
The Internet Is Falling Down, Falling Down, Falling Down (cPanel & WHM Authentication Bypass CVE-2026-41940)

cPanel and WHM are vulnerable to a critical authentication bypass (CVE-2026-41940) that allows unauthenticated attackers to gain root-level access. The flaw stems from a CRLF injection vulnerability in session file handling, enabling attackers to forge session attributes and bypass password validation mechanisms by manipulating the whostmgrsession cookie and Basic Authentication headers.

Sens: Immediate | Conf: high | Analyzed: 2026-05-05

Authors: Sina Kheirkhah

Source: watchTowr

Detection / Hunter

What Happened

A critical security flaw has been discovered in cPanel and WHM, a popular control panel used to manage millions of websites. The vulnerability lets an attacker bypass the login screen and gain full administrative (root) control of the server without a password. It is being actively exploited in the wild. Anyone running cPanel and WHM needs to update to the patched versions immediately to protect their websites and data.

Key Takeaways

  • CVE-2026-41940 is a critical authentication bypass vulnerability affecting all currently supported versions of cPanel & WHM.
  • The vulnerability is actively being exploited in the wild, with reports indicating exploitation for at least 30 days.
  • Attackers can achieve root-level access by injecting CRLF characters into the session file via Basic Authentication.
  • The exploit chain involves minting a preauth session, injecting malicious session keys, and forcing a session cache rebuild to bypass password validation.
  • Administrators must immediately upgrade to the patched versions (11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, 11.136.0.5).

Affected Systems

  • cPanel & WHM 110.0.x (prior to 11.110.0.97)
  • cPanel & WHM 118.0.x (prior to 11.118.0.63)
  • cPanel & WHM 126.0.x (prior to 11.126.0.54)
  • cPanel & WHM 132.0.x (prior to 11.132.0.29)
  • cPanel & WHM 134.0.x (prior to 11.134.0.20)
  • cPanel & WHM 136.0.x (prior to 11.136.0.5)

Vulnerabilities (CVEs)

  • CVE-2026-41940

Attack Chain

The exploit is a three-step sequence:

  • Mint a session: the attacker sends a failed login to /login/?login_only=1, which creates a pre-authentication session on the server and returns a whostmgrsession cookie.
  • Inject into the session file: the attacker sends an HTTP Basic Authentication request whose base64-decoded credentials contain CRLF characters, presenting the minted session cookie with its obfuscation key removed. Because the key is missing, the server writes the password value unencoded into the raw, line-oriented session file, and the embedded line breaks become new top-level keys such as hasroot=1 and successful_internal_auth_with_timestamp.
  • Force a cache rebuild: the attacker requests a WHM endpoint (for example /scripts2/listaccts) without a valid cp_security_token. The resulting do_token_denied path re-parses the raw session file and regenerates the JSON cache from it, so the injected keys now mark the session as a fully authenticated root session. No password validation occurs at any point in the chain.
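The chain above as an added toy model in Python (this is not cPanel's code and not watchTowr's proof of concept): a line-oriented session store whose writer appends the Basic-Auth password verbatim when no obfuscation key is presented, a parser that rebuilds the cache from the raw file, and a hardened writer that refuses CR/LF before anything is written. The file layout, the preauth=1 marker, the hex "obfuscated" form used when the key is present, and the value given to successful_internal_auth_with_timestamp are assumptions made for the example; only the key names pass, hasroot and successful_internal_auth_with_timestamp come from the advisory.

```python
import base64
import re
import secrets
import tempfile
from pathlib import Path

# Assumed cookie shape, modelled on the advisory's description of the
# whostmgrsession cookie: "<session id>,<32-char hex obfuscation key>".
OBF_KEY_RE = re.compile(r"[0-9a-f]{32}")


class ToySessionStore:
    """Toy stand-in for the raw (line-oriented) / cache (parsed) session split.
    Everything except the pass=, hasroot= and
    successful_internal_auth_with_timestamp= keys is invented for the example."""

    def __init__(self, root: Path, reject_crlf: bool) -> None:
        self.raw = root / "raw"
        self.raw.mkdir(parents=True)
        self.cache = {}                 # session id -> parsed attributes
        self.reject_crlf = reject_crlf  # False: vulnerable writer, True: hardened writer

    @staticmethod
    def _split_cookie(cookie: str):
        sid, _, key = cookie.partition(",")
        return sid, (key if OBF_KEY_RE.fullmatch(key) else None)

    def mint_preauth(self) -> str:
        """Step 1: a failed login creates a pre-auth session and hands back the cookie."""
        sid, key = secrets.token_hex(8), secrets.token_hex(16)
        (self.raw / sid).write_bytes(b"preauth=1\n")
        return f"{sid},{key}"

    def record_basic_auth(self, cookie: str, authorization: str) -> None:
        """Step 2: persist the Basic-Auth password as a pass= line in the raw file."""
        sid, key = self._split_cookie(cookie)
        creds = base64.b64decode(authorization.split(" ", 1)[1]).decode("latin-1")
        _user, _, password = creds.partition(":")
        if self.reject_crlf and re.search(r"[\r\n]", password):
            raise ValueError("control characters in credential")  # hardened path
        if key is not None:
            # Assumed obfuscated form when the key is present: no raw newlines survive.
            password = password.encode("latin-1").hex()
        # Vulnerable path: with no key, the value lands in a newline-delimited
        # file verbatim, so embedded CRLFs end the pass= line and start new keys.
        with open(self.raw / sid, "ab") as fh:
            fh.write(f"pass={password}\n".encode("latin-1"))

    def rebuild_cache(self, cookie: str) -> dict:
        """Step 3: the token-denied path re-parses the raw file line by line."""
        sid, _ = self._split_cookie(cookie)
        attrs = {}
        for line in (self.raw / sid).read_bytes().decode("latin-1").splitlines():
            key, sep, value = line.partition("=")
            if sep:
                attrs[key] = value
        self.cache[sid] = attrs
        return attrs

    def is_root(self, cookie: str) -> bool:
        sid, _ = self._split_cookie(cookie)
        return self.cache.get(sid, {}).get("hasroot") == "1"


def forged_authorization() -> str:
    """Basic header whose password smuggles two extra key=value lines.
    The timestamp value '1' is a placeholder; the real format is not in the advisory."""
    payload = "root:x\r\nhasroot=1\r\nsuccessful_internal_auth_with_timestamp=1\r\n"
    return "Basic " + base64.b64encode(payload.encode("latin-1")).decode()


def run_chain(reject_crlf: bool, strip_key: bool) -> bool:
    """Replay the three steps; returns whether the session ends up as root."""
    with tempfile.TemporaryDirectory() as tmp:
        store = ToySessionStore(Path(tmp), reject_crlf)
        cookie = store.mint_preauth()
        if strip_key:
            cookie = cookie.split(",", 1)[0]  # drop the obfuscation key
        try:
            store.record_basic_auth(cookie, forged_authorization())
        except ValueError:
            return False  # hardened writer refused the credential
        store.rebuild_cache(cookie)
        return store.is_root(cookie)


if __name__ == "__main__":
    print("vulnerable writer, key stripped :", run_chain(False, True))   # root
    print("vulnerable writer, key present  :", run_chain(False, False))  # not root
    print("hardened writer, key stripped   :", run_chain(True, True))    # not root
```

The model makes the two independent defects visible: the writer trusts a client-controlled value in a line-delimited format, and the cache rebuild trusts whatever keys the raw file contains. Rejecting (or encoding) control characters at the write boundary closes the injection; it does not change the fact that the parser treats any key in the file as authoritative.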

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: watchTowr Labs GitHub

The article mentions a Detection Artifact Generator released on the watchTowr Labs GitHub repository to help defenders identify vulnerable hosts, but does not provide specific detection rules in the text.

Detection Engineering Assessment

  • EDR Visibility: Medium. EDR can monitor file writes to the cPanel session directories, but the writes occur in the context of the legitimate cpsrvd process, so behavioural differentiation requires inspecting the file contents.
  • Network Visibility: High. The attack relies on specific, malformed HTTP requests: Basic Authentication headers with embedded CRLF characters and whostmgrsession cookies missing the obfuscation key.
  • Detection Difficulty: Moderate. Detecting the attack requires inspecting the Authorization and Cookie headers for CRLF sequences and missing cookie segments, which standard web server access logs do not record by default.

Required Log Sources

  • Web Application Firewall (WAF) logs
  • cPanel access logs
  • HTTP traffic captures

Hunting Hypotheses

  • Hypothesis: HTTP requests to cPanel/WHM ports (typically 2087) where the whostmgrsession cookie is present but lacks the comma and trailing 32-character hex string.
    • Telemetry: WAF logs or HTTP traffic captures
    • ATT&CK stage: Credential Access
    • FP risk: Low
  • Hypothesis: File modifications in /var/cpanel/sessions/raw/ where the file content contains unexpected newline characters within the pass= parameter.
    • Telemetry: File Integrity Monitoring (FIM) or EDR file write events
    • ATT&CK stage: Defense Evasion
    • FP risk: Low
  • Hypothesis: Sequences where a failed login to /login/?login_only=1 is immediately followed by a request to an administrative endpoint that returns 401 Token Denied, followed by successful access from the same client.
    • Telemetry: Web server access logs
    • ATT&CK stage: Initial Access
    • FP risk: Medium
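The cookie, header and sequence hypotheses above as executable checks, an added example that is not part of the watchTowr article or its Detection Artifact Generator. It runs over constructed request records and access-log lines; the record field names, the log line layout, and the assumption that a failed login to /login/?login_only=1 is logged as a 401 are all made up for the example, so adapt the parsers to your WAF or capture format. The header checks need a source that records Authorization and Cookie (WAF logs or captures), since the page notes that standard access logs do not.

```python
import base64
import re

# Assumed cookie shape: "<session id>,<32-char hex obfuscation key>".
OBF_KEY_TAIL = re.compile(r",[0-9a-f]{32}$")
# Assumed access-log layout for the example: "<client ip> <method> <path> <status>".
ACCESS_LINE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def cookie_missing_obf_key(cookie_header: str) -> bool:
    """Hypothesis 1: whostmgrsession is present but has no ',<32 hex>' tail."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "whostmgrsession":
            return OBF_KEY_TAIL.search(value) is None
    return False


def basic_auth_has_crlf(authorization: str) -> bool:
    """Key indicator: base64-decoded Basic credentials contain CR or LF."""
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return b"\r" in raw or b"\n" in raw


def scan_requests(requests):
    """Run the header checks over records shaped {'src': ip, 'headers': {...}}."""
    flagged = []
    for req in requests:
        headers = req["headers"]
        reasons = []
        if cookie_missing_obf_key(headers.get("Cookie", "")):
            reasons.append("cookie-missing-obf-key")
        if basic_auth_has_crlf(headers.get("Authorization", "")):
            reasons.append("crlf-in-basic-auth")
        if reasons:
            flagged.append((req["src"], reasons))
    return flagged


def find_token_denied_sequences(log_lines):
    """Hypothesis 3: per client, failed /login/?login_only=1 -> 401 on a
    non-login path (token denied) -> 2xx on a non-login path, in that order.
    Treating the failed login as a 401 is an assumption for the example."""
    stage = {}
    hits = []
    for line in log_lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        ip, path, status = m["ip"], m["path"], int(m["status"])
        is_login = path.startswith("/login/")
        current = stage.get(ip, 0)
        if is_login and "login_only=1" in path and status == 401:
            stage[ip] = 1
        elif current == 1 and not is_login and status == 401:
            stage[ip] = 2
        elif current == 2 and not is_login and 200 <= status < 300:
            hits.append(ip)
            stage[ip] = 0
    return hits


def _b64(text: str) -> str:
    return base64.b64encode(text.encode("latin-1")).decode()


# Constructed sample records; the session id "sid-1" and both IPs are made up.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.10", "headers": {
        "Cookie": "whostmgrsession=sid-1,0123456789abcdef0123456789abcdef",
        "Authorization": "Basic " + _b64("root:hunter2")}},
    {"src": "198.51.100.7", "headers": {
        "Cookie": "whostmgrsession=sid-1",
        "Authorization": "Basic " + _b64("root:x\r\nhasroot=1\r\n")}},
]

# Constructed access-log lines in the assumed layout.
SAMPLE_ACCESS_LOG = [
    "198.51.100.7 POST /login/?login_only=1 401",
    "198.51.100.7 GET /scripts2/listaccts 401",
    "198.51.100.7 GET /scripts2/listaccts 200",
    "203.0.113.10 POST /login/?login_only=1 401",
    "203.0.113.10 GET /scripts2/listaccts 200",  # no token-denied step in between
]

if __name__ == "__main__":
    print(scan_requests(SAMPLE_REQUESTS))
    print(find_token_denied_sequences(SAMPLE_ACCESS_LOG))
```

The sequence check is the noisiest of the three (a user who mistypes a password, then hits a stale-token page, then logs in normally produces the same shape), which is why the table rates its false-positive risk higher; correlate a hit with the cookie or Authorization indicators from the same client before escalating.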

Control Gaps

  • Standard web access logs do not capture the contents of the Authorization header or the exact structure of the Cookie header.
  • Lack of input validation on the Basic Authentication password field before writing to disk allowed CRLF injection.

Key Behavioral Indicators

  • whostmgrsession cookie without a comma
  • HTTP Basic Auth headers containing encoded CRLF (%0D%0A or \r\n)
  • Requests triggering do_token_denied immediately after session creation

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Upgrade cPanel & WHM to the latest patched versions (11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, 11.136.0.5) immediately.
  • Restrict access to WHM (port 2087) to trusted IP addresses only via firewall rules.

Infrastructure Hardening

  • Implement a Web Application Firewall (WAF) to inspect and block HTTP requests containing CRLF characters in Authorization headers.
  • Ensure management interfaces are not exposed to the public internet.

User Protection

  • Enforce Multi-Factor Authentication (MFA) for all WHM accounts, though note this specific vulnerability bypasses it if successfully exploited.

Security Awareness

  • Educate administrators on the critical nature of control panel updates and the risks of exposing management interfaces to the internet.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1556 - Modify Authentication Process
  • T1078.001 - Valid Accounts: Default Accounts

Additional IOCs

  • Urls:
    • /login/?login_only=1 - Endpoint used to mint a pre-authentication session required for the exploit chain.
    • /scripts2/listaccts - Example endpoint requested without a valid cp_security_token to trigger do_token_denied and force a session cache rebuild.
  • File Paths:
    • /var/cpanel/sessions/raw/ - Directory where raw, line-oriented session files are stored and targeted for CRLF injection.
    • /var/cpanel/sessions/cache/ - Directory where JSON-serialized session caches are stored, which the attacker forces to rebuild with injected keys.