A critical authentication bypass vulnerability in cPanel software has come under heavy exploitation from multiple threat actors, putting millions of websites at risk across tens of thousands of compromised instances. CVE-2026-41940, assigned a critical CVSS score of 9.8, affects all supported versions of cPanel, WebHost Manager (WHM), and WP Squared products.
According to Dark Reading, the vulnerability allows attackers to gain administrative access and take complete control of servers and hosted websites. KnownHost CEO Daniel Pearson confirmed on Reddit that the flaw had been exploited “at least for the last 30 days,” with attack attempts traced back to February 23.
Timeline of Discovery and Exploitation
The vulnerability disclosure and exploitation unfolded rapidly across a four-day period in late April. On April 28, cPanel issued a security update addressing the authentication bypass flaw affecting all supported product versions.
The next day, April 29, the vulnerability received its CVE identifier and critical severity rating. WatchTowr Labs published a proof-of-concept exploit alongside technical analysis, describing the flaw as a “disaster” vulnerability. Censys Internet scanning data showed the cPanel flaw came under attack from multiple threat actors within 24 hours of public disclosure.
KnownHost flagged CVE-2026-41940 as a zero-day vulnerability, reporting approximately 30 servers showing signs of attempted exploitation. This revelation suggests the vulnerability was being actively exploited before its public disclosure.
Linux Copy Fail Vulnerability Adds to Security Concerns
A separate critical Linux kernel vulnerability, CVE-2026-31431 dubbed “Copy Fail,” has also entered active exploitation. CISA added the flaw to its Known Exploited Vulnerabilities catalog on Friday, requiring federal agencies to patch within two weeks.
The Copy Fail vulnerability affects the kernel’s authentication AEAD template and has impacted all Linux distributions since 2017. According to Microsoft’s security analysis, successful exploitation leads to full root privilege escalation and could facilitate container breakout and lateral movement in shared environments.
Exploitation Characteristics
Microsoft reported observing limited in-the-wild exploitation, primarily surrounding proof-of-concept testing. However, the company warns that despite minimal current activity, the vulnerability has broad applicability with a working PoC exploit publicly available.
The flaw can be exploited by any local, unprivileged user and chained with SSH access, malicious CI jobs, or container access to achieve root shell access. Microsoft notes the vulnerability’s “reliability, stealth (in-memory-only modification), and cross-platform applicability” make it particularly dangerous in cloud, CI/CD, and Kubernetes environments.
Android and AI Security Vulnerabilities Surface
Google patched a critical remote code execution vulnerability in Android’s System component, tracked as CVE-2026-0073. According to Google’s security advisory, the flaw affects Android Debug Bridge daemon (adbd) and allows attackers to execute code as the shell user without additional privileges or user interaction.
Meanwhile, AI-focused security flaws emerged in Google’s Gemini CLI tool and Anthropic’s Claude Chrome extension. Pillar Security discovered a critical vulnerability in Gemini CLI with a perfect CVSS score of 10.0, which could enable supply chain attacks through indirect prompt injection in GitHub issues.
AI Agent Takeover Risks
LayerX security researchers identified “ClaudeBleed,” a vulnerability in Claude’s Chrome extension allowing attackers to take over the AI agent. The flaw combines lax permissions with poorly implemented origin trust, enabling any Chrome extension to run commands in Claude without proper verification.
The vulnerability allows attackers to perform remote prompt injection and control AI agent actions by creating malicious extensions with content scripts configured to run in the Main world execution context.
Patch Status and Vendor Response
cPanel addressed CVE-2026-41940 with security updates released on April 28, though the rapid exploitation timeline highlights the challenge of coordinated disclosure in today’s threat landscape. Google resolved the Gemini CLI vulnerability on April 24 in version 0.39.1, implementing proper tool allowlisting under yolo mode.
For the Copy Fail Linux vulnerability, patches are available through standard distribution channels, though the decade-long presence of the flaw in production systems complicates remediation efforts. CISA’s KEV listing mandates federal agency patching within two weeks of the May 3 addition date.
What This Means
The rapid exploitation of CVE-2026-41940 demonstrates how quickly threat actors can weaponize disclosed vulnerabilities, particularly those affecting widely-deployed infrastructure software like cPanel. The 24-hour window between disclosure and active exploitation represents a significant compression of the traditional vulnerability lifecycle.
The emergence of AI-specific vulnerabilities in Gemini CLI and Claude’s Chrome extension signals a new attack surface as AI tools become integrated into development workflows. These flaws highlight the need for security-first design in AI agent architectures, particularly around prompt injection and execution context validation.
Organizations should prioritize patching critical infrastructure components and implement defense-in-depth strategies that don’t rely solely on vendor patch timelines. The combination of traditional infrastructure vulnerabilities with emerging AI security risks creates a complex threat landscape requiring updated security frameworks.
FAQ
What makes CVE-2026-41940 particularly dangerous?
The cPanel vulnerability allows complete administrative takeover of web hosting servers without authentication, affecting millions of websites. Its critical 9.8 CVSS score reflects the ease of exploitation and potential for widespread impact across hosting infrastructure.
How long was the Copy Fail Linux vulnerability present before discovery?
CVE-2026-31431 existed undetected for almost a decade, affecting all Linux distributions since 2017. The vulnerability lurked in the kernel’s authentication AEAD template, allowing privilege escalation to root access.
Are AI security vulnerabilities becoming more common?
Yes, as AI tools integrate into development workflows and browser extensions, new attack vectors emerge. The Gemini CLI and Claude Chrome extension vulnerabilities demonstrate how prompt injection and execution context validation represent novel security challenges in AI systems.
