A new cPanel bug let attackers walk into 70 million websites without a password

The flaw was already being exploited before cPanel could ship the fix. Hosting providers cut access to admin ports while the patch rolled out — and the rest of the internet has been quietly catching up.
Susan Hill

A critical authentication bypass in cPanel and WHM let attackers walk through the front door of any internet-facing control panel without needing a username or password. The flaw, tracked as CVE-2026-41940 with a CVSS score of 9.8 out of 10, affects every supported version of the software, which manages roughly 70 million domains worldwide. Hosting researchers say active exploits were already running in the wild when the emergency patch dropped — meaning the question for many web hosts is no longer whether their servers are vulnerable, but whether they were already breached before they could update.

The vulnerability sits in cPanel’s session-loading and saving logic, internally tracked as CPANEL-52908. In plain terms, an attacker could send a malformed login request that handed them session credentials for an account they had never authenticated as, including, in the worst cases, root-level access to WHM, the server-side dashboard that controls hosted accounts, mail routing, SSL certificates, and database services. Patched builds were issued for six release branches: 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5; a server on one of those branches but below the listed build is still vulnerable. Servers still running end-of-life cPanel versions will not receive a patch at all and should be treated as actively compromised.

cPanel is the standard control panel layer for shared hosting infrastructure across most of the consumer web. A successful breach against a single cPanel server can cascade across thousands of downstream sites — every domain hosted on that machine, plus its email, databases, and customer files. The watchTowr Labs research team described the affected systems as the management plane of a significant part of the internet, and one provider, KnownHost, confirmed exploitation was already occurring in the wild before any disclosure was published.

Namecheap, one of the largest reseller hosts on the platform, took the unusual step of temporarily blocking access to ports 2083 and 2087, the cPanel and WHM web entry points, for all its customers while the fix was being deployed. By the time the rollout reached the company’s Reseller and Stellar Business fleets, those ports had been unreachable from the outside for several hours. Other large providers issued similar advisories, most recommending that customers run /scripts/upcp --force as root to pull the update immediately rather than wait for the automated maintenance window.

There are caveats to the panic. cPanel itself has not published deep technical detail about the vulnerability — most of the public analysis comes from third-party researchers reverse-engineering the patch, which means the precise exploitation requirements remain partially shrouded. The “70 million domains” figure is a long-standing industry estimate from cPanel’s own marketing materials and includes shared hosting accounts where one control panel server handles thousands of websites; the count of affected unique servers is much smaller. And while exploitation was confirmed before the patch, no large public-facing breach attributed to this CVE has yet been disclosed — that may change in the coming weeks as forensic investigations close, or it may not.

The episode fits a pattern security researchers have flagged repeatedly: the consumer-hosting management layer is one of the highest-value, lowest-scrutiny targets on the internet. A flaw in a single control panel component can hand an attacker keys to thousands of low-defended small business and personal sites simultaneously, with no exotic exploitation chain required. Authentication bypass bugs in cPanel-class software are highly sought after on dark markets, and the lag between disclosure and full patch coverage tends to be measured in weeks for unmanaged independent servers — long after the public news cycle has moved on.

cPanel released the emergency patches on April 28, with Namecheap and other major providers completing rollouts in the early hours of April 29. Server operators running cPanel or WHM should verify they are on one of the patched build numbers immediately, and treat any server that ran an unpatched version exposed to the internet in the days before the patch as potentially compromised. cPanel has not committed to a public post-incident report.
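One way to do that verification, covering both the build numbers listed earlier and the /scripts/upcp --force advice from the providers: the script below is an added example written for this article, not a tool cPanel or any hosting provider ships. It assumes the installed version string lives in /usr/local/cpanel/version (the file cPanel writes it to) or is passed on the command line, compares the branch and build against the six patched builds reported above, and tells the operator whether to force the update. The status labels are the script's own.

```shell
#!/bin/sh
# Added example (not cPanel's own tooling): compare an installed cPanel/WHM
# version against the patched builds reported for CVE-2026-41940.

# Patched builds per release branch, as listed in the article.
PATCHED_BUILDS="11.110.0.97 11.118.0.63 11.126.0.54 11.132.0.29 11.134.0.20 11.136.0.5"

# Print one of: patched | vulnerable | no-patch-for-branch | unparseable
# for a version string such as 11.118.0.61 (major.branch.minor.build).
cpanel_patch_status() {
    version="$1"
    v_branch=$(printf '%s' "$version" | cut -d. -f1,2)   # e.g. 11.118
    v_minor=$(printf '%s' "$version" | cut -d. -f3)      # e.g. 0
    v_build=$(printf '%s' "$version" | cut -d. -f4)      # e.g. 61

    # Minor and build must both be plain integers, or we cannot compare.
    case "$v_minor$v_build" in
        ""|*[!0-9]*) echo "unparseable"; return 0 ;;
    esac

    for fixed in $PATCHED_BUILDS; do
        f_branch=$(printf '%s' "$fixed" | cut -d. -f1,2)
        [ "$f_branch" = "$v_branch" ] || continue
        f_minor=$(printf '%s' "$fixed" | cut -d. -f3)
        f_build=$(printf '%s' "$fixed" | cut -d. -f4)
        # Same branch: patched if the installed minor.build is at or past the fix.
        if [ "$v_minor" -gt "$f_minor" ] || \
           { [ "$v_minor" -eq "$f_minor" ] && [ "$v_build" -ge "$f_build" ]; }; then
            echo "patched"
        else
            echo "vulnerable"
        fi
        return 0
    done

    # Branch not among the six that received fixes: end-of-life branches
    # get no patch at all and, per the advisory coverage, should be treated
    # as compromised; a branch newer than the list needs a manual check.
    echo "no-patch-for-branch"
}

# Read the live version (assumed path) unless one was given as an argument.
main() {
    if [ $# -eq 0 ] && [ -r /usr/local/cpanel/version ]; then
        installed=$(cat /usr/local/cpanel/version)
    else
        installed="${1:-}"
    fi
    status=$(cpanel_patch_status "$installed")
    echo "cPanel version '$installed': $status"
    case "$status" in
        vulnerable)
            echo "Action: run /scripts/upcp --force as root, then re-run this check." ;;
        no-patch-for-branch)
            echo "Action: no fix exists for this branch; if end-of-life, assume compromise and rebuild." ;;
        unparseable)
            echo "Action: could not read a version; pass one explicitly, e.g. 11.118.0.63" ;;
    esac
}

# Run only when invoked on a server or with an explicit version argument.
if [ $# -gt 0 ] || [ -r /usr/local/cpanel/version ]; then
    main "$@"
fi
```

Run it as root on the server with no arguments, or hand it a version string to check a build you have recorded elsewhere. The branch match is exact on purpose: a 11.118 server is only compared against the 11.118 fix, so a higher-numbered branch is never mistaken for a patched one.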
