
CVE-2026-41940 cPanel Zero-Day Exploited for Months

Hackers exploited a critical authentication bypass vulnerability in cPanel & WHM for months before it was disclosed. CVE-2026-41940 carries a CVSS score of 9.8 and lets a remote, unauthenticated attacker obtain administrative access to the control panel, which on a hosting server amounts to complete system takeover. Roughly 1.5 million internet-accessible instances were exposed.

According to SecurityWeek, the vulnerability was disclosed on April 28, 2026, when cPanel urged immediate patching for all software versions after 11.40. A Reddit post by hosting provider KnownHost, however, revealed that the flaw had been actively exploited since February 23, 2026, more than two months before public disclosure.

How the cPanel Vulnerability Works

The bypass abuses how cPanel's login flow handles session files. WatchTowr's analysis found that a failed login attempt causes the cPanel service daemon to write a pre-authentication session file to disk, and that the contents of that file are shaped by request data the attacker controls.

The attacker manipulates cookie data so that attacker-controlled credentials are written into these files in plaintext. Specific characters injected through the Authorization header cause additional parameters to be written into the session file, and a subsequent request makes the daemon reload the file and authenticate with the injected credentials rather than with anything the real credential store knows about.

The attack sequence:

  • Trigger a failed login attempt
  • Manipulate cookie data to inject attacker-controlled credentials
  • Write malicious parameters to the session file
  • Reload the file to authenticate with injected credentials

Successful exploitation grants attackers control over the cPanel host system, its configurations, databases, and all managed websites. On shared hosting servers, this could compromise hundreds or thousands of websites simultaneously.
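
The mechanism described above, a pre-authentication session file built from request data into which extra parameters can be injected, is illustrated below with a toy session store. This is an added example, not cPanel's code or WatchTowr's proof of concept: the key=value file layout, the user and auth keys, the control-character filter and the credential store are all assumptions made for this page. The point is the two-part fix: refuse control characters in request data before it is persisted, and never derive authentication state from a file that an unauthenticated request can shape.

```python
"""Toy model of a pre-authentication session file built from request
data. Not cPanel's code: the file layout, the user/auth keys and the
credential store are assumptions made for this example.
"""
import os
import re
import tempfile

USERS = {"alice": "correct-horse"}            # constructed back-end store
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")      # newlines, NULs, etc.


def write_preauth_session_vulnerable(path, attempted_user):
    """Persist the failed attempt as key=value lines without filtering.

    A username carrying a newline becomes extra records in the file."""
    with open(path, "w") as fh:
        fh.write("auth=0\n")
        fh.write(f"user={attempted_user}\n")


def write_preauth_session_hardened(path, attempted_user):
    """Refuse control characters before request data touches the file."""
    if _CONTROL.search(attempted_user):
        raise ValueError("control characters in username")
    with open(path, "w") as fh:
        fh.write("auth=0\n")
        fh.write(f"user={attempted_user}\n")


def load_session(path):
    """Naive parser: later keys overwrite earlier ones."""
    session = {}
    with open(path) as fh:
        for line in fh:
            key, sep, value = line.rstrip("\n").partition("=")
            if sep:
                session[key] = value
    return session


def reload_trusting_file(path):
    """Vulnerable reload: the file itself says whether we are logged in."""
    session = load_session(path)
    return session.get("auth") == "1", session.get("user")


def reload_verifying_credentials(path, password):
    """Hardened reload: the file only names the user; the password is
    checked against the real store, so injected fields buy nothing."""
    session = load_session(path)
    user = session.get("user")
    return USERS.get(user) == password, user


def demo():
    """Attacker-controlled value with an embedded newline that appends
    an auth=1 record. Returns the outcome of each variant."""
    payload = "alice\nauth=1"                  # constructed injection
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "preauth.session")

        write_preauth_session_vulnerable(path, payload)
        vulnerable_bypass = reload_trusting_file(path)[0]

        try:
            write_preauth_session_hardened(path, payload)
            hardened_writes_payload = True
        except ValueError:
            hardened_writes_payload = False

        # Even with the poisoned file on disk, re-verifying credentials
        # rejects an attacker who does not know alice's password.
        poisoned_but_verified = reload_verifying_credentials(path, "guess")[0]

        write_preauth_session_hardened(path, "alice")
        legitimate_login = reload_verifying_credentials(path, "correct-horse")[0]

    return {
        "vulnerable_bypass": vulnerable_bypass,
        "hardened_writes_payload": hardened_writes_payload,
        "poisoned_file_with_verification": poisoned_but_verified,
        "legitimate_login": legitimate_login,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The vulnerable path writes auth=0 and then the attempted username; because the username is not filtered, a newline in it appends a second auth record that the last-key-wins parser trusts. Filtering control characters closes the injection, but the more durable fix is the second reload variant, which treats the file as a session identifier only and re-checks the password against the real store.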

Mass Exploitation Targets Shared Hosting

A Shodan search conducted by Rapid7 identified approximately 1.5 million internet-accessible cPanel instances potentially vulnerable to attack. The Canadian Centre for Cyber Security warned that successful exploitation could allow attackers to modify server configurations and compromise all websites on shared hosting platforms.

Major hosting providers responded immediately after notification. KnownHost, HostPapa, InMotion, and Namecheap blocked access to cPanel & WHM interfaces while deploying patches. The widespread nature of cPanel deployments across shared hosting environments amplified the potential impact.

Industry Response Timeline

  • February 23, 2026: First confirmed exploitation in the wild
  • April 28, 2026: Public disclosure and patch release
  • Same day: Major hosting providers implement access restrictions

Additional Critical Vulnerabilities Surface

Several other high-severity vulnerabilities emerged at the same time across different platforms. CVE-2026-41651, dubbed “Pack2TheRoot,” affects PackageKit, the package-management abstraction layer used by many Linux desktops, and carries a CVSS score of 8.1.

Deutsche Telekom’s Red Team discovered this time-of-check time-of-use (TOCTOU) race condition that allows unprivileged users to install arbitrary RPM packages with root privileges. The vulnerability impacts PackageKit versions 1.0.2 to 1.3.4, potentially affecting installations up to 14 years old.

Confirmed affected distributions include Ubuntu Desktop 18.04-26.04, Ubuntu Server 22.04-24.04, Debian Desktop Trixie 13.4, RockyLinux Desktop 10.1, and Fedora 43. The flaw is “reliably exploitable in seconds” according to researchers.
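
The bug class behind Pack2TheRoot, a check performed on a path and a use performed later on the same path, is shown below with a hypothetical installer that validates a package header and then reads the package. This is an added example and not PackageKit's code or the CVE-2026-41651 exploit: the RPM magic bytes, the file names and the attacker's rename are constructed for this page. The hardened version opens the file once and performs both the check and the use on the same descriptor, so replacing the path afterwards changes nothing.

```python
"""Hypothetical installer showing a time-of-check/time-of-use race.

Not PackageKit's code: the MAGIC header, file names and the attacker's
rename are constructed for this example.
"""
import os
import tempfile

MAGIC = b"RPM\x00"  # hypothetical "this is a valid package" check


def install_vulnerable(path, race):
    """Check the package by path, then open the path again to use it."""
    with open(path, "rb") as fh:               # time of check
        if fh.read(len(MAGIC)) != MAGIC:
            raise ValueError("not a package")
    race()                                     # attacker wins the window
    with open(path, "rb") as fh:               # time of use, re-resolved
        return fh.read()


def install_hardened(path, race):
    """Open once; check and use the same descriptor."""
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)  # refuse symlinks
    fd = os.open(path, flags)
    with os.fdopen(fd, "rb") as fh:
        if fh.read(len(MAGIC)) != MAGIC:        # time of check, on the fd
            raise ValueError("not a package")
        race()                                 # same window, now harmless
        fh.seek(0)
        payload = fh.read()                    # time of use, same inode
        # Optional tripwire: the path no longer names the file we hold.
        swapped = os.stat(path).st_ino != os.fstat(fh.fileno()).st_ino
    return payload, swapped


def demo():
    """Run both installers against an attacker who replaces the package
    between check and use. Returns what each installer consumed."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "pkg.rpm")
        evil = os.path.join(d, "evil.rpm")

        def reset():
            with open(target, "wb") as fh:
                fh.write(MAGIC + b"trusted-payload")
            with open(evil, "wb") as fh:
                fh.write(b"EVIL")               # no magic header

        def race():
            os.replace(evil, target)           # atomic rename over target

        reset()
        consumed_vulnerable = install_vulnerable(target, race)
        reset()
        consumed_hardened, swapped = install_hardened(target, race)
    return consumed_vulnerable, consumed_hardened, swapped


if __name__ == "__main__":
    print(demo())
```

The race here is simulated by calling the attacker's rename deterministically between check and use; in a real privileged service the window is a scheduling gap that an unprivileged process wins by retrying. The descriptor-based version keeps the original inode open, so the rename cannot change what is read, and the inode comparison at the end shows how to notice that the path has been swapped under you.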

AI Platform Vulnerabilities Exploited Rapidly

LiteLLM, an open-source AI gateway, saw CVE-2026-42208 exploited just 36 hours after public disclosure. Sysdig reported that this SQL injection vulnerability, rated CVSS 9.3, sits in the proxy's API key verification path.

An unauthenticated attacker can supply a crafted Authorization header whose value reaches a database query through an error-handling path, turning key verification itself into the injection point. Observed attacks targeted three tables holding API keys, provider credentials, and environment configuration.

Attack characteristics observed:

  • Automated tool usage with IP rotation
  • 21-minute intervals between attacks
  • Textbook column-count discovery techniques
  • Knowledge of Prisma-generated PostgreSQL identifier casing
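
As an added illustration of the pattern Sysdig describes, the following example (not LiteLLM's code; the tables ProxyKey and ProviderCredential, their rows, the SQLite backend and the detector regex are constructed for this page) builds the key-verification query from the Authorization header, runs the column-count probe the attackers used, reads a second table through the injected UNION, and shows the same lookup with a bound parameter, against which the probe never succeeds. The quoted mixed-case table names mirror the Prisma casing point: once an identifier is quoted, the attacker has to match its case exactly.

```python
"""SQL injection through a key-verification lookup that interpolates the
Authorization header into its query. Not LiteLLM's code: the tables,
rows, SQLite backend and detector regex are constructed for this page.
"""
import re
import sqlite3

# Quoted, mixed-case identifiers in the style Prisma generates; with
# quoting, "ProxyKey" and "proxykey" are different names, so an attacker
# who wants to read them has to know the exact casing.
SCHEMA = """
CREATE TABLE "ProxyKey" (token TEXT PRIMARY KEY, owner TEXT);
CREATE TABLE "ProviderCredential" (provider TEXT, secret TEXT);
INSERT INTO "ProxyKey" VALUES ('sk-valid-123', 'alice');
INSERT INTO "ProviderCredential" VALUES ('openai', 'sk-provider-SECRET');
"""


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def bearer_token(authorization):
    """Strip a 'Bearer ' prefix and nothing else (the weak spot)."""
    scheme, sep, token = authorization.partition(" ")
    return token if sep else scheme


def verify_key_vulnerable(conn, authorization):
    """String-built query: the header value is parsed as SQL."""
    token = bearer_token(authorization)
    sql = f"SELECT token, owner FROM \"ProxyKey\" WHERE token = '{token}'"
    return conn.execute(sql).fetchall()


def verify_key_hardened(conn, authorization):
    """Same lookup with a bound parameter: the value is never parsed."""
    token = bearer_token(authorization)
    sql = 'SELECT token, owner FROM "ProxyKey" WHERE token = ?'
    return conn.execute(sql, (token,)).fetchall()


def discover_column_count(conn, lookup, max_cols=8):
    """Textbook probe: UNION SELECT NULL,... widened until the database
    stops complaining about a column-count mismatch and returns a row."""
    for n in range(1, max_cols + 1):
        nulls = ",".join(["NULL"] * n)
        try:
            rows = lookup(conn, f"Bearer x' UNION SELECT {nulls}--")
        except sqlite3.Error:
            continue                           # wrong width, keep going
        if rows:
            return n
    return None


def dump_provider_secrets(conn, lookup, ncols):
    """Pad the injected SELECT to the discovered width and read another
    table through the key-verification query."""
    cols = ", ".join(["provider", "secret"] + ["NULL"] * (ncols - 2))
    header = f"Bearer x' UNION SELECT {cols} FROM \"ProviderCredential\"--"
    return [(r[0], r[1]) for r in lookup(conn, header) if r[0] is not None]


PROBE = re.compile(r"'\s*union\s+select\b", re.IGNORECASE)


def flag_probes(authorization_values):
    """Crude detector over observed Authorization header values."""
    return [v for v in authorization_values if PROBE.search(v)]


def demo():
    conn = new_db()
    width = discover_column_count(conn, verify_key_vulnerable)
    leaked = dump_provider_secrets(conn, verify_key_vulnerable, width)
    still_valid = verify_key_vulnerable(conn, "Bearer sk-valid-123")
    hardened_width = discover_column_count(conn, verify_key_hardened)
    hardened_valid = verify_key_hardened(conn, "Bearer sk-valid-123")
    # Constructed sample of header values a proxy might log.
    flagged = flag_probes([
        "Bearer sk-valid-123",
        "Bearer x' UNION SELECT NULL,NULL--",
        "Bearer x' union select provider, secret FROM \"ProviderCredential\"--",
    ])
    return width, leaked, still_valid, hardened_width, hardened_valid, len(flagged)


if __name__ == "__main__":
    print(demo())
```

Against PostgreSQL the mismatch error text differs and the attacker sees it only if the error-handling path echoes it, but the probe itself is identical: widen the NULL list until the query stops failing, then replace the NULLs with the columns you want. The bound-parameter variant never raises and never returns a row for the probe, which is why discovery returns None against it, and the regex is deliberately narrow so that it can be dropped into proxy access-log review without flooding it.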

GitHub also addressed CVE-2026-3854, a critical remote code execution vulnerability discovered by Wiz using AI analysis. This injection flaw in GitHub’s internal protocol allowed authenticated users to execute arbitrary commands on backend servers with a single git push command.

What This Means

The cPanel zero-day represents a significant risk to the web hosting supply chain, since one control panel compromise on a shared host exposes every tenant site on that server. The two-month exploitation window before disclosure highlights how hard it is to detect an authentication bypass that produces what look like ordinary successful logins.

The rapid exploitation of LiteLLM within 36 hours of disclosure demonstrates how quickly threat actors can weaponize public vulnerability information. This compressed timeline between disclosure and exploitation is becoming increasingly common as automated scanning tools proliferate.

Organizations using affected platforms should prioritize immediate patching and implement additional monitoring for authentication anomalies. The targeting of AI infrastructure through LiteLLM suggests expanding attack surfaces as AI adoption accelerates across enterprise environments.

FAQ

How can I check if my cPanel installation is vulnerable?
Check your cPanel version (on the server it is recorded in /usr/local/cpanel/version); all versions after 11.40 are affected by CVE-2026-41940. Update immediately to the patched release published on April 28, 2026. Until the update is applied, restrict access to the cPanel and WHM interfaces (by default ports 2082/2083 and 2086/2087) to trusted networks, as the major hosts did, and review authentication logs for suspicious activity.

What makes the Pack2TheRoot Linux vulnerability so dangerous?
CVE-2026-41651 allows any unprivileged user to install packages with root privileges without authentication. It’s easily exploitable in seconds and potentially affects 14 years of PackageKit installations across multiple Linux distributions.

Should I be concerned about the GitHub vulnerability?
GitHub has confirmed CVE-2026-3854 was not exploited in the wild and patches were deployed the same day as disclosure. However, any user with push access could have executed arbitrary commands on shared storage nodes containing millions of repositories.

Sources

Digital Mind News

Digital Mind News is an AI-operated newsroom. Every article here is synthesized from multiple trusted external sources by our automated pipeline, then checked before publication. We disclose our AI authorship openly because transparency is part of the product.