Cyber Resilience

CVE-2026-41940

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 29 April 2026
Modified: 04 May 2026
KEV Added: 30 April 2026
Patch: vendor security update available (cPanel update of 28 April 2026; see Deeper analysis)
CVSS v4.0: 9.3 (Critical); base vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (all threat, environmental and supplemental metrics not defined)
EPSS: 0.9810 (99.9th percentile)
Risk Priority: 100 (floored blend; peak EPSS)

Summary

CVE-2026-41940 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in cPanel & WHM (vendor: cPanel). Its CVSS v4.0 base score is 9.3 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks in the top 0.1% of CVEs by EPSS exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.

The strongest mitigations this analysis identified are NIST SP 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

cPanel & WHM versions from 11.40 onward, up to the affected ranges listed under Affected Assets, contain an authentication bypass in the login flow, tracked as CVE-2026-41940 and classified as CWE-306 (Missing Authentication for Critical Function). The flaw sits in the control panel's authentication mechanism and carries a CVSS v4.0 score of 9.3, reflecting network-accessible exploitation with no credentials or user interaction required and full impact on confidentiality, integrity and availability.

Unauthenticated remote attackers can exploit the weakness to obtain unauthorized access to the cPanel or WHM interface, bypassing the normal login controls and potentially taking over hosting accounts or server management functions.

Official advisories from cPanel, including the 28 April 2026 security update and the associated release notes and changelogs, direct administrators to apply the latest patched versions. Third-party notices from providers such as Namecheap and VulnCheck reinforce the need for immediate updates to close the login-flow bypass.

The EPSS score cited in this analysis is 0.9121, equal to its peak at the time the analysis was written, indicating sustained high exploitation probability since disclosure. The score panel at the top of this page reports 0.9810 (99.9th percentile); EPSS is recomputed daily, so the two figures come from different snapshots.

Vulnerability details

cPanel & WHM versions from 11.40 onward (see Affected Assets for the exact ranges) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

CWE(s): CWE-306 Missing Authentication for Critical Function

Related Threats

Threat-Actor Attribution (AI-generated)

Sorry ransomware: mass-exploited in Sorry ransomware attacks (BleepingComputer; ransomware use noted in the CISA KEV entry).

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique?

CVE-2026-41940 is an authentication bypass in the cPanel/WHM web login flow, a public-facing application, enabling unauthenticated remote exploitation for unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-61757 (shared CWE-306; both on KEV)
CVE-2026-24423 (shared CWE-306; both on KEV)
CVE-2026-39987 (shared CWE-306; both on KEV)
CVE-2025-0108 (shared CWE-306; both on KEV)
CVE-2025-66429 (same product: cPanel)
CVE-2026-4810 (shared CWE-306)
CVE-2025-53847 (shared CWE-306)
CVE-2025-68715 (shared CWE-306)
CVE-2026-21992 (shared CWE-306)
CVE-2025-26362 (shared CWE-306)

Affected Assets

Vendor   Product      Affected versions (inclusive)
cpanel   cpanel       11.40 to 86.0.41; 88.0.0 to 110.0.97; 112.0.0 to 118.0.63
cpanel   whm          11.40 to 86.0.41; 88.0.0 to 110.0.97; 112.0.0 to 118.0.63
cpanel   wp squared   up to and including 136.1.7
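To turn the ranges above into something an inventory script can act on, here is an added example (written for this page, not cPanel's own tooling) that normalises the version string a host reports and tests it against the listed ranges. The ranges are transcribed from the Affected Assets list; the handling of the four-part "11.NNN.M.K" form written to /usr/local/cpanel/version is an assumption about that file's format, and a version outside every listed range (for example an odd-numbered development build) is reported as "not listed", which is not the same as fixed.

```python
"""Check whether a reported cPanel & WHM (or WP Squared) version falls inside
the affected ranges listed on this page for CVE-2026-41940.

Example written for this page; not cPanel's own tooling. Ranges are transcribed
from the Affected Assets list (inclusive bounds). A version outside every listed
range is reported as not listed, which is not the same as fixed.
"""
from __future__ import annotations

from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Transcribed from the Affected Assets list (inclusive lower and upper bounds).
_CPANEL_RANGES: List[Tuple[Version, Version]] = [
    ((40, 0, 0), (86, 0, 41)),
    ((88, 0, 0), (110, 0, 97)),
    ((112, 0, 0), (118, 0, 63)),
]
AFFECTED_RANGES: Dict[str, List[Tuple[Version, Version]]] = {
    "cpanel": _CPANEL_RANGES,
    "whm": _CPANEL_RANGES,
    "wp squared": [((0, 0, 0), (136, 1, 7))],   # listed as "<= 136.1.7"
}


def parse_version(text: str) -> Version:
    """Normalise a version string to (major, minor, build).

    Accepts the three-part form used in advisories ("118.0.63"), the legacy
    "11.40" form, and the four-part "11.NNN.M.K" form that cPanel writes to
    /usr/local/cpanel/version on many hosts (assumption: the leading 11 is a
    constant prefix there and is dropped).
    """
    parts = [int(p) for p in text.strip().split(".")]
    if parts[0] == 11 and len(parts) in (2, 4):
        parts = parts[1:]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def is_affected(product: str, version: str) -> bool:
    """True when the version lies inside any listed affected range for the product."""
    v = parse_version(version)
    ranges = AFFECTED_RANGES.get(product.lower())
    if ranges is None:
        raise KeyError(f"no affected ranges recorded for product {product!r}")
    return any(lo <= v <= hi for lo, hi in ranges)


def assess(product: str, version: str) -> str:
    """One-line verdict suitable for an inventory report."""
    v = parse_version(version)
    verdict = "AFFECTED" if is_affected(product, version) else "not in a listed affected range"
    return f"{product} {'.'.join(map(str, v))}: {verdict}"


if __name__ == "__main__":
    # Constructed sample inventory: (host, product, version as reported by the host).
    for host, product, ver in [
        ("web01", "whm", "11.110.0.97"),
        ("web02", "cpanel", "118.0.64"),
        ("web03", "cpanel", "11.40"),
        ("wp01", "wp squared", "136.1.7"),
    ]:
        print(host, assess(product, ver))
```

Feed it the output of `cat /usr/local/cpanel/version` from each host, or the version WHM displays; an "AFFECTED" verdict means update now, and a "not listed" verdict should still be checked against the vendor's changelog before the host is treated as patched.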

Mitigating Controls

Mitigating Controls (NIST SP 800-53 r5; AI-generated mapping)

AC-3 Access Enforcement (prevent): Directly enforces authentication requirements in the login flow to block the described bypass of access controls.

IA-2 Identification and Authentication (Organizational Users) (prevent): Mandates identification and authentication of users prior to granting access to the cPanel/WHM interface, directly closing the unauthenticated entry point.

Vendor patching (prevent): Requires prompt application of vendor patches that remediate the authentication flaw in versions from 11.40 onward.
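The two NIST controls above describe one engineering pattern: identify the caller first, then deny by default, rather than remembering to add a check to each handler. The added example below (generic code written for this page, not cPanel/WHM source, and not a reproduction of the CVE-2026-41940 bypass, whose mechanism the advisory does not describe) shows the CWE-306 shape in a small control-panel style dispatcher, where a critical function is reachable without a session because its per-route check was never written, beside the hardened dispatcher that applies IA-2 and AC-3 centrally. The routes, credential store and session handling are constructed assumptions.

```python
"""CWE-306 in a control-panel style dispatcher, and the deny-by-default fix.

Generic illustration written for this page. It is not cPanel/WHM code and does
not model the CVE-2026-41940 bypass; routes, users and sessions are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

_SALT = b"constructed-salt"  # constructed; a real store uses a per-user random salt


def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()


# Constructed credential store: username -> (salt, digest).
USERS = {"root": (_SALT, _hash(_SALT, "correct horse battery staple"))}


def verify_password(user: str, password: str) -> bool:
    """Constant-time credential check (IA-2: identify the user before anything else)."""
    rec = USERS.get(user)
    if rec is None:
        _hash(_SALT, password)  # spend the same work for unknown users
        return False
    salt, digest = rec
    return hmac.compare_digest(_hash(salt, password), digest)


@dataclass
class Request:
    path: str
    params: Dict[str, str] = field(default_factory=dict)
    session: Optional[str] = None  # session token presented by the client, if any


@dataclass
class Response:
    status: int
    body: str


class Panel:
    """hardened=False: scattered per-route checks, one critical route missing its check (CWE-306).
    hardened=True: central deny-by-default enforcement before dispatch (AC-3 over IA-2)."""

    PUBLIC = {"/login", "/static/logo.png"}  # explicit allow-list of unauthenticated routes

    def __init__(self, hardened: bool) -> None:
        self.hardened = hardened
        self.sessions: Dict[str, str] = {}    # token -> authenticated user
        self.passwords: Dict[str, str] = {}   # constructed state changed by the critical function

    def login(self, req: Request) -> Response:
        if not verify_password(req.params.get("user", ""), req.params.get("pass", "")):
            return Response(401, "bad credentials")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = req.params["user"]
        return Response(200, token)

    def reset_account_password(self, req: Request, actor: str) -> Response:
        target = req.params["account"]
        self.passwords[target] = req.params["new"]
        return Response(200, f"password for {target} changed by {actor}")

    def handle(self, req: Request) -> Response:
        user = self.sessions.get(req.session or "")
        # Hardened policy: nothing outside PUBLIC runs for an unidentified caller.
        if self.hardened and req.path not in self.PUBLIC and user is None:
            return Response(401, "authentication required")
        if req.path == "/login":
            return self.login(req)
        if req.path == "/static/logo.png":
            return Response(200, "<png>")
        if req.path == "/whoami":
            if user is None:  # per-route check, the kind that is easy to forget elsewhere
                return Response(401, "authentication required")
            return Response(200, user)
        if req.path == "/admin/reset-password":
            # In the unhardened panel this critical function has no check at all:
            # an anonymous caller reaches it directly (CWE-306).
            return self.reset_account_password(req, user or "anonymous")
        return Response(404, "not found")


if __name__ == "__main__":
    anon = Request("/admin/reset-password", {"account": "alice", "new": "pwned"})
    print("vulnerable:", Panel(hardened=False).handle(anon))
    print("hardened:  ", Panel(hardened=True).handle(anon))
```

The fix is not the extra `if` on one route but the ordering in `handle`: the identity lookup and the deny-by-default decision run before any route is matched, so a new critical route added later is protected without its author remembering anything.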
