cPanel and WHM are vulnerable to a critical authentication bypass (CVE-2026-41940) that allows unauthenticated attackers to gain root-level access. The flaw stems from a CRLF injection vulnerability in session file handling, enabling attackers to forge session attributes and bypass password validation mechanisms by manipulating the whostmgrsession cookie and Basic Authentication headers.