
cPanel Critical Security Update: Patch CVE-2026-41940 Immediately

  • Published on April 30, 2026

cPanel has published an urgent security advisory for CVE-2026-41940, an authentication-bypass flaw affecting cPanel & WHM, including DNSOnly, on versions after 11.40. As of April 30, 2026, cPanel’s advisory includes patched builds, immediate remediation steps, temporary mitigations, and an indicators-of-compromise detection script. NVD currently lists the vulnerability as critical, with a CVSS v3.1 base score of 9.8 and a CVSS v4 score of 9.3, according to the CNA entry on the NVD record. 

Why this update cannot wait

This is not a routine maintenance update. cPanel’s official guidance is to update affected servers immediately, and the vendor revised the advisory repeatedly: twice on April 28, then again on April 29 and April 30, adding required actions and a detection script along the way. That combination alone is a strong signal that administrators should treat this as emergency patching, not as deferred maintenance.

The risk is straightforward: the issue is an authentication bypass in the login flow. According to the official advisory, it affects cPanel software, including DNSOnly, on versions 11.40 and later. NVD’s description is similarly direct, stating that unauthenticated remote attackers may gain unauthorized access to the control panel. 


Bacloud Infrastructure Status

All Bacloud-managed servers have already been updated to the latest patched cPanel & WHM versions. No action is required from our managed hosting customers — your infrastructure is already protected.

This advisory is primarily relevant to customers who:

  • manage their own servers
  • use self-managed dedicated or VPS environments
  • are responsible for their own cPanel updates

If you are running a self-managed server with cPanel, we strongly recommend applying the update immediately to ensure your system remains secure.

Which versions are safe right now

cPanel says the patched cPanel & WHM builds are 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, and 11.136.0.5. If your server is not on one of those builds, treat it as needing immediate attention. 

If you use WP Squared, cPanel’s advisory points to version 136.1.7 as the patched release, and the official WP2 changelog for 136.1.7, released on April 28, 2026, records a cPanel-related fix described as “Fixed issue with login authentication” under case CPANEL-52908. 

cPanel also warns that systems not running eligible supported versions may still be affected and should be moved toward a supported version as soon as possible. In other words, if you are outside the published patch lanes, the safe assumption is not that you are exempt, but that you need containment and an immediate upgrade plan. 

What administrators should do right now

cPanel’s recommended response is short and specific: force the update, verify the installed cPanel build, and restart the cpsrvd service. The same advisory also warns that servers with disabled updates or pinned update preferences will not auto-update and must be remediated manually as a priority. 

```bash
/scripts/upcp --force
/usr/local/cpanel/cpanel -V
/scripts/restartsrv_cpsrvd
```

For infrastructure teams, that means the first pass is operationally simple: patch, confirm the version, restart the relevant service, and then move immediately into verification. The biggest hidden risk is not the update process itself, but the servers that were intentionally pinned, excluded from standard update behavior, or left on older branches. cPanel explicitly calls those out as manual-priority systems. 
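The version check in the second command is where pinned or excluded servers slip through: an administrator reads a version string and has to remember which build is the fixed one for that branch. The following script is an added example (not cPanel’s own tooling) that encodes the fixed-build list from the advisory and classifies an installed version as fixed, below the fix, or on a branch with no published fix. It assumes that within one branch (the second version component) any build at or above the fixed build carries the fix, that the version string is read from `/usr/local/cpanel/version` or `cpanel -V`, and that anything after the first space in that string is a label that can be ignored. It never runs the update itself.

```shell
#!/bin/sh
# Added example, not cPanel's tooling: decide whether an installed cPanel & WHM
# build is at or above the fixed build for its branch (CVE-2026-41940).
# The build list is the one published in cPanel's advisory.
PATCHED_BUILDS="11.86.0.41 11.110.0.97 11.118.0.63 11.126.0.54 11.130.0.19 11.132.0.29 11.134.0.20 11.136.0.5"

# is_patched VERSION
#   returns 0 if VERSION is at or above the fixed build of its branch,
#           1 if it is on a patched branch but below the fixed build,
#           2 if its branch has no published fix (treat as affected).
# Assumption: within a branch (second component) every build whose
# third.fourth components are >= the fixed build's includes the fix.
# Anything after the first space (for example a tier label) is ignored.
is_patched() {
    ver="${1%% *}"
    branch=$(printf '%s' "$ver" | cut -d. -f2)
    v3=$(printf '%s' "$ver" | cut -d. -f3); v3="${v3:-0}"
    v4=$(printf '%s' "$ver" | cut -d. -f4); v4="${v4:-0}"
    for fixed in $PATCHED_BUILDS; do
        [ "$(printf '%s' "$fixed" | cut -d. -f2)" = "$branch" ] || continue
        f3=$(printf '%s' "$fixed" | cut -d. -f3)
        f4=$(printf '%s' "$fixed" | cut -d. -f4)
        if [ "$v3" -gt "$f3" ] || { [ "$v3" -eq "$f3" ] && [ "$v4" -ge "$f4" ]; }; then
            return 0
        fi
        return 1
    done
    return 2
}

# check_installed: read the live version (assumed to be in
# /usr/local/cpanel/version, falling back to "cpanel -V" as in the advisory)
# and print the next step. It reports only; it does not update anything.
check_installed() {
    ver=$(cat /usr/local/cpanel/version 2>/dev/null || /usr/local/cpanel/cpanel -V 2>/dev/null)
    if [ -z "$ver" ]; then
        echo "cPanel version not found; run this on the cPanel host"
        return 3
    fi
    rc=0; is_patched "$ver" || rc=$?
    case "$rc" in
        0) echo "OK: $ver is at or above the fixed build for its branch" ;;
        1) echo "ACTION: $ver is below the fixed build; run /scripts/upcp --force, then /scripts/restartsrv_cpsrvd" ;;
        *) echo "ACTION: $ver is on a branch with no published fix; apply the mitigations and plan an upgrade" ;;
    esac
    return "$rc"
}

# Report when run on a real host; elsewhere only the functions are defined.
if [ -r /usr/local/cpanel/version ]; then
    check_installed
fi
```

Run it after `/scripts/upcp --force` completes and again after any server whose update preferences were pinned has been handled manually; a return code of 1 or 2 means the server still counts as affected.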

What to do if you cannot patch immediately

cPanel provides two temporary containment options for cases where you cannot complete the update right away. The first is to block inbound traffic on ports 2083, 2087, 2095, and 2096 at the firewall. The second is to stop the cpsrvd and cpdavd services. That guidance makes the vendor’s position clear: if you cannot patch now, reduce exposure now. 

For older or non-eligible versions, cPanel says it is still working on paths to deliver patches, especially for versions with larger installed bases. Until then, the official recommendation is to follow the mitigation steps and work toward a supported patched release as quickly as possible. That is the right message for any customer-facing hosting environment as well: temporary containment is acceptable only while you are actively moving to a supported fixed build. 

Do not stop at patching

One of the most important details in cPanel’s updated advisory is the addition of a vendor-supplied detection script for indicators of compromise. The script checks session files in /var/cpanel/sessions and looks for suspicious artifacts tied to the issue, including token and session anomalies that cPanel says can indicate both successful and failed exploitation attempts. 

That means patching alone is not enough for exposed systems. If a server was internet-facing before the fix was applied, administrators should also review whether the flaw may have been abused. cPanel’s own incident-response guidance is clear: if indicators of compromise are found, purge affected sessions, force password resets for root and all WHM users, audit /var/log/wtmp and WHM access logs, and check for persistence mechanisms such as cron entries, SSH keys, or backdoors. 
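The persistence review at the end of that list is easiest when it starts from a short, concrete set of files rather than a manual walk through every cron directory and home directory. The script below is an added example, not cPanel’s indicators-of-compromise script, that lists persistence-related files (cron entries and SSH `authorized_keys`) whose modification time is later than a cutoff you choose, typically the earliest moment the server could have been exposed. The search paths are assumptions about a typical cPanel host and can be overridden on the command line.

```shell
#!/bin/sh
# Added example, not cPanel's IoC script: list persistence-related files
# changed after a cutoff time so the post-patch review of cron entries and
# SSH keys starts from a concrete list. Paths are assumptions about a
# typical cPanel host; pass your own paths to override them.
PERSISTENCE_PATHS="/etc/crontab /etc/cron.d /var/spool/cron /root/.ssh /home"

# changed_since CUTOFF [PATH...]
#   CUTOFF is a touch(1) -t timestamp, e.g. 202604280000 for 2026-04-28 00:00.
#   Prints every regular file under PATH... whose mtime is after CUTOFF.
#   Under /home only each account's .ssh directory is examined.
changed_since() {
    cutoff="$1"; shift
    [ $# -gt 0 ] || set -- $PERSISTENCE_PATHS
    # A reference file stamped with the cutoff lets find(1) compare mtimes.
    ref=$(mktemp) || return 1
    touch -t "$cutoff" "$ref" || { rm -f "$ref"; return 1; }
    for p in "$@"; do
        [ -e "$p" ] || continue
        case "$p" in
            /home) find "$p" -path '*/.ssh/*' -type f -newer "$ref" 2>/dev/null ;;
            *)     find "$p" -type f -newer "$ref" 2>/dev/null ;;
        esac
    done
    rm -f "$ref"
}

# Usage on a host: changed_since 202604280000
# Each listed file should be opened and its entries accounted for.
```

Modification times are a starting point, not proof: an intruder can reset them, so a file that is absent from this list is not thereby cleared, and the session purge, password resets and log audit from cPanel’s guidance still apply in full.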


The message to publish today

If you run cPanel on any internet-exposed server, the right posture on April 30, 2026, is urgent. CVE-2026-41940 is an authentication-bypass issue with a critical severity rating on the NVD record, and cPanel’s own advisory advises updating immediately, verifying the installed build, and applying mitigations without delay when patching cannot happen at once. 

The practical takeaway for hosting providers, resellers, MSPs, and infrastructure teams is simple: do not wait for the next maintenance cycle. Patch to cPanel’s published fixed builds now, verify the version, restart cpsrvd, and review exposed systems for compromise indicators. This is the kind of security update that belongs at the top of the queue until every affected server is either patched or isolated. 
