Critical cPanel Security Flaw Allows Hackers to Bypass Login and Gain Root Access


cPanel Software Suite Vulnerability Allows Unauthenticated Access to Servers

Cybersecurity researchers at Watchtowr Labs have discovered a critical vulnerability in the cPanel and WHM (Web Host Manager) software suite used by millions of website administrators worldwide.

“The vulnerability, identified as CVE-2026-41940, enables hackers to bypass the login mechanism and gain unfettered access to sensitive server data without authentication.” — Watchtowr Researchers

The flaw lies in cpsrvd, the service daemon that handles logins. By manipulating the whostmgrsession cookie, an attacker can inject attacker-controlled data into the server-side session file and thereby fabricate the record of a successful login. The server then trusts the fabricated session data and grants the attacker unrestricted access to the server's resources.

Exploitation Timeline and Severity

Watchtowr researchers report that attackers began exploiting the vulnerability as early as late February 2026, roughly two months before cPanel's developer, WebPros International L.L.C., released an urgent patch on April 28, 2026. That long window of in-the-wild exploitation before a fix was available underlines the severity of the issue.

Technical Details of the Exploit

  • Researchers demonstrated that an attacker can trigger the vulnerability by sending a crafted Authorization: Basic header whose credentials contain newline characters.
  • Because the filter_sessiondata sanitization step, which cleans user input before it is stored, is absent from this code path, the newline-separated lines are written verbatim into the session file: a CRLF injection that lets the attacker add entries of their choosing to the session.
  • To turn this into full access, the attacker must make the server load the corrupted session file from the fast cache, which triggers the do_token_denied function. That function modifies the corrupted session and saves it to the main cache, after which the forged session grants the attacker root access.
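The bug class behind the first two bullets is CRLF injection into a line-oriented session store: a value that is allowed to carry a newline becomes two records instead of one. The toy below is an added illustration, not cPanel's or Watchtowr's code; the key=value file layout, the field names `authenticated`/`user`, the credential store and the Basic-auth headers are all constructed for the demo. It shows the unsanitised writer accepting an injected `authenticated=1` line, the hardened writer refusing the same input, and a detection check that decodes a logged Basic header and flags control characters in the credentials.

```python
"""Toy CRLF injection into a line-oriented session file (added example, not
cPanel's code). Format, field names and credentials are assumptions."""
import base64
import re

# Constructed credential store for the demo.
USERS = {"alice": "s3cret"}

CONTROL_CHARS = re.compile(r"[\r\n\x00]")


def parse_basic_auth(header_value: str) -> tuple[str, str]:
    """Decode an 'Authorization: Basic <base64>' value into (user, password)."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not HTTP Basic authentication")
    raw = base64.b64decode(b64, validate=True).decode("utf-8", "replace")
    user, _, password = raw.partition(":")
    return user, password


def serialize_vulnerable(fields: dict) -> str:
    """Emit key=value lines with no sanitisation: the CRLF-injection bug class."""
    return "".join(f"{key}={value}\n" for key, value in fields.items())


def serialize_hardened(fields: dict) -> str:
    """Refuse any key or value carrying CR, LF or NUL before it reaches the file."""
    for key, value in fields.items():
        if CONTROL_CHARS.search(str(key)) or CONTROL_CHARS.search(str(value)):
            raise ValueError(f"control character in session field {key!r}")
    return serialize_vulnerable(fields)


def load_session(text: str) -> dict:
    """Read the file back the way a naive line parser would: last key wins."""
    session = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            session[key] = value
    return session


def create_session(header_value: str, serialize) -> dict:
    """Check the Basic credentials, persist the session, and reload it."""
    user, password = parse_basic_auth(header_value)
    verified = USERS.get(user) == password
    # Field order is an assumption: the attacker-controlled value is written
    # last, so any line it smuggles in overrides the flag written before it.
    fields = {"authenticated": "1" if verified else "0", "user": user}
    return load_session(serialize(fields))


def hardened_rejects(header_value: str) -> bool:
    """True if the hardened serializer refuses to persist this login."""
    try:
        create_session(header_value, serialize_hardened)
    except ValueError:
        return True
    return False


def basic_auth_has_crlf(header_value: str) -> bool:
    """Detection check: do the decoded Basic credentials contain CR/LF/NUL?"""
    try:
        user, password = parse_basic_auth(header_value)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return bool(CONTROL_CHARS.search(user + password))


def basic_header(user: str, password: str) -> str:
    """Build an 'Authorization: Basic' header value from credentials."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed inputs: a normal login and an attacker smuggling a second line.
LEGIT_HEADER = basic_header("alice", "s3cret")
ATTACK_HEADER = basic_header("guest\nauthenticated=1", "wrong")

if __name__ == "__main__":
    print("legit  :", create_session(LEGIT_HEADER, serialize_vulnerable))
    print("attack :", create_session(ATTACK_HEADER, serialize_vulnerable))
    print("hardened rejects attack:", hardened_rejects(ATTACK_HEADER))
    print("detector flags attack  :", basic_auth_has_crlf(ATTACK_HEADER))
```

The point of the hardened writer is that rejecting CR, LF and NUL at the serialization boundary is independent of where the value came from, so every caller of the session store gets the protection, not just the one code path that happened to be fixed. The detector is only as good as the logs it reads: it needs the raw Authorization header, which most access logs do not record, so it is a complement to the Watchtowr artifact generator rather than a replacement for it.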

Affected Versions and Recommended Action

Server administrators should update their software to the latest patched versions:

  • cPanel 110.0.x: version 11.110.0.97
  • cPanel 118.0.x: version 11.118.0.63
  • cPanel 126.0.x: version 11.126.0.54
  • cPanel 132.0.x: version 11.132.0.29
  • cPanel 134.0.x: version 11.134.0.20
  • cPanel 136.0.x: version 11.136.0.5

The Watchtowr team has released a Detection Artifact Generator on GitHub to help administrators identify attempted or successful exploitation. Because attackers had been exploiting the vulnerability for weeks before the patch was released, updating alone may not be enough: administrators should also review their logs for signs of unauthorized access, and treat any server that was reachable while unpatched as potentially compromised until those checks come back clean.
