ] Download and run ioc_checksessions_files.sh (read-only scan)
  • [ ] Review all CRITICAL and WARNING findings
  • [ ] Run with --purge --yes to remove compromised sessions if found
  • [ ] If CRITICAL: audit server for persistence, reset passwords, consider migration
  • [ ] If on CentOS 6/CL6: set tier to 11.110.0.103 before updating
  • [ ] If on CentOS 7/CL7 pinned: set tier to 11.110 before updating

Reference: cPanel Official Advisory – CVE-2026-41940
