Security researchers at watchTowr Labs have identified a critical authentication bypass vulnerability, tracked as CVE-2026-41940, affecting all currently supported versions of cPanel and WHM. The flaw allows unauthorized access to the management plane of hosting infrastructure used by an estimated 70 million domains.
KnownHost has confirmed that in-the-wild exploitation of this zero-day vulnerability is already occurring. The vulnerability resides in the session loading and saving mechanisms of the control panel, which provides root-level access to servers, SSL certificates, and security protocols.
According to labs.watchtowr.com, the vulnerability allows attackers to bypass authentication by manipulating session data. The researchers analyzed recent patches to the software and identified three modified files: Cpanel/Session.pm, Cpanel/Session/Load.pm, and Cpanel/Session/Encoder.pm.
Technical breakdown of the bypass
By reviewing the code changes in the `saveSession` function within `Session.pm`, the researchers found a new conditional logic path. The patch introduces a `filter_sessiondata` function designed to sanitize input by removing specific characters like carriage returns and newlines.
However, the researchers noted that the vulnerability involves how the system handles session encoding. In unpatched versions, if a certain 'ob' (obfuscation) element is missing, the system may fall back to a predictable state.
"As always, with clues from the ether and drama in our heads, we pulled the pin out of the proverbial grenade and jumped in," the watchTowr Labs report stated.
The vulnerability specifically targets the way session data is encoded. The researchers observed that the new code allows for a 'no-ob' prefix, which could potentially be leveraged to manipulate session entries. The `filter_sessiondata` function attempts to prevent manipulation of session files by stripping characters such as `\r`, `\n`, `=`, and `\` from input fields.
Despite these sanitization efforts, the core issue remains the ability to bypass the authentication check through the session loading process. cPanel has released several patches to address the issue across various release tracks.
Users running cPanel & WHM 110.0.x should upgrade to 11.110.0.97 or higher. Other affected tracks include versions 118.0.x, 126.0.x, 132.0.x, 134.0.x, and 136.0.x, all of which have received specific point releases to mitigate the exploit.
