Missing authentication in cPanel & WHM (CVE-2026-41940) — control-panel takeover without authentication, ransomware use confirmed
cPanel & WHM (together with the related WP2 product), a widely used web-hosting control panel, has a missing-authentication flaw in the login flow that lets an unauthenticated remote attacker gain unauthorized access to the control panel. CISA listed it as known-exploited (KEV) with confirmed ransomware use (CVSS 9.8 Critical).
Key facts
- CVE ID: CVE-2026-41940
- CVSS base score: 9.8 CRITICAL
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Affected (vendor / product): WebPros cPanel & WHM and WP2 (WordPress Squared)
- CWE: CWE-306
- Exploitation: Listed in CISA KEV (exploitation confirmed); also confirmed used in ransomware
- Remediation due: 2026-05-03 (U.S. federal civilian agencies, BOD 22-01)
Key points
- Missing authentication (CWE-306) in the login flow of cPanel & WHM / WP2
- An unauthenticated remote attacker gains unauthorized access to the control panel
- cPanel/WHM is the most widely used hosting control panel, so one compromise ripples to many sites
- Listed in CISA KEV, so exploitation is confirmed; ransomware use is also confirmed (CVSS 9.8 Critical)
- Response: fix per vendor; minimize control-panel exposure and enforce multi-factor authentication
CVE-2026-41940 is a missing-authentication-for-a-critical-function vulnerability (CWE-306) in WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared). It was added to CISA's KEV catalog on April 30, 2026, with ransomware use also confirmed.
Per NVD, an authentication bypass in the login flow lets an unauthenticated remote attacker gain unauthorized access to the control panel. cPanel & WHM is one of the most widely used control panels in the hosting industry, centrally managing sites, email, databases, and domains on a web server. Seizing it without authentication lets an attacker manipulate the many websites and data on that server, so damage can escalate rapidly.
CISA has also confirmed exploitation in ransomware campaigns, which makes this a high-priority fix. In setups like shared hosting, where a single server hosts many customer sites, compromising the control panel can lead to cascading damage.
Key response: apply fixes/mitigations per WebPros/cPanel's official instructions. For cloud services, follow the applicable BOD 22-01 guidance, and discontinue use of the product if mitigations are unavailable. Minimizing the control panel's internet exposure and enforcing multi-factor authentication also help. The federal civilian remediation deadline was a short one: May 3, 2026.
Why it matters
Missing authentication in a hosting control panel plus confirmed ransomware use. Hosting providers and server admins should apply fixes immediately, minimize control-panel exposure, enforce MFA, and verify backups — addressing the risk that one compromise ripples to many sites.
FAQ
What are cPanel & WHM?
Why can damage be so large?
What should I do?
Sources (primary)
This article is an independently compiled summary based on the U.S. official data below. Always verify the exact, latest details and applicability with the official and vendor sources.
- CISA KEV Catalog (known exploited list)
- NVD (CVE details / CVSS)
- Vendor / reference advisory
- This product uses data from the NVD API but is not endorsed or certified by the NVD. KEV data is CC0 (public domain).