The Internet Is Falling Down, Falling Down, Falling Down (cPanel & WHM Authentication Bypass CVE-2026-41940)
A deep technical analysis of CVE-2026-41940, a critical authentication bypass vulnerability affecting all supported versions of cPanel & WHM, which manages over 70 million domains. The exploit chain involves: (1) minting a preauth session via a failed login, (2) injecting CRLF sequences into the session file via a crafted HTTP Basic Authorization header combined with a cookie stripped of its ob-part, bypassing the encoder, (3) triggering a cache promotion via a token-denied code path that reads the raw session file and writes injected keys as top-level JSON cache entries, and (4) exploiting a password-check bypass when successful_internal_auth_with_timestamp is set in the session. In-the-wild exploitation has been confirmed. Patched versions are listed for all supported release tracks.
Table of contents
What Is cPanel & WHM?
What Is CVE-2026-41940 And Why Is It So Catchy?
Let's Get On With It - It's Time To (Be) Diff
Anatomy Of A Session File
The Caller We Need, Not The Caller We Deserve - cpsrvd
Big Red Button Time?
Thwarted By JSON Once Again
Our Little Helper
Hunting For Modify::new And Modify::save
Do We Deserve This?
Detection Artifact Generator
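As an added defender-side illustration (not code from the write-up or from cPanel), the following Python screens HTTP Basic Authorization header values for CRLF and other control bytes in the decoded credential, the kind of request artifact step (2) of the chain above relies on. It assumes the CRLF travels inside the base64-decoded Basic credential and that raw header values are available from a proxy or web-server log; both are assumptions, and the sample headers are constructed.

```python
import base64
import binascii
import re

# Constructed sample header values (not captured traffic): one benign Basic
# credential, one with CRLF inside the decoded credential, one that is not
# valid base64, and one non-Basic scheme.
SAMPLE_HEADERS = [
    "Basic " + base64.b64encode(b"alice:correct-horse").decode(),
    "Basic " + base64.b64encode(b"alice\r\nnot-a-credential:pw").decode(),
    "Basic not*base64*at*all",
    "Bearer eyJhbGciOi",
]

# CR, LF, other C0 controls and DEL have no place in a Basic credential.
CONTROL_CHARS = re.compile(rb"[\x00-\x1f\x7f]")


def inspect_basic_auth(header_value):
    """Classify one Authorization header value.

    Returns 'not-basic' (scheme is not Basic), 'malformed' (credential is
    not valid base64), 'control-chars' (decoded credential contains CR/LF or
    other control bytes) or 'clean'.
    """
    scheme, _, credential = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return "not-basic"
    try:
        # validate=True rejects characters outside the base64 alphabet
        decoded = base64.b64decode(credential.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if CONTROL_CHARS.search(decoded):
        return "control-chars"
    return "clean"


def flag_suspicious(header_values):
    """Return the indexes of header values worth an analyst's attention."""
    return [i for i, v in enumerate(header_values)
            if inspect_basic_auth(v) in ("control-chars", "malformed")]


if __name__ == "__main__":
    for i, v in enumerate(SAMPLE_HEADERS):
        print(i, inspect_basic_auth(v))
```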