What happened
cPanel and WebHost Manager have received an emergency security update addressing a critical authentication bypass vulnerability tracked as CVE-2026-41940, with a CVSS score of 9.8. The flaw affects all currently supported versions of both products except those released in the patched builds published on April 28, 2026.
The vulnerability allows an unauthenticated attacker to gain access to the control panel without valid credentials. No technical details have been publicly disclosed, but the severity of the response indicates significant risk. Hosting provider Namecheap temporarily blocked access to ports 2083 and 2087, the standard ports for cPanel and WHM access, to protect customers while patches were made available.
Patched versions are available across six supported branches. Because the update requires manual intervention, cPanel recommends that administrators run /scripts/upcp –force to retrieve and install the patched build, as the standard update process may not execute if the system believes it is already current. Servers running unsupported cPanel versions are not eligible for this security update and should be upgraded to a supported branch immediately.
The access granted through cPanel and WHM is extensive. A compromised cPanel account provides control over websites, databases, email, and configuration files containing credentials. A compromised WHM instance provides server-level control over every hosted account on the machine, enabling account creation and deletion, persistent access establishment, and use of the server for spam, malware delivery, or proxy operations.
Who is affected
Hosting providers, web agencies, and any organization running cPanel or WHM on supported versions prior to the patched releases are directly exposed. Given that cPanel and WHM are among the most widely deployed hosting control panels globally, the potential attack surface is broad. Website owners whose hosting is managed through these interfaces on unpatched servers are also within the exposure window.
Why CISOs should care
A CVSS 9.8 authentication bypass on one of the most widely deployed hosting control panels is about as high-priority as vulnerability response gets. The manual update requirement means this will not resolve itself through automated patch cycles. Organizations and hosting providers that do not actively run the update command remain vulnerable, and the breadth of access a compromised instance provides, from web shells and backdoors to credential theft and spam infrastructure, makes this an attractive target for rapid exploitation once technical details circulate.
3 practical actions
- Run /scripts/upcp –force on all cPanel and WHM instances immediately: The standard update process will not apply this patch if the system believes it is already current. Manual execution of this command is required to retrieve and install the patched build across all supported version branches.
- Audit cPanel and WHM access logs for anomalous authentication activity: Given the nature of an authentication bypass, review logs for unexpected logins, account creation activity, and configuration changes that may indicate exploitation occurred before the patch was applied, particularly on any instance where ports 2083 or 2087 were accessible from the public internet.
- Upgrade any cPanel instances running unsupported versions as an immediate priority: Servers on unsupported branches are ineligible for this security update and remain permanently exposed to this vulnerability. Upgrade to a supported version before applying the emergency patch.
Also in the news:
- cPanel and WHM Emergency Update Fixes Critical Authentication Bypass Bug
- Amtrak Data Breach Exposes Millions of Customer Records
- UK Biobank Health Data Breach Continues as New Listings Appear on Chinese Platform
- Europol Busts €50 Million Online Fraud Network Running Corporate-Style Scam Call Centers
