Hackers have been exploiting a critical authentication bypass vulnerability in cPanel & WHM for months before its April 28 disclosure, with the flaw affecting approximately 1.5 million internet-accessible instances. CVE-2026-41940 carries a CVSS score of 9.8 and allows remote, unauthenticated attackers to gain administrative access to control panels.
According to SecurityWeek, the vulnerability affects all cPanel software versions after 11.40. KnownHost reported on Reddit that exploitation began on February 23, 2026 — over two months before public disclosure.
How the Attack Works
The vulnerability exploits cPanel’s login flow through a sophisticated session manipulation technique. WatchTowr’s analysis revealed that failed login attempts cause the cPanel service daemon to write pre-authentication session files to disk.
Attackers can manipulate cookies to inject controlled credentials into these session files in plaintext. The exploit works by:
- Injecting specific characters via authorization headers
- Writing parameters directly to session files
- Triggering file reloads to authenticate using injected credentials
This time-of-check time-of-use (TOCTOU) flaw bypasses authentication entirely, granting immediate administrative access.
Impact on Hosting Infrastructure
Successful exploitation grants attackers complete control over cPanel host systems, configurations, databases, and managed websites. The Canadian Centre for Cyber Security warns that attackers can modify server configurations and potentially compromise all websites on shared hosting servers.
Rapid7’s research using Shodan identified approximately 1.5 million exposed cPanel instances globally. Major hosting providers including KnownHost, HostPapa, InMotion, and Namecheap immediately blocked access to cPanel & WHM interfaces after notification.
The vulnerability poses particular risk to shared hosting environments where a single compromised control panel can affect hundreds or thousands of customer websites.
Additional Critical Vulnerabilities
Several other high-severity vulnerabilities emerged simultaneously across different platforms:
PackageKit ‘Pack2TheRoot’ Flaw
CVE-2026-41651 affects PackageKit versions 1.0.2 to 1.3.4, with a CVSS score of 8.1. Deutsche Telekom’s Red Team discovered this TOCTOU race condition that allows unprivileged users to install arbitrary RPM packages with root privileges.
The flaw impacts multiple Linux distributions including Ubuntu Desktop 18.04-26.04, Ubuntu Server 22.04-24.04, Debian Trixie 13.4, RockyLinux 10.1, and Fedora 43. The vulnerability likely existed for 14 years, dating back to PackageKit version 0.8.1.
LiteLLM SQL Injection Exploited Rapidly
CVE-2026-42208 in the open-source AI gateway LiteLLM was exploited within 36 hours of GitHub Advisory indexing. Sysdig reported that attackers specifically targeted database tables containing API keys, provider credentials, and environment configurations.
The SQL injection occurs during proxy API key verification, allowing unauthenticated attackers to access databases through specially crafted Authorization headers.
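The flaw class described above, shown as an added example that is not LiteLLM's code: a hypothetical key-verification lookup that interpolates the Authorization header into SQL, beside the parameterized version that treats the header purely as data (table name, key value and header are constructed here).

```python
"""Added example (not LiteLLM's code): why building the key-lookup query
from the Authorization header is dangerous, and the fix. The table layout,
key values and header are all constructed for this illustration."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Create an in-memory table holding one constructed API key."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE verification_tokens (token TEXT, user_id TEXT)")
    con.execute("INSERT INTO verification_tokens VALUES ('sk-constructed-1234', 'alice')")
    con.commit()
    return con


def bearer_token(authorization: str) -> str:
    """Extract the token from 'Bearer <token>'; reject any other shape."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("malformed Authorization header")
    return token


def verify_key_vulnerable(con: sqlite3.Connection, authorization: str):
    """Hypothetical vulnerable lookup: the header value becomes part of the SQL."""
    token = bearer_token(authorization)
    query = f"SELECT user_id FROM verification_tokens WHERE token = '{token}'"
    row = con.execute(query).fetchone()
    return row[0] if row else None


def verify_key_hardened(con: sqlite3.Connection, authorization: str):
    """Hardened lookup: a bound parameter, so the header can never alter the query."""
    token = bearer_token(authorization)
    row = con.execute(
        "SELECT user_id FROM verification_tokens WHERE token = ?", (token,)
    ).fetchone()
    return row[0] if row else None
```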
GitHub and Robinhood Incidents
Wiz researchers discovered CVE-2026-3854, a critical remote code execution vulnerability in GitHub’s internal Git infrastructure. The flaw affected millions of repositories on both GitHub.com and GitHub Enterprise Server, allowing authenticated users to execute arbitrary commands through standard git push operations.
Separately, Robinhood confirmed that attackers exploited its account creation process for phishing campaigns. The attack leveraged Gmail’s “dot trick” to create accounts with modified email addresses, then injected malicious HTML into device name fields during signup.
https://x.com/AskRobinhood/status/2048649252352487683
What This Means
The simultaneous emergence of these critical vulnerabilities highlights the expanding attack surface as organizations rely increasingly on web-based management platforms and AI tools. The cPanel vulnerability’s two-month exploitation window before disclosure demonstrates how zero-day attacks can persist undetected in widely-used infrastructure.
Hosting providers and system administrators should prioritize immediate patching of affected systems. The PackageKit flaw’s 14-year lifespan underscores the importance of regular security audits for foundational components that may contain long-standing vulnerabilities.
For organizations using AI gateways like LiteLLM, the rapid post-disclosure exploitation emphasizes the need for automated patch management and proactive monitoring of security advisories.
FAQ
How can I check if my cPanel installation is vulnerable to CVE-2026-41940?
Any cPanel version after 11.40 is affected. Check your version in the cPanel interface under “Server Information” and apply the latest security update immediately if you’re running an affected version.
What should hosting providers do to protect against these vulnerabilities?
Hosting providers should immediately patch cPanel & WHM, audit PackageKit installations across Linux servers, and implement network-level blocking for unpatched systems. Monitor for unusual authentication attempts and privilege escalation activities.
Are there indicators of compromise for these attacks?
For cPanel attacks, look for unusual session file creation, failed login attempts followed by successful administrative access, and unauthorized configuration changes. PackageKit exploitation may show unexpected package installations or privilege escalation in system logs.
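The first cPanel indicator above (failed logins followed by a successful administrative login from the same source) as an added detection example, not tooling from cPanel or any vendor; the log layout, IP addresses and set of administrative accounts are constructed assumptions, so adapt the parser to your real authentication log.

```python
"""Added example (not from cPanel or any vendor tooling): flag a burst of
failed logins followed by a successful administrative login from the same
source. The log format below is constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines in a simplified "timestamp ip result user=<name>" layout.
SAMPLE_LOG = """\
2026-02-23T09:58:01 203.0.113.5 FAILED user=root
2026-02-23T09:58:03 203.0.113.5 FAILED user=root
2026-02-23T09:58:04 203.0.113.5 FAILED user=root
2026-02-23T09:58:09 203.0.113.5 SUCCESS user=root
2026-02-23T10:15:00 198.51.100.7 FAILED user=alice
2026-02-23T11:20:00 198.51.100.7 SUCCESS user=alice
2026-02-23T12:00:00 192.0.2.9 SUCCESS user=root
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (FAILED|SUCCESS) user=(\S+)$")
ADMIN_USERS = {"root"}  # assumption: which accounts count as administrative


def find_suspicious_logins(log_text, min_failures=2, window=timedelta(minutes=5)):
    """Return (ip, user, timestamp) for every admin SUCCESS that was preceded
    by at least `min_failures` FAILED entries from the same ip inside `window`."""
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines the parser does not understand
        ts = datetime.fromisoformat(m.group(1))
        ip, result, user = m.group(2), m.group(3), m.group(4)
        # Forget failures that are older than the correlation window.
        failures[ip] = [t for t in failures[ip] if ts - t <= window]
        if result == "FAILED":
            failures[ip].append(ts)
        elif user in ADMIN_USERS and len(failures[ip]) >= min_failures:
            hits.append((ip, user, m.group(1)))
            failures[ip].clear()  # report each burst once
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_LOG):
        print("suspicious admin login:", hit)
```

Stale failures outside the window (198.51.100.7 above) and admin logins with no prior failures (192.0.2.9) are deliberately not flagged, which keeps the rule focused on the sequence the IoC describes.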