Description
cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Published: 2026-04-29
Score: 9.3 Critical
EPSS: 91.2% High
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

An authentication bypass flaw in the cPanel and WHM login flow allows an unauthenticated remote attacker to gain control of the management console. The vulnerability exploits improper authentication checks (CWE-306), enabling attackers to obtain privileged access without valid credentials, thereby threatening the confidentiality, integrity, and availability of the hosted services.

Affected Systems

The flaw applies to cPanel and WHM versions after 11.40. The CNA list also includes WP Squared, but the CVE narrative does not specify affected WP Squared releases, so administrators should consider all recent WP Squared versions potentially vulnerable. Because the version information is explicitly stated for cPanel and WHM, users should verify that they are running 11.40 or newer to assess risk.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity. The EPSS score of 91% indicates an extremely high likelihood of exploitation, and the vulnerability is listed in the CISA KEV catalog, confirming that it has been actively exploited. The likely attack vector is the login flow (inferred), allowing an unauthenticated attacker to acquire an authenticated session without valid credentials. The KEV listing underscores the urgency, as vulnerable hosts remain at risk.

Generated by OpenCVE AI on May 27, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update cPanel, WHM, and WP Squared to the latest patched release.
  • Restart affected web services to load the new authentication logic.
  • Restrict WHM access to trusted IP ranges or a VPN to reduce exposure.

Generated by OpenCVE AI on May 27, 2026 at 14:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 17:30:00 +0000

Type Values Removed Values Added
References

Thu, 30 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:cpanel:wp_squared:*:*:*:*:*:wordpress:*:*

Thu, 30 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Title cPanel and WHM Authentication Bypass via Login Flow WebPros cPanel and WHM Authentication Bypass via Login Flow

Thu, 30 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 30 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-04-30T00:00:00+00:00', 'dueDate': '2026-05-03T00:00:00+00:00'}

Thu, 30 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Description cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel. cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

Wed, 29 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Cpanel
Cpanel cpanel
Cpanel whm
Cpanel wp Squared
CPEs cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*
cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:*
cpe:2.3:a:cpanel:wp_squared:*:*:*:*:*:*:*:*
Vendors & Products Cpanel
Cpanel cpanel
Cpanel whm
Cpanel wp Squared

Wed, 29 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Description cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Title cPanel and WHM Authentication Bypass via Login Flow
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Cpanel Cpanel Whm Wp Squared
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-06T15:48:18.270Z

Reserved: 2026-04-22T18:50:43.621Z

Link: CVE-2026-41940

cve-icon Vulnrichment

Updated: 2026-05-04T16:13:16.841Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-29T16:16:25.037

Modified: 2026-05-04T18:09:42.300

Link: CVE-2026-41940

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T14:45:35Z

Weaknesses