CVE-2026-41940

CVE-2026-41940 is an authentication bypass vulnerability (CWE-306) affecting cPanel and WHM versions after 11.40, specifically in the login flow. Published on 2026-04-29, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high impacts on confidentiality, integrity, and availability. The flaw enables unauthenticated remote attackers to circumvent authentication and gain unauthorized access to the control panel.

Unauthenticated attackers with network access can exploit this vulnerability remotely, requiring low complexity and no privileges or user interaction. Exploitation allows attackers to bypass login mechanisms, obtaining full unauthorized access to the cPanel and WHM control panels, which manage web hosting environments and could lead to server compromise.

Advisories detail mitigations through security updates and patches. Relevant sources include the cPanel & WHM Security Update at https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026, cPanel release notes at https://docs.cpanel.net/release-notes/release-notes, WP Squared changelog at https://docs.wpsquared.com/changelogs/versions/changelog/#13617, Namecheap status update at https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026, and VulnCheck advisory at https://www.vulncheck.com/advisories/cpanel-and-whm-authentication-bypass-via-login-flow. Security practitioners should apply vendor-recommended updates promptly.