Description
cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Published: 2026-04-29
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authentication bypass flaw in the cPanel and WHM login flow lets an unauthenticated remote attacker obtain a privileged session on the management console without valid credentials. The weakness is classed as CWE-306 (Missing Authentication for Critical Function): a step of the login flow that should gate access does not require authentication. Because WHM administers every hosted account on the server, the confidentiality, integrity and availability of all hosted services are at stake, which is why both CVSS vectors on this page rate C/I/A impact as High.

Affected Systems

The affected product is cPanel & WHM from cPanel, L.L.C.; the CPE records on this page also list the WP Squared product. The original description names a fixed build for each supported branch: installations earlier than 11.110.0.97 (branch 110), 11.118.0.63 (118), 11.126.0.54 (126), 11.132.0.29 (132), 11.134.0.20 (134) or 11.136.0.5 (136) are vulnerable, and only an update to at least the fixed build for the branch actually installed removes the flaw. The description was later broadened to "versions after 11.40" (see History), so branches without a listed threshold should not be assumed safe.
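
The per-branch thresholds above are easy to misapply by hand (a build from a newer branch is not automatically newer than every fixed build). The script below, added here and not part of this page or of cPanel's own tooling, classifies a four-part cPanel version string against them. It assumes the MAJOR.BRANCH.MINOR.BUILD form, uses /usr/local/cpanel/version as the conventional location of the installed version, and reports branches the page gives no threshold for as unlisted rather than guessing.

```python
"""Classify an installed cPanel & WHM version against the per-branch fixed
builds named in the original CVE-2026-41940 description.

Added example; not cPanel's own tooling. Assumptions: the version string has
the four-part form MAJOR.BRANCH.MINOR.BUILD (as in /usr/local/cpanel/version),
and the table below is transcribed from the page's description text."""
import re
from typing import Tuple

# First fixed build on each branch the description names (transcribed from the page).
FIXED_BUILDS = {
    110: (11, 110, 0, 97),
    118: (11, 118, 0, 63),
    126: (11, 126, 0, 54),
    132: (11, 132, 0, 29),
    134: (11, 134, 0, 20),
    136: (11, 136, 0, 5),
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '11.126.0.40' into (11, 126, 0, 40); reject anything else."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised cPanel version string: {text!r}")
    major, branch, minor, build = (int(p) for p in m.groups())
    return major, branch, minor, build


def assess(text: str) -> str:
    """Return 'vulnerable', 'patched' or 'unlisted-branch' for one version string.

    Tuple comparison is correct because every component is numeric:
    (11, 126, 0, 40) < (11, 126, 0, 54).  A branch with no entry in the table
    (older end-of-life branches, or anything newer than 11.136) cannot be
    judged from this page alone, so it is reported separately, not guessed.
    """
    v = parse_version(text)
    fixed = FIXED_BUILDS.get(v[1]) if v[0] == 11 else None
    if fixed is None:
        return "unlisted-branch"
    return "patched" if v >= fixed else "vulnerable"


def assess_file(path: str = "/usr/local/cpanel/version") -> str:
    """Assess the version recorded on a live host (path is the conventional
    location of the cPanel version file; adjust if the install differs)."""
    with open(path, encoding="utf-8") as fh:
        return assess(fh.read())


if __name__ == "__main__":
    # Constructed sample inputs, not versions observed on any real host.
    for sample in ("11.126.0.40", "11.126.0.54", "11.136.1.3", "11.124.0.10"):
        print(f"{sample:12s} -> {assess(sample)}")
```

Run it on the server with `python3 check_cpanel_version.py` or call `assess_file()` from inventory tooling; an "unlisted-branch" result means the page gives no threshold for that branch and the vendor's release notes have to be consulted.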

Risk and Exploitability

The flaw scores 9.8 under CVSS 3.1 and 9.3 under CVSS 4.0 (AV:N/AC:L/AT:N/PR:N/UI:N with High confidentiality, integrity and availability impact): it is reachable over the network, needs no privileges or user interaction, and has no attack-complexity or attack-requirement hurdles. EPSS data is not yet available and the CVE is not in KEV, but that reflects the age of the record rather than the risk: the SSVC entry on this page was already updated from Exploitation "none" to "poc" and marks the attack as automatable with total technical impact. The description implies the bypass is triggered through the ordinary HTTP/HTTPS login flow, so any cPanel or WHM login interface exposed to the internet should be treated as at high likelihood of exploitation until it is updated.

Generated by OpenCVE AI on April 29, 2026 at 21:21 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The fixed builds named in the original description (11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20 and 11.136.0.5) are the patch thresholds for their respective branches.

OpenCVE Recommended Actions

  • Update cPanel & WHM to at least the fixed build for the branch that is installed: 11.110.0.97 (110), 11.118.0.63 (118), 11.126.0.54 (126), 11.132.0.29 (132), 11.134.0.20 (134) or 11.136.0.5 (136). A newer branch number alone is not proof of a fix; compare the full version against its own branch threshold. Branches not in this list have no threshold on this page, so confirm their status with the vendor.
  • Restart the cPanel/WHM service daemon (cpsrvd) after the update so that the patched login logic is the code actually serving requests.
  • Verify after deployment that a login attempt with invalid credentials is rejected and receives neither a session token nor a session cookie, and that valid logins still receive them.
  • Until the update is applied, limit network access to the cPanel and WHM login interfaces to trusted addresses; the attack requires nothing beyond network reachability.
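
The verification step above can be scripted. The following check, added here and not part of this page or of cPanel's own tooling, posts a deliberately wrong password and inspects the first response for the markers of an issued session. The markers it looks for (a POST of `user` and `pass` to `/login/`, a redirect whose Location carries a `/cpsessNNNN/` security token, or a Set-Cookie for `cpsession` on cPanel or `whostmgrsession` on WHM) are assumptions about the product, not facts taken from the page, and should be confirmed once against a known-good login on the local install before the check is trusted.

```python
"""Post-update check that the cPanel/WHM login flow still rejects bad credentials.

Added example; not part of this page or of cPanel's own tooling.  Assumptions
(about the product, not taken from the page; confirm against the local
install): the interactive login is a POST of 'user' and 'pass' to /login/, and
a successful login answers with a redirect whose Location carries a
/cpsessNNNN/ security token and/or a Set-Cookie for 'cpsession' (cPanel) or
'whostmgrsession' (WHM).  The probe deliberately sends a wrong password."""
import re
import ssl
import urllib.error
import urllib.parse
import urllib.request
from typing import Iterable, List, Tuple

_SESSION_TOKEN_RE = re.compile(r"/cpsess\d+/")
_SESSION_COOKIES = {"cpsession", "whostmgrsession"}


def session_granted(headers: Iterable[Tuple[str, str]]) -> bool:
    """True if the response headers carry either marker of an issued session.

    The status code alone is not enough: a redirect back to /login/ after a
    failed attempt is also a 3xx, so the decision rests on the Location path
    and on the cookie names rather than on the status."""
    for name, value in headers:
        lname = name.lower()
        if lname == "location" and _SESSION_TOKEN_RE.search(value):
            return True
        if lname == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip().lower()
            if cookie_name in _SESSION_COOKIES:
                return True
    return False


def probe_login(base_url: str, user: str, wrong_password: str,
                insecure: bool = False, timeout: float = 10.0
                ) -> Tuple[int, List[Tuple[str, str]]]:
    """POST an invalid login and return (status, headers) of the first response.

    Redirects are not followed: the first response is the one that shows
    whether a session was issued.  insecure=True skips certificate checks for
    hosts still running a self-signed certificate."""
    class _NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # urllib then surfaces the 3xx as an HTTPError

    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(_NoRedirect,
                                         urllib.request.HTTPSHandler(context=ctx))
    body = urllib.parse.urlencode({"user": user, "pass": wrong_password}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/login/",
                                 data=body, method="POST")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, list(resp.getheaders())
    except urllib.error.HTTPError as err:  # 3xx, 4xx and 5xx all land here
        return err.code, list(err.headers.items())


def login_requires_credentials(base_url: str, user: str = "root",
                               insecure: bool = False) -> bool:
    """True if a wrong password yields no session; False means investigate."""
    _status, headers = probe_login(base_url, user,
                                   "definitely-not-the-real-password", insecure)
    return not session_granted(headers)


if __name__ == "__main__":
    import sys
    # Usage: python3 check_login.py https://host.example:2087  (hypothetical host)
    ok = login_requires_credentials(sys.argv[1], insecure="--insecure" in sys.argv)
    print("login still requires credentials" if ok else "SESSION ISSUED WITHOUT VALID CREDENTIALS")
    sys.exit(0 if ok else 1)
```

Run it once against a known-bad password and once, by hand, with a valid login to confirm that `session_granted` recognises the real success markers on your version; a check that can never return True is not a check.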


Advisories

No advisories yet.

History

Thu, 30 Apr 2026 01:15:00 +0000

Type: Description
Values Removed:
  cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Values Added:
  cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

Wed, 29 Apr 2026 22:15:00 +0000

Type: First Time appeared
Values Added:
  Cpanel
  Cpanel cpanel
  Cpanel whm
  Cpanel wp Squared

Type: CPEs
Values Added:
  cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*
  cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:*
  cpe:2.3:a:cpanel:wp_squared:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added:
  Cpanel
  Cpanel cpanel
  Cpanel whm
  Cpanel wp Squared

Wed, 29 Apr 2026 18:15:00 +0000

Type: References

Type: Metrics (ssvc)
Values Removed:
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added:
  {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 29 Apr 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values Added:
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 29 Apr 2026 15:30:00 +0000

Type: Description
Values Added:
  cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

Type: Title
Values Added:
  cPanel and WHM Authentication Bypass via Login Flow

Type: Weaknesses
Values Added:
  CWE-306

Type: References

Type: Metrics (cvssV3_1)
Values Added:
  {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Type: Metrics (cvssV4_0)
Values Added:
  {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-30T03:56:04.992Z

Reserved: 2026-04-22T18:50:43.621Z

Link: CVE-2026-41940

Vulnrichment

Updated: 2026-04-29T15:34:02.425Z

NVD

Status: Received

Published: 2026-04-29T16:16:25.037

Modified: 2026-04-30T01:16:02.837

Link: CVE-2026-41940

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T08:21:02Z

Weaknesses