cPanel Security Alert 2026: Critical Zero-Day Vulnerability

CVE-2026-41940 is a critical authentication bypass vulnerability in cPanel/WHM actively exploited in the wild. Over 100,000 servers are at risk.

What Happened?

On April 30, 2026, security researchers discovered attackers exploiting a zero-day vulnerability in cPanel/WHM that allows unauthenticated remote code execution. The vulnerability affects:

• cPanel & WHM versions 11.110 through 11.118
• All hosting providers using vulnerable versions
• Estimated 100,000+ servers worldwide

Impact

Attackers can:

• Bypass authentication completely
• Execute arbitrary code as root
• Install backdoors and malware
• Steal customer data and credentials
• Pivot to other servers on the network

Immediate Actions Required

1. Update cPanel/WHM Immediately

Run: /scripts/upcp --force

This updates to version 11.119+ which patches CVE-2026-41940.

2. Check for Compromise

Look for suspicious activity:

• Unexpected root logins in /var/log/secure
• New user accounts in WHM
• Modified system files
• Unusual outbound network traffic

3. Enable Two-Factor Authentication

WHM → Security Center → Two-Factor Authentication

4. Restrict WHM Access by IP

WHM → Security Center → cPHulk Brute Force Protection

Alternative Control Panels

If you're concerned about cPanel security, consider these alternatives:

1. Plesk

Pros: Modern UI, better security track record, Windows support

Cons: More expensive than cPanel

Price: $10-15/mo

2. DirectAdmin

Pros: Lightweight, affordable, good security

Cons: Less feature-rich than cPanel

Price: $5/mo

3. CyberPanel

Pros: Free, open-source, LiteSpeed integration

Cons: Smaller community, fewer plugins

Price: Free

FAQ

How do I know if I'm affected?

Check your cPanel version: WHM → Server Information. If it's 11.110-11.118, you're vulnerable.

Is there a workaround if I can't update immediately?

Restrict WHM access to specific IPs via firewall rules. This reduces attack surface but doesn't eliminate the vulnerability.

Should I switch away from cPanel?

cPanel remains widely used and generally secure. This zero-day is serious but not unprecedented. Keep your system updated and follow security best practices.

Will my hosting provider patch this automatically?

Most managed hosting providers will patch automatically. Contact your provider to confirm.

Can I check if my server was compromised?

Run: grep "authentication bypass" /var/log/messages and check for suspicious root logins in /var/log/secure.

Last updated: May 2, 2026 by Sarah Chen