Hackers have been exploiting a critical authentication bypass vulnerability in cPanel & WHM for months, with the zero-day attack campaign beginning February 23, 2026. The flaw, tracked as CVE-2026-41940 with a CVSS score of 9.8, affects all cPanel versions after 11.40 and allows remote, unauthenticated attackers to gain administrative control over web hosting servers.
SecurityWeek reported that cPanel disclosed the vulnerability on April 28, urging immediate patching while warning that approximately 1.5 million internet-accessible cPanel instances remain exposed according to Shodan searches.
How the cPanel Vulnerability Works
The authentication bypass exploits a flaw in cPanel's login flow: a failed authentication attempt still writes a pre-authentication session file to disk, and according to watchTowr's analysis, attackers can manipulate cookies so that credentials they control end up in that file.
The attack sequence involves injecting specific characters via authorization headers to write parameters to the session file, then triggering a reload to authenticate using the injected credentials. This grants attackers complete control over the cPanel host system, its configurations, databases, and all managed websites.
Rapid7 noted that successful exploitation of CVE-2026-41940 essentially leads to system takeover, with the Canadian Centre for Cyber Security warning that attackers could modify server configurations and compromise all websites on shared hosting servers.
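The following is an added, constructed model of the vulnerability class described above (an attacker-controlled request field written unescaped into a pre-authentication session file that is later trusted on reload). It is not cPanel's code and does not reproduce the CVE-2026-41940 exploit: the key=value file layout, the key names, and the use of a newline as the injected delimiter are assumptions for illustration; the page does not say which characters the real attack injects.

```python
"""
Constructed model: a pre-auth session file written from a Basic Authorization
header, then reloaded and trusted. Not cPanel's code; layout and key names are
assumptions for illustration.
"""
from __future__ import annotations

import base64
import os
import tempfile


def basic_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth(header: str) -> tuple[str, str]:
    """Split an HTTP Basic Authorization header into (user, password)."""
    scheme, _, b64 = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("unsupported scheme")
    decoded = base64.b64decode(b64).decode("utf-8", "replace")
    user, _, password = decoded.partition(":")
    return user, password


def write_session_vulnerable(path: str, user: str) -> None:
    """Vulnerable: the caller-supplied username is written verbatim. A newline
    inside it ends the 'user' record and starts attacker-chosen records."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("authenticated=0\n")
        fh.write(f"user={user}\n")


def write_session_hardened(path: str, user: str) -> None:
    """Hardened: refuse any record/field delimiter or control character before
    it reaches the file. (A structured serializer such as JSON would be the
    more robust fix; validation is shown here to keep the model short.)"""
    if any(c in user for c in "\r\n\0=") or not user.isprintable():
        raise ValueError("username contains a delimiter or control character")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("authenticated=0\n")
        fh.write(f"user={user}\n")


def read_session(path: str) -> dict[str, str]:
    """The 'reload' step: trusts every key=value record on disk, last one wins."""
    session: dict[str, str] = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            key, _, value = line.rstrip("\n").partition("=")
            session[key] = value
    return session


def login_state(writer, header: str) -> dict[str, str]:
    """Run one pre-auth request through `writer`, then reload the session."""
    user, _password = parse_basic_auth(header)
    fd, path = tempfile.mkstemp(prefix="sess_")
    os.close(fd)
    try:
        writer(path, user)
        return read_session(path)
    finally:
        os.unlink(path)


# Constructed attacker input: the "username" carries a newline followed by a
# record the reloader will trust (assumed key name).
MALICIOUS_USER = "guest\nauthenticated=1"
MALICIOUS_HEADER = basic_header(MALICIOUS_USER, "x")

if __name__ == "__main__":
    print("vulnerable:", login_state(write_session_vulnerable, MALICIOUS_HEADER))
    try:
        login_state(write_session_hardened, MALICIOUS_HEADER)
    except ValueError as exc:
        print("hardened rejected request:", exc)
```

The point of the model is that the file format itself carries authority: once a request field can emit a record delimiter, the reloader cannot tell an injected record from one the server wrote.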
Pack2TheRoot Threatens Linux Systems
A separate high-severity vulnerability dubbed "Pack2TheRoot" allows unprivileged Linux users to install packages with root privileges. CVE-2026-41651, scoring 8.1 on CVSS, affects the PackageKit cross-distribution package management layer through a time-of-check/time-of-use (TOCTOU) race condition.
Deutsche Telekom's Red Team, which discovered the flaw, confirmed it in PackageKit versions 1.0.2 through 1.3.4, though the bug has likely been present since version 0.8.1, released 14 years ago. Affected distributions include Ubuntu Desktop 18.04-26.04, Ubuntu Server 22.04-24.04, Debian Desktop Trixie 13.4, RockyLinux Desktop 10.1, and Fedora 43.
The race lets an unprivileged user corrupt a transaction's flags so that the authorization check is bypassed, after which arbitrary RPM packages can be installed as root without authentication.
AI Gateway Hit by SQL Injection Zero-Day
Cybercriminals exploited a critical SQL injection vulnerability in the open source AI gateway LiteLLM just 36 hours after public disclosure. CVE-2026-42208, with a CVSS score of 9.3, affects the proxy API key verification process and allows unauthenticated attackers to access database tables.
Sysdig reported that LiteLLM's maintainers disclosed the flaw on April 20, explaining that the database queries run during key verification did not parameterize caller-supplied values. An attacker can send a specially crafted Authorization header to any LLM API route and read the results of the injected query back through the proxy's error-handling path.
The attacks, observed on April 26, specifically targeted three database tables containing API keys, provider credentials, and environment variable configurations. Despite that targeting, no follow-on activity was observed, and the extracted credentials have not been seen abused.
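The following is an added, constructed model of the bug class described for CVE-2026-42208: a proxy that looks up the bearer token from the Authorization header with a string-built SQL query and echoes a looked-up value in its error response, beside the parameterized fix. It is not LiteLLM's code; the schema, table names, the team check, and the error messages are assumptions, and an in-memory SQLite database stands in for the real backend so it runs offline.

```python
"""
Constructed model of a key-verification SQL injection and its fix.
Not LiteLLM's code; schema, names and error handling are assumptions.
"""
from __future__ import annotations

import sqlite3

ALLOWED_TEAMS = {"blue-team"}

# Constructed attacker token: closes the string literal, unions in a value
# from another table, and comments out the rest of the query.
PAYLOAD = "' UNION SELECT secret FROM provider_creds--"


def build_db() -> sqlite3.Connection:
    """Constructed schema: a key table plus a table of provider credentials
    that a caller presenting a key should never be able to read."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE virtual_keys (token TEXT PRIMARY KEY, team TEXT);
        CREATE TABLE provider_creds (provider TEXT, secret TEXT);
        INSERT INTO virtual_keys VALUES ('sk-valid-123', 'blue-team');
        INSERT INTO provider_creds VALUES ('openai', 'sk-live-SECRET');
        """
    )
    return db


def bearer_token(authorization: str) -> str:
    """Extract the token from 'Bearer <token>'."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("expected Bearer scheme")
    return token


def verify_key_vulnerable(db: sqlite3.Connection, authorization: str) -> dict:
    """Vulnerable: the token is spliced into the SQL text, and both error
    branches echo data back to the caller."""
    token = bearer_token(authorization)
    try:
        row = db.execute(
            f"SELECT team FROM virtual_keys WHERE token = '{token}'"
        ).fetchone()
    except sqlite3.Error as exc:
        return {"status": 500, "error": str(exc)}
    if row is None:
        return {"status": 401, "error": "invalid key"}
    team = row[0]
    if team not in ALLOWED_TEAMS:
        # Error path leaks whatever the (possibly injected) query returned.
        return {"status": 403, "error": f"team '{team}' is not allowed"}
    return {"status": 200, "team": team}


def verify_key_hardened(db: sqlite3.Connection, authorization: str) -> dict:
    """Hardened: the token is bound as a parameter so it is only ever compared
    as data, and error responses carry no database-derived content."""
    token = bearer_token(authorization)
    try:
        row = db.execute(
            "SELECT team FROM virtual_keys WHERE token = ?", (token,)
        ).fetchone()
    except sqlite3.Error:
        return {"status": 500, "error": "internal error"}
    if row is None:
        return {"status": 401, "error": "invalid key"}
    team = row[0]
    if team not in ALLOWED_TEAMS:
        return {"status": 403, "error": "team not allowed"}
    return {"status": 200, "team": team}


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable:", verify_key_vulnerable(conn, "Bearer " + PAYLOAD))
    print("hardened:  ", verify_key_hardened(conn, "Bearer " + PAYLOAD))
    print("valid key: ", verify_key_hardened(conn, "Bearer sk-valid-123"))
```

Against the vulnerable handler the injected UNION makes the lookup "succeed" with the provider secret in place of a team name, and the 403 error message carries it out; the hardened handler sees the same bytes as a token that matches nothing.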
GitHub Infrastructure Vulnerability Exposed Millions
Cloud security firm Wiz discovered a critical remote code execution vulnerability in GitHub's internal Git infrastructure that put millions of repositories at risk. CVE-2026-3854 affected both GitHub Enterprise Server and GitHub.com, and allowed any authenticated user to execute arbitrary commands with a single git push.
According to Wiz, the bug was an injection flaw in a GitHub-internal protocol, reachable with a standard git client. On GitHub Enterprise Server, an attacker could fully compromise the server and access every repository and internal secret on it. On GitHub.com, the flaw enabled remote code execution on shared storage nodes holding millions of public and private repositories.
GitHub quickly addressed the vulnerability after Wiz reported it on March 4, deploying a fix to GitHub.com the same day. The company’s forensic investigation found no evidence of exploitation in the wild.
Robinhood Account Creation Abused for Phishing
Investing platform Robinhood confirmed that cybercriminals abused a weakness in its account creation process to send legitimate-looking phishing emails. The attack leveraged Gmail's "dot trick": Gmail ignores periods in the local part of an address, so j.ohn.doe@gmail.com and johndoe@gmail.com are the same inbox, but Robinhood treated each variant as a distinct account, and notifications for a newly created account land in the inbox of whoever owns the underlying Gmail address.
Attackers created new Robinhood accounts using such modified Gmail addresses and injected malicious HTML into the device name field during signup. This triggered legitimate "recent login" notification emails from Robinhood that rendered the unsanitized HTML, embedding clickable phishing links in messages that passed email authentication checks because they genuinely came from Robinhood's mail systems.
Robinhood stated the emails originated from a legitimate Robinhood sender address with the subject line "Your recent login to Robinhood." The company emphasized this was not a breach of its systems or of customer accounts, and that personal information and funds were not impacted.
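The following is an added, constructed model of the two weaknesses in the Robinhood case: a signup that compares raw address strings rather than the form Gmail actually delivers to, and a notification template that interpolates the device name without HTML escaping. It is not Robinhood's code; the canonicalization rule, the template, the sample addresses, and the attacker's device name are assumptions.

```python
"""
Constructed model: Gmail-aware address canonicalization for duplicate
detection at signup, and a login-notification template rendered with and
without output escaping. Not Robinhood's code; all names are assumptions.
"""
from __future__ import annotations

import html

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Collapse the variants Gmail delivers to one inbox: lowercase, dots in
    the local part ignored, '+tag' suffix dropped, googlemail.com folded into
    gmail.com. Other domains are only lowercased, because dot-insensitivity
    is a Gmail rule, not an email standard."""
    local, _, domain = address.strip().rpartition("@")
    local, domain = local.lower(), domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def signup_is_duplicate(new_address: str, existing: set[str]) -> bool:
    """Compare canonical forms, not raw strings, at account creation."""
    return canonical_email(new_address) in {canonical_email(e) for e in existing}


TEMPLATE = (
    "<p>We noticed a new login to your account from "
    "<strong>{device}</strong>. If this wasn't you, secure your account.</p>"
)


def render_login_email_vulnerable(device_name: str) -> str:
    """Vulnerable: the user-supplied device name is dropped straight into HTML."""
    return TEMPLATE.format(device=device_name)


def render_login_email_hardened(device_name: str) -> str:
    """Hardened: escape on output (quote=True also neutralises attribute
    contexts) and cap the length so the field cannot carry a whole page."""
    return TEMPLATE.format(device=html.escape(device_name[:64], quote=True))


# Constructed attacker input: a "device name" that is really a phishing link.
PHISHING_DEVICE = '<a href="https://example.invalid/login">Verify your account</a>'

if __name__ == "__main__":
    print(signup_is_duplicate("jo.hn.doe+rh@googlemail.com", {"johndoe@gmail.com"}))
    print(render_login_email_vulnerable(PHISHING_DEVICE))
    print(render_login_email_hardened(PHISHING_DEVICE))
```

Escaping at the point of rendering is the fix that closes the phishing channel; canonicalizing at signup removes the reason the dot trick was useful in the first place.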
What This Means
These vulnerabilities highlight the persistent challenge of zero-day exploitation across critical infrastructure components. The cPanel attack demonstrates how authentication bypass flaws can remain undetected for months, potentially affecting millions of web hosting customers worldwide.
The rapid exploitation of LiteLLM’s SQL injection vulnerability within 36 hours of disclosure shows how quickly threat actors monitor and weaponize newly published CVEs. Organizations deploying AI gateways and similar infrastructure must implement emergency patching procedures.
The GitHub vulnerability underscores risks in shared infrastructure environments where a single flaw can expose millions of repositories. While authentication requirements may seem to limit exposure, the ease of exploitation using standard tools makes such vulnerabilities particularly dangerous.
FAQ
What makes CVE-2026-41940 so dangerous for web hosting providers?
The vulnerability allows completely unauthenticated attackers to gain administrative control over cPanel servers, potentially compromising all websites hosted on shared servers. With 1.5 million exposed instances and active exploitation since February, the attack surface is massive.
How can organizations protect against Pack2TheRoot attacks?
Update PackageKit to the latest patched version immediately. Organizations should also review user privileges and implement additional access controls around package installation, especially in multi-user environments where privilege escalation poses significant risks.
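As an added helper for the Pack2TheRoot section above and this FAQ answer, the following checks whether an installed PackageKit falls inside the range the Deutsche Telekom Red Team confirmed affected (1.0.2 through 1.3.4). It is not PackageKit or distribution code; the dpkg/rpm query commands, the package names ("packagekit" on Debian/Ubuntu, "PackageKit" on Fedora/RHEL derivatives) and the version parsing are assumptions. Because the page says the bug likely dates back to 0.8.1, a version below 1.0.2 is reported as possibly affected rather than safe.

```python
"""
Added check: classify an installed PackageKit version against the range the
page reports as confirmed affected. Not project code; commands are assumptions.
"""
from __future__ import annotations

import re
import shutil
import subprocess

CONFIRMED_LOW, CONFIRMED_HIGH = (1, 0, 2), (1, 3, 4)   # confirmed affected
SUSPECTED_LOW = (0, 8, 1)                               # "likely since" version


def parse_version(raw: str) -> tuple[int, ...]:
    """Reduce a distro version string such as '1.2.8-2ubuntu1' or
    '1.3.2-1.fc43' to the upstream numeric tuple, e.g. (1, 2, 8)."""
    upstream = raw.strip().split("-", 1)[0]   # drop the packaging revision
    m = re.match(r"^(\d+(?:\.\d+)*)", upstream)
    if not m:
        raise ValueError(f"unparseable version: {raw!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def classify(raw: str) -> str:
    """Map a version string to one of three verdicts."""
    v = parse_version(raw)
    if CONFIRMED_LOW <= v <= CONFIRMED_HIGH:
        return "affected"
    if SUSPECTED_LOW <= v < CONFIRMED_LOW:
        return "possibly affected"
    return "outside confirmed range"


def installed_packagekit_version() -> str | None:
    """Ask whichever package manager is present for the installed version.
    Returns None when neither dpkg nor rpm knows the package."""
    queries = [
        ["dpkg-query", "-W", "-f=${Version}", "packagekit"],
        ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "PackageKit"],
    ]
    for cmd in queries:
        if shutil.which(cmd[0]) is None:
            continue
        result = subprocess.run(cmd, capture_output=True, text=True)
        if result.returncode == 0 and result.stdout.strip():
            return result.stdout.strip()
    return None


if __name__ == "__main__":
    raw = installed_packagekit_version()
    if raw is None:
        print("PackageKit not found via dpkg or rpm")
    else:
        print(f"PackageKit {raw}: {classify(raw)}")
```

"Outside confirmed range" for a version above 1.3.4 only means it is not in the range the page reports; consult your distribution's advisory for the actual fixed build.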
Why are AI infrastructure vulnerabilities particularly concerning?
AI gateways like LiteLLM often handle sensitive API keys and credentials for multiple AI services. A single SQL injection can expose authentication tokens for numerous downstream services, creating a cascade of potential compromises across an organization’s AI infrastructure.
Sources
- Critical cPanel & WHM Vulnerability Exploited as Zero-Day for Months – SecurityWeek
- Easily Exploitable ‘Pack2TheRoot’ Linux Vulnerability Leads to Root Access – SecurityWeek
- Fresh LiteLLM Vulnerability Exploited Shortly After Disclosure – SecurityWeek
- Critical GitHub Vulnerability Exposed Millions of Repositories – SecurityWeek
- Robinhood Vulnerability Exploited for Phishing Attacks – SecurityWeek