Over 40,000 Servers Compromised in Ongoing cPanel Exploitation
The attacks likely target CVE-2026-41940, a recently patched zero-day leading to administrative access. The post "Over 40,000 Servers Compromised in Ongoing cPanel Exploitation" appeared first on SecurityWeek.
AI Analysis
Technical Summary
CVE-2026-41940 is a critical authentication bypass vulnerability in cPanel & WHM that enables unauthenticated attackers to gain administrative access by exploiting special characters in authorization headers to write and reload session files with injected credentials. This zero-day vulnerability has been exploited in the wild since at least February 2026, leading to widespread compromise of over 40,000 servers globally, predominantly in the US, France, and the Netherlands. The vulnerability affects all cPanel versions after 11.40. Patches have been released in several versions, including 11.86.0.41 and later. The US CISA has included this vulnerability in its KEV catalog, recommending patching within four days. The Shadowserver Foundation and other threat intelligence entities have observed significant exploitation activity, which has recently declined following public disclosure and patch availability.
Potential Impact
Successful exploitation of CVE-2026-41940 grants unauthenticated attackers administrative access to cPanel & WHM servers, allowing full control over host systems, configurations, databases, and hosted websites. This leads to complete system compromise, data breaches, and potential further malicious activity on affected servers. Over 40,000 servers have been compromised, indicating widespread impact. The vulnerability was actively exploited as a zero-day prior to patch release, increasing risk to unpatched systems.
Mitigation Recommendations
A patch addressing CVE-2026-41940 is available in multiple cPanel & WHM versions, including 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, and 11.136.0.5, as well as WP Squared version 136.1.7. Users should update to one of these patched versions immediately. cPanel provides instructions for identifying and remediating potential compromises, which should be followed. The US CISA recommends patching within four days. No vendor advisory indicates that affected systems can be left as they are, so prompt patching and compromise assessment are essential.
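A fleet triage sketch for the version list above, added here as an example and not taken from cPanel or the source article. It assumes each listed build is the minimum fixed build for its own release branch and that "after 11.40" excludes the 11.40 branch itself; the hostnames and versions in the sample inventory are constructed.

```python
import re

# Fixed builds exactly as listed in the mitigation text above.
# Assumption: each one is the minimum patched build for its release branch.
FIXED = (
    "11.86.0.41", "11.110.0.97", "11.118.0.63", "11.124.0.35", "11.126.0.54",
    "11.130.0.19", "11.132.0.29", "11.134.0.20", "11.136.0.5",
)
FIXED_BY_BRANCH = {}
for _v in FIXED:
    _t = tuple(int(p) for p in _v.split("."))
    FIXED_BY_BRANCH[_t[:2]] = _t

LAST_UNAFFECTED_BRANCH = (11, 40)  # page: "all cPanel versions after 11.40"

def triage(version_text):
    """Classify one reported cPanel & WHM version string."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", version_text)
    if not m:
        return "unknown"            # unparseable: inspect the host by hand
    v = tuple(int(g) for g in m.groups())
    branch = v[:2]
    if branch <= LAST_UNAFFECTED_BRANCH:
        return "not-affected"
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return "no-listed-fix"      # branch not in the list: check the vendor advisory
    return "patched" if v >= fixed else "vulnerable"

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = {
    "web01.example.test": "11.110.0.97",
    "web02.example.test": "11.110.0.12",
    "web03.example.test": "11.128.0.7",
    "web04.example.test": "11.136.0.5",
    "legacy.example.test": "11.38.0.4",
    "broken.example.test": "n/a",
}

def triage_inventory(inventory):
    """Group hostnames by triage status."""
    groups = {}
    for host, version in sorted(inventory.items()):
        groups.setdefault(triage(version), []).append(host)
    return groups

if __name__ == "__main__":
    for status, hosts in triage_inventory(INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

A "patched" result only describes the current build: because exploitation predates the fix, hosts that were internet-facing while unpatched still need the compromise assessment the vendor describes.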
Affected Countries
United States, France, Netherlands
Technical Details
- Article Source: https://www.securityweek.com/over-40000-servers-compromised-in-ongoing-cpanel-exploitation/ (fetched 2026-05-04T08:36:22.332Z; word count 975)
Threat ID: 69f85a86cbff5d8610f0eb7a
Added to database: 5/4/2026, 8:36:22 AM
Last enriched: 5/4/2026, 8:36:32 AM
Last updated: 6/19/2026, 7:48:13 AM