Critical cPanel CVE-2026-41940 enables auth bypass. Patch now.
TX_047 · Engineering · 2 min read · #security #cpanel #cve #vulnerability

CVE-2026-41940 in cPanel and WHM allows authentication bypass and remote elevated control. Government and MSP networks are being actively targeted. Patch immediately.

A critical vulnerability in cPanel and WebHost Manager (WHM) is being actively weaponised against government and MSP networks. CVE-2026-41940 allows authentication bypass and remote attackers to gain elevated control [The Hacker News].

── What shipped ──

  • Vulnerability class: authentication bypass leading to remote code execution under elevated privileges
  • Affected products: cPanel and WHM (specific version range — see vendor advisory)
  • Active exploitation: government and managed service provider (MSP) networks are confirmed targets
  • Patch: vendor patches are available; apply immediately

── Why it matters ──

cPanel and WHM are the dominant control-panel software in the shared hosting market and across many small business and agency hosting environments. The reach is broad and the attack surface is well-known.

This is the second critical web-server-class CVE in May 2026 — the Apache HTTP/2 flaw in TX_010 was the first. Both target the same operational surface: web-facing infrastructure that has historically been deployed and forgotten.

Your exposure check:

  1. Check version. Run whmapi1 listrpms | grep cpanel or cat /usr/local/cpanel/version. Compare against the patched version in the vendor advisory.
  2. Restrict WHM access to known IPs immediately if you cannot patch tonight.
  3. Audit logs for unusual login activity since early May.
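Steps 1 and 3 of the exposure check, as an added POSIX shell example that is not part of the original broadcast and not cPanel's own tooling. It assumes /usr/local/cpanel/version holds one dotted version string (the file named in step 1), that a leading "11." is the legacy spelling of the same release number, and that the login log sits at /usr/local/cpanel/logs/login_log with failures marked by the text "FAILED LOGIN". The patched version is a placeholder because the text here does not state it; take the real one from the vendor advisory. The sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original broadcast or from cPanel.
# Step 1: compare the installed cPanel version with the patched one.
# Step 3: tally "FAILED LOGIN" lines in the login log by source address.
# Assumptions (not stated by the page): the version file holds one dotted
# version; a leading "11." is the legacy prefix of the same number; the login
# log path and the "FAILED LOGIN" marker. PATCHED_VERSION is a placeholder.

PATCHED_VERSION="${PATCHED_VERSION:-PLACEHOLDER_PATCHED_VERSION}"
VERSION_FILE="${VERSION_FILE:-/usr/local/cpanel/version}"
LOGIN_LOG="${LOGIN_LOG:-/usr/local/cpanel/logs/login_log}"

# normalize_version V: drop the legacy "11." prefix (assumption) so that
# 11.110.0.5 and 110.0.5 compare as the same release.
normalize_version() {
    v="$1"
    case "$v" in
        11.*.*.*) v="${v#11.}" ;;
    esac
    printf '%s\n' "$v"
}

# version_ge A B: exit 0 when dotted version A >= B, comparing each field
# numerically (so 110.0.10 > 110.0.9, which a plain string compare gets wrong).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        if [ "$ah" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bh" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -gt "$bh" ]; then return 0; fi
        if [ "$ah" -lt "$bh" ]; then return 1; fi
    done
    return 0
}

# check_exposure VERSION_FILE PATCHED: prints PATCHED, VULNERABLE or UNKNOWN.
# UNKNOWN means the check could not be made (no file, or placeholder version),
# which should be treated as unpatched until proven otherwise.
check_exposure() {
    file="$1"; patched="$2"
    case "$patched" in
        PLACEHOLDER*|"") echo "UNKNOWN"; return 0 ;;
    esac
    if [ ! -r "$file" ]; then
        echo "UNKNOWN"; return 0
    fi
    installed=$(normalize_version "$(head -n 1 "$file" | tr -d '[:space:]')")
    if version_ge "$installed" "$(normalize_version "$patched")"; then
        echo "PATCHED"
    else
        echo "VULNERABLE"
    fi
}

# failed_login_sources LOGFILE: count "FAILED LOGIN" lines per source address
# (the first dotted quad on the line, an assumption about the log layout),
# busiest source first. Output lines look like "   3 203.0.113.5".
failed_login_sources() {
    awk '/FAILED LOGIN/ {
        if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/))
            print substr($0, RSTART, RLENGTH)
    }' "$1" | sort | uniq -c | sort -rn
}

# sample_login_log: constructed lines in the assumed layout, for a dry run.
sample_login_log() {
    cat <<'EOF'
[2026-05-03 01:12:09 +0000] info [whostmgrd] 203.0.113.5 - root "POST /login/ HTTP/1.1" FAILED LOGIN whostmgrd: user password hash is miss
[2026-05-03 01:12:11 +0000] info [whostmgrd] 203.0.113.5 - root "POST /login/ HTTP/1.1" FAILED LOGIN whostmgrd: user password hash is miss
[2026-05-03 01:12:14 +0000] info [whostmgrd] 203.0.113.5 - root "POST /login/ HTTP/1.1" FAILED LOGIN whostmgrd: user password hash is miss
[2026-05-03 02:40:00 +0000] info [whostmgrd] 198.51.100.7 - root "POST /login/ HTTP/1.1" FAILED LOGIN whostmgrd: user password hash is miss
[2026-05-03 09:00:00 +0000] info [whostmgrd] 192.0.2.10 - root "POST /login/ HTTP/1.1" NEW LOGON whostmgrd: root
EOF
}

# Run both checks against the live host: RUN_CHECK=1 PATCHED_VERSION=<from advisory> sh check.sh
main() {
    echo "version check: $(check_exposure "$VERSION_FILE" "$PATCHED_VERSION")"
    if [ -r "$LOGIN_LOG" ]; then
        echo "failed logins by source:"
        failed_login_sources "$LOGIN_LOG"
    fi
}

if [ "${RUN_CHECK:-0}" = "1" ]; then
    main
fi
```

A version compare done with `sort -V` or a string test is the usual shortcut and the usual mistake; the field-by-field loop above is what keeps 110.0.10 from reading as older than 110.0.9. The tally is deliberately coarse: any source with a run of failures against WHM since early May is a lead for the log audit in step 3, not a verdict.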

CDN protection does not help here — exploitation typically targets the cPanel/WHM admin interface directly.

── Editor's take ──

Two critical web-server CVEs in May with active exploitation in both. This is the cluster pattern that historically precedes a wave of mass compromises. Patch tonight. If you operate any cPanel infrastructure, do not let this become a Q3 incident response story.
