A critical authentication bypass vulnerability has been identified in cPanel and WHM, allowing attackers to gain unauthorized access to hosting control panels. The flaw, tracked as CVE-2026-41940, affects a widely used hosting management platform.
Security researchers at Watchtowr Labs have disclosed CVE-2026-41940, an authentication bypass vulnerability in cPanel and WHM (Web Host Manager). The flaw enables attackers to circumvent login mechanisms and access administrative functions without valid credentials.
CPanel and WHM are industry-standard control panels used by hosting providers and website administrators to manage servers, domains, and hosting accounts. The authentication bypass represents a significant security risk given the platform's widespread adoption and the sensitive nature of the data it protects.
■ Technical Details
The vulnerability allows attackers to bypass authentication checks through a flaw in the platform's request validation logic. Full technical analysis is available in the Watchtowr Labs report, which details the attack vector and proof-of-concept demonstrations.
■ Impact
Successful exploitation could grant attackers:
- Access to hosting control panels
- Ability to modify server configurations
- Control over hosted domains and accounts
- Potential lateral movement across infrastructure
The vulnerability affects multiple versions of cPanel and WHM, making it broadly relevant across the hosting industry.
■ Response
CPanel has been notified of the vulnerability. Users are advised to:
- Monitor official cPanel security announcements for patches
- Implement network-level access controls to WHM interfaces
- Review access logs for suspicious authentication attempts
- Consider restricting WHM access to known IP addresses
The disclosure has garnered significant attention in the security community, with 38 comments on Hacker News discussing implications and remediation strategies.
Hosting providers should prioritize patching systems once updates become available. The vulnerability's authentication-bypass nature makes it particularly critical, as it undermines fundamental security controls.
Partnered Health, one of Australia's largest healthcare providers, has disclosed a cyber-attack affecting 21 clinics across Sydney, Melbourne, and Canberra. Personal information and medical records were compromised in the breach.
Security firm Intruder has developed an AI-powered system that automatically identifies previously unknown software vulnerabilities by combining code analysis with large language models. The tool already discovered and exploited a WordPress plugin zero-day.
U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.