CVE-2026-41940
Published: 29 April 2026
Summary
CVE-2026-41940 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Cpanel Cpanel. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely identification, reporting, and correction of software flaws such as this authentication bypass vulnerability in the cPanel/WHM login flow through application of vendor security patches.
Mandates unique identification and authentication of users before granting access to the system, comprehensively addressing authentication bypass risks in control panel login flows.
Enforces approved authorizations for logical access to information and system resources, preventing unauthorized control panel access enabled by the login flow bypass.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2026-41940 is an authentication bypass in the cPanel/WHM web login flow, a public-facing application, enabling unauthenticated remote exploitation for unauthorized access.
NVD Description
cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Deeper analysisAI
CVE-2026-41940 is an authentication bypass vulnerability (CWE-306) affecting cPanel and WHM versions after 11.40, specifically in the login flow. Published on 2026-04-29, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high impacts on confidentiality, integrity, and availability. The flaw enables unauthenticated remote attackers to circumvent authentication and gain unauthorized access to the control panel.
Unauthenticated attackers with network access can exploit this vulnerability remotely, requiring low complexity and no privileges or user interaction. Exploitation allows attackers to bypass login mechanisms, obtaining full unauthorized access to the cPanel and WHM control panels, which manage web hosting environments and could lead to server compromise.
Advisories detail mitigations through security updates and patches. Relevant sources include the cPanel & WHM Security Update at https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026, cPanel release notes at https://docs.cpanel.net/release-notes/release-notes, WP Squared changelog at https://docs.wpsquared.com/changelogs/versions/changelog/#13617, Namecheap status update at https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026, and VulnCheck advisory at https://www.vulncheck.com/advisories/cpanel-and-whm-authentication-bypass-via-login-flow. Security practitioners should apply vendor-recommended updates promptly.
Details
- CWE(s)
- KEV Date Added
- 30 April 2026