CVE-2026-41940
Published: 29 April 2026
Summary
CVE-2026-41940 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in cPanel (cPanel & WHM). Its CVSS base score is 9.3 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow, tracked as CVE-2026-41940 and classified as CWE-306. The flaw affects the control panel's authentication mechanism and carries a CVSS 4.0 score of 9.3, reflecting network-reachable exploitation that requires neither credentials nor user interaction and has full impact on confidentiality, integrity, and availability.
Unauthenticated remote attackers can exploit the weakness to obtain unauthorized access to the cPanel or WHM interface, bypassing normal login controls and potentially taking over hosting accounts or server management functions.
Official advisories from cPanel, including the 28 April 2026 security update and the associated release notes and changelogs, direct administrators to apply the latest patched versions. Third-party notices from providers such as Namecheap and VulnCheck reinforce the need for immediate updates to close the login-flow bypass.
The EPSS score is 0.9121, equal to its peak value, indicating a sustained high probability of exploitation since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26246
Vulnerability details
cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
- CWE(s): CWE-306 (Missing Authentication for Critical Function)
- KEV Date Added: 30 April 2026
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
CVE-2026-41940 is an authentication bypass in the cPanel/WHM web login flow, a public-facing application, enabling unauthenticated remote exploitation for unauthorized access.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces authentication requirements in the login flow to block the described bypass of access controls.
- IA-2 (Identification and Authentication (Organizational Users)): Mandates identification and authentication of users prior to granting access to the cPanel/WHM interface, directly closing the unauthenticated entry point.
- Patch management: Requires prompt application of vendor patches that remediate the authentication flaw in versions after 11.40.