CVE-2026-41940 Detail

Received

This CVE record has recently been published to the CVE List and has been included within the NVD dataset.

Description

cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD
N/A
NVD assessment not yet provided.

CNA: VulnCheck
CVSS-B 9.3 CRITICAL
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS 3.x Severity and Vector Strings:

CNA: VulnCheck
Base Score: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0 Severity and Vector Strings:

NIST: NVD
Base Score: N/A
NVD assessment not yet provided.

Weakness Enumeration

CWE-ID: CWE-306
CWE Name: Missing Authentication for Critical Function
Source: VulnCheck

Change History

3 change records found

CVE Modified by VulnCheck 4/29/2026 9:16:02 PM

Changed Description

Old Value: cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

New Value: cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

CVE Modified by CISA-ADP 4/29/2026 3:16:23 PM

Added Reference https://github.com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py

New CVE Received from VulnCheck 4/29/2026 12:16:25 PM

Added Description cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

Added CVSS V4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Added CWE CWE-306

Added Reference https://docs.cpanel.net/release-notes/release-notes

Added Reference https://docs.wpsquared.com/changelogs/versions/changelog/#13617

Added Reference https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026

Added Reference https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026

Added Reference https://www.vulncheck.com/advisories/cpanel-and-whm-authentication-bypass-via-login-flow

Quick Info

CVE Dictionary Entry: CVE-2026-41940
NVD Published Date: 04/29/2026
NVD Last Modified: 04/29/2026
Source: VulnCheck