CVE-2026-41940 rating 9.8 - cPanel and WHM versions after 11.40 authentication bypass vulnerability
Posted by DominusDraco@reddit | sysadmin
cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Time to get patching.
https://nvd.nist.gov/vuln/detail/CVE-2026-41940
https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026
Crysadis@reddit
Netfronts is down. All sites down for undetermined time as they patch this!
Impressive_Tale_6314@reddit
Do you have a source on this?
Crysadis@reddit
Email from Netfronts after emailing to inquire as to why my many websites were down.
Byyp@reddit
Fun times! I'm sure price increases will still go out though /s
fhriscranklin@reddit
Patched our server, but the cPanel version number hasn't budged. Looks like we haven't been compromised but no way of knowing that it's actually applied the fix?
alabamaroots@reddit
Does anybody know if GoDaddy has patched their hosted servers yet?
Binestar@reddit
I just checked our GoDaddy hosted sites and their cPanel is patched to 134.0.20
brokenPipe_@reddit
I also think 134.0.20 is the patched version, and my panel auto-updated, because I went to force update, nothing changed, and it seems like the exploit is not working.
alabamaroots@reddit
Does anybody know if GoDaddy has patched their hosted servers yet? I have been online with their support most of the morning and they are pretty useless....