cPanel Zero-Day CVE-2026-41940 Exploited for Months

Hackers have been exploiting a critical authentication bypass vulnerability in cPanel & WHM for months before its April 28 disclosure, affecting over 1.5 million internet-accessible instances. CVE-2026-41940 carries a CVSS score of 9.8 and allows remote, unauthenticated attackers to gain administrative access to web hosting control panels.

According to SecurityWeek, hosting provider KnownHost reported that the vulnerability has been actively exploited since February 23, 2026 — more than two months before public disclosure. The flaw affects all cPanel software versions after 11.40.

Technical Details of the Authentication Bypass

Security researchers at WatchTowr discovered that the vulnerability lies in cPanel’s login flow and is exploited through session file manipulation. When a login attempt fails, the cPanel service daemon writes a pre-authentication session file to disk, which attackers can manipulate through specially crafted cookies.

The attack works by injecting specific characters via an authorization header to write attacker-controlled credentials to the session file in plaintext. Attackers then trigger a reload of the file to authenticate using the injected credentials, bypassing normal authentication mechanisms entirely.

Rapid7 noted that successful exploitation grants attackers “control over the cPanel host system, its configurations and databases, and websites it manages.” A Shodan search revealed approximately 1.5 million internet-accessible cPanel instances potentially vulnerable to these attacks.

Widespread Impact on Hosting Infrastructure

The Canadian Centre for Cyber Security warned that successful exploitation could allow attackers to modify server configurations and potentially compromise all websites on shared hosting servers. This creates a cascading security risk where a single compromised cPanel instance can affect hundreds or thousands of hosted websites.

Major hosting providers including KnownHost, HostPapa, InMotion, and Namecheap immediately blocked access to cPanel & WHM interfaces after being notified of the vulnerability. The widespread adoption of cPanel in the web hosting industry amplifies the potential impact of this zero-day exploitation.

The vulnerability particularly threatens shared hosting environments where multiple customer websites operate on the same server infrastructure, managed through a single cPanel installation.

Linux Kernel ‘Copy Fail’ Adds to Security Concerns

A separate critical vulnerability dubbed “Copy Fail” (CVE-2026-31431) has begun seeing active exploitation, according to CISA’s Known Exploited Vulnerabilities catalog. The Linux kernel flaw, present since 2017, allows authenticated attackers to escalate privileges to root access.

Microsoft reported observing “limited in-the-wild exploitation, mainly surrounding proof-of-concept testing,” but warned of the vulnerability’s broad applicability across cloud, CI/CD, and Kubernetes environments. The flaw affects the kernel’s authentication AEAD template and can be exploited by any local, unprivileged user.

Copy Fail’s reliability and stealth characteristics make it particularly dangerous in multi-tenant environments where container breakout and lateral movement become possible attack vectors.

AI Gateway and GitHub Vulnerabilities Under Attack

The LiteLLM AI gateway suffered a critical SQL injection vulnerability (CVE-2026-42208) that was exploited within 36 hours of public disclosure on April 24. Sysdig reported that attackers specifically targeted database tables containing API keys, provider credentials, and environment configurations.

The pre-authentication SQL injection occurred during proxy API key verification, allowing unauthenticated attackers to access the LiteLLM proxy’s database through specially crafted Authorization headers. Despite the targeted nature of the attacks, no follow-on activity was observed and the extracted credentials have not been abused.
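To show the class of bug described above, here is an added example (not LiteLLM’s code; the table name, column names and key values are constructed for this illustration) of an API key lookup driven by the Authorization header, once with the header value interpolated into SQL and once with it bound as a query parameter:

```python
import sqlite3

def make_key_store():
    """Constructed in-memory key table standing in for a proxy's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_keys (token TEXT PRIMARY KEY, team TEXT)")
    conn.execute("INSERT INTO api_keys VALUES (?, ?)", ("sk-valid-key", "team-a"))
    conn.commit()
    return conn

def bearer_token(authorization_header):
    """Extract the token from 'Bearer <token>'; None if the header is malformed."""
    parts = authorization_header.split(" ", 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1].strip()

def verify_key_vulnerable(conn, authorization_header):
    """Vulnerable pattern: the unauthenticated header value is pasted straight
    into the SQL text, so it can change the WHERE clause instead of being
    compared as data. Returns the team the key belongs to, or None."""
    token = bearer_token(authorization_header)
    if token is None:
        return None
    row = conn.execute(
        f"SELECT team FROM api_keys WHERE token = '{token}'").fetchone()
    return row[0] if row else None

def verify_key_fixed(conn, authorization_header):
    """Hardened: the token is bound as a parameter, so the driver sends it as
    a value and the query structure is fixed before any input is seen."""
    token = bearer_token(authorization_header)
    if token is None:
        return None
    row = conn.execute(
        "SELECT team FROM api_keys WHERE token = ?", (token,)).fetchone()
    return row[0] if row else None
```

The same parameter-binding rule applies to every other user-influenced value in the verification path, such as key metadata or model names.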

Separately, Wiz researchers discovered CVE-2026-3854, a critical remote code execution vulnerability in GitHub’s internal Git infrastructure that exposed millions of repositories. The flaw affected GitHub.com, GitHub Enterprise Server, and related cloud services, though GitHub’s forensic investigation found no evidence of exploitation in the wild.

Robinhood Phishing Exploit Demonstrates Creative Attack Vectors

Robinhood confirmed that cybercriminals exploited a vulnerability in its account creation process to send legitimate-looking phishing emails over the weekend. The attack leveraged Gmail’s “dot trick,” where periods in email addresses are ignored, while Robinhood treated each variation as a distinct account.

Attackers created new Robinhood accounts using modified versions of existing Gmail addresses and injected malicious HTML code into device name fields during signup. This triggered legitimate “recent login” notification emails from Robinhood that rendered unsanitized HTML and embedded clickable phishing links.

Robinhood stated that “personal information and funds were not impacted” and emphasized this was “not a breach of our systems or customer accounts.” The emails passed all authentication checks since they originated from Robinhood’s own systems, making them highly convincing to recipients.
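Two controls close the gaps described above: comparing signup addresses on a canonical form, and escaping user-supplied fields before they reach an HTML email. The added example below is not Robinhood’s code; the account store and email template are constructed stand-ins, and it goes slightly beyond the article by also folding Gmail’s “+tag” suffix and the googlemail.com alias domain into the canonical form:

```python
import html

# Domains that apply Gmail's addressing rules: dots in the local part are
# ignored, anything after "+" is ignored, and googlemail.com is an alias.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def canonicalize_email(address):
    """Return the form of an address that is unique per mailbox.

    Two addresses with the same canonical form deliver to the same inbox, so
    uniqueness checks at signup must compare this value, not the raw string.
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError("malformed address")
    local, domain = address.lower().split("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"

class AccountStore:
    """Constructed stand-in for a signup backend, keyed by canonical address."""

    def __init__(self):
        self._accounts = {}

    def register(self, address, device_name):
        """Create an account; refuse dot/plus variants of an existing mailbox."""
        key = canonicalize_email(address)
        if key in self._accounts:
            return False
        self._accounts[key] = {"device_name": device_name}
        return True

def render_login_notification(device_name):
    """Build the HTML body of a 'recent login' email. The device name is
    user-controlled, so it is escaped: markup is displayed, not rendered."""
    safe = html.escape(device_name, quote=True)
    return f"<p>New login from device: <b>{safe}</b></p>"
```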

What This Means

The recent wave of critical vulnerabilities demonstrates how quickly attackers adapt to newly disclosed flaws, with exploitation occurring within hours or days of public disclosure. The cPanel zero-day’s months-long exploitation period before discovery highlights the challenge of detecting sophisticated authentication bypass attacks.

Organizations running affected software face immediate risks requiring emergency patching cycles. The diversity of attack vectors — from web hosting infrastructure to AI gateways to social platforms — shows that no technology stack is immune to critical vulnerabilities.

The speed of exploitation following disclosure emphasizes the importance of coordinated vulnerability disclosure and rapid patch deployment. Security teams must prioritize these high-CVSS vulnerabilities while implementing defense-in-depth strategies to limit blast radius when exploitation occurs.

FAQ

How can I check if my cPanel installation is vulnerable to CVE-2026-41940?
All cPanel & WHM versions after 11.40 are affected. Check your version in the cPanel interface and apply the latest security updates immediately. If you’re using a hosting provider, contact them to confirm patching status.

What makes the Copy Fail Linux vulnerability particularly dangerous?
CVE-2026-31431 affects nearly all Linux distributions since 2017 and allows any authenticated user to escalate to root privileges. It’s especially dangerous in cloud and container environments where it can facilitate breakouts and lateral movement.

Should I be concerned about the Robinhood phishing attack if I don’t use their platform?
Yes, the attack technique demonstrates how legitimate email systems can be abused for phishing. Always verify suspicious login notifications by accessing accounts directly through official websites rather than clicking email links.

Digital Mind News

Digital Mind News is an AI-operated newsroom. Every article here is synthesized from multiple trusted external sources by our automated pipeline, then checked before publication. We disclose our AI authorship openly because transparency is part of the product.