Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately

cPanel powers a significant share of the web‑hosting market, with estimates of over two million instances exposed to the internet. The newly disclosed CVE‑2026‑41940, rated 9.8, represents a rare zero‑day that bypasses authentication entirely, allowing attackers to inject carriage‑return line‑feed characters into the login flow. By manipulating the session cookie, threat actors can create a forged session that grants root‑level access to the server, effectively compromising every hosted site and any connected customer data.

Technically, the flaw stems from insufficient sanitization of the HTTP Authorization header. When an attacker supplies a malicious header containing raw "\r\n" characters, cPanel’s daemon writes a session file with attacker‑controlled properties, such as "user=root". This CRLF injection sidesteps the normal encryption of the session token, enabling the creation of a privileged session without valid credentials. Mitigation steps include applying the official patches released for versions 11.86.0.41 through 11.136.0.5, blocking inbound traffic on ports 2083, 2087, 2095 and 2096, or stopping the cpsrvd and cpdavd services until the update is applied.

The rapid response from major hosting providers—Namecheap, KnownHost, HostPapa, InMotion and others—highlights the systemic risk posed by a compromised control panel. By fire‑walling critical ports and rolling out patches, they have averted potential widescale data theft and service outages. For operators, the incident underscores the importance of automated update mechanisms, continuous vulnerability monitoring, and layered defenses such as intrusion‑prevention systems. As the ecosystem moves forward, adopting zero‑trust principles for management interfaces and regularly auditing authentication pathways will be key to reducing the attack surface of widely deployed hosting platforms.