Security Alert: Critical Authentication Bypass Vulnerability in cPanel

Coalition has notified policyholders about a critical vulnerability in cPanel that allows remote attackers to bypass authentication and gain root access on the WebHost Manager (WHM).
cPanel is one of the most widely deployed web hosting control panel platforms globally. Shodan Internet scans show approximately 1.5 million exposed cPanel instances.
With root-level access to WHM, attackers can access every website, database, and user account hosted on a particular server.
Following reports of active exploitation, cPanel released a fix. Given the severity of the vulnerability and the widespread use of cPanel/WHM, hosting providers are under pressure to patch as quickly as possible.
What’s happening?
WHM provides root-level administration of the server (account provisioning, SSL certificates and so on), while cPanel is the user-facing panel for individual hosting accounts. WHM/cPanel is ubiquitous across the internet; many consider it one of the most user-friendly web hosting management suites, and it serves nearly 70 million domains.
According to watchTowr Labs: “Think of it as the keys to the kingdom, and then the keys to every individual apartment inside the kingdom. If the kingdom was the Internet and the apartments were websites. For everything.”
The vulnerability, tracked as CVE-2026-41940, carries a CVSS score of 9.8 (critical), and there is speculation that it was exploited in the wild as early as February.
How should businesses address this?
Coalition recommends that all organizations running on-premises instances of cPanel and WHM patch immediately, following the vendor advisory. The fix is included in the following cPanel/WHM builds, one per release branch:
- 11.110.0.97
- 11.118.0.63
- 11.126.0.54
- 11.130.0.18
- 11.132.0.29
- 11.134.0.20
- 11.136.0.5
If you cannot update yet, block all inbound access to the cPanel and WHM services on the following TCP ports until the patch has been installed:
- 2083 (cPanel over HTTPS)
- 2087 (WHM over HTTPS)
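As an added example (not cPanel's or Coalition's own code), the following POSIX shell script turns the two recommendations above into a check and a stop-gap: it compares the installed build against the fixed build for its release branch, and, where the host is unpatched, emits host-firewall rules that drop inbound traffic to ports 2083 and 2087. It assumes the installed version can be read from /usr/local/cpanel/version and that iptables is the active host firewall; the admin network 203.0.113.0/24 in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not cPanel's or Coalition's tooling. Checks whether the installed
# cPanel/WHM build is at or above the fixed build for its branch and, if not, prints
# iptables rules that drop inbound TCP to the cPanel (2083) and WHM (2087) HTTPS ports.

# Fixed builds from the advisory, one per release branch.
PATCHED_VERSIONS="11.110.0.97 11.118.0.63 11.126.0.54 11.130.0.18 11.132.0.29 11.134.0.20 11.136.0.5"

# version_ge A B: exit 0 if dotted version A is >= B, comparing each numeric component.
version_ge() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 0
}

# fixed_build_for BRANCH: print the fixed build for a major.minor branch, else exit 1.
fixed_build_for() {
  for fixed in $PATCHED_VERSIONS; do
    case $fixed in "$1".*) printf '%s\n' "$fixed"; return 0 ;; esac
  done
  return 1
}

# cpanel_patch_status [VERSION]: exit 0 if patched, 1 if not, 2 if undeterminable.
# With no argument it reads /usr/local/cpanel/version (assumed location of the
# version file on a cPanel host).
cpanel_patch_status() {
  installed=$1
  [ -n "$installed" ] || installed=$(cat /usr/local/cpanel/version 2>/dev/null || true)
  if [ -z "$installed" ]; then
    echo "cannot determine installed cPanel version"; return 2
  fi
  branch=$(printf '%s' "$installed" | cut -d. -f1,2)   # 11.110.0.97 -> 11.110
  if fixed=$(fixed_build_for "$branch"); then
    if version_ge "$installed" "$fixed"; then
      echo "patched: $installed >= $fixed"; return 0
    fi
    echo "VULNERABLE: $installed < fixed build $fixed"; return 1
  fi
  echo "no fixed build listed for branch $branch; treat as unpatched"; return 1
}

# cpanel_panel_block_rules [ALLOW_CIDR]: print iptables commands that drop inbound TCP
# to 2083 and 2087. If a trusted admin network is given, an ACCEPT for it is inserted
# after the DROP so that it lands above the DROP in the chain (both use -I). Pipe the
# output to sh as root to apply; iptables is assumed to be the active host firewall.
cpanel_panel_block_rules() {
  allow=$1
  for port in 2083 2087; do
    printf 'iptables -I INPUT -p tcp --dport %s -j DROP\n' "$port"
    [ -n "$allow" ] && printf 'iptables -I INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$allow"
  done
  return 0
}

# Usage on the host itself:  sh check_cpanel.sh --run 203.0.113.0/24
# Prints the rules only when the installed build is not patched.
if [ "${1-}" = "--run" ]; then
  cpanel_patch_status || cpanel_panel_block_rules "${2-}"
fi
```

The version comparison is done component by component rather than with string comparison so that 11.136.0.5 correctly ranks above 11.136.0.4 and below 11.136.0.20; a branch with no listed fixed build is reported as unpatched rather than silently passed, which is the safe default for an actively exploited bug.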
Who’s at risk?
The vendor states that versions 11.40 and later are affected and that threat actors are actively exploiting them in the wild.
Many businesses have systems hosted with a web hosting provider and will rely on that provider to patch. Those businesses should contact their hosting provider directly and confirm that the patch has been applied.
How Coalition is responding
Coalition notified all impacted policyholders on April 29, 2026. We are working with policyholders to track progress from their web hosting providers to ensure they have applied the appropriate fix. We are also helping policyholders with on-premises instances remediate the issue.
Coalition policyholders can log in to Coalition Control® for the latest updates.
For assistance with mitigation, contact Coalition’s Security Support Center at securitysupport@coalitioninc.com.