Exploited in the Wild: PoC Released for cPanel CVE-2026-41940 Authentication Bypass Zero-Day

cPanel, the industry-standard control panel that powers the graphical interfaces of millions of websites, has issued an urgent security update affecting all currently supported versions of its software. The disclosure centers on a vulnerability within “various authentication paths,” a critical area of the software that manages how users and administrators gain access to their hosting environments.

While cPanel is primarily used to manage individual hosting accounts, its integration with WebHost Manager (WHM) means that a compromise of these authentication paths could potentially lead to broader administrative control over entire servers.

The core of the issue lies in the way cPanel handles authentication. Because cPanel operates on a three-tier structure—allowing website owners to manage files, databases, and emails through a standard web browser—any flaw in the authentication logic represents a significant risk to data integrity and server security.

Specific details regarding the nature of the “security issue” are being kept close to the vest to prevent exploitation while the global fleet of servers begins the patching process. However, the company has confirmed the vulnerability impacts the software’s foundational access mechanisms.

In response to the discovery, cPanel L.L.C. has pushed out emergency patches across its release tiers. Administrators are urged to verify their current versioning and run a forced update to ensure the security fix is applied immediately.

The following versions (and higher) contain the necessary resolution:

• 11.136.0.5
• 11.134.0.20
• 11.132.0.29
• 11.126.0.54
• 11.118.0.63
• 11.110.0.97

To retrieve and apply the patched version, server administrators should execute the following command via the terminal:
/scripts/upcp –force.

For those running older, end-of-life versions of cPanel, the company issued a warning: “If your server is not running a supported version of cPanel that is eligible for this update, it is highly recommended that you work toward updating your server as soon as possible, as it may also be affected.”

Legacy systems often lack the architectural safeguards present in modern releases, making them even more susceptible to flaws in authentication logic.

Update:

This flaw now is tracked as CVE-2026-41940 (CVSS 9.8). KnownHost has confirmed that active, in-the-wild exploitation is ongoing and revealed that this vulnerability was weaponized as a zero-day exploit. The attack targeted the management plane of a substantial portion of the internet infrastructure.

Security researcher from watchTowr published the technical details and a proof-of-concept (PoC) exploit code for this flaw.