
Security researchers have identified a critical flaw in cPanel and WebHost Manager that could allow attackers to bypass authentication and gain full control of affected servers, prompting warnings from cybersecurity agencies and hosting providers.
Authentication Bypass Enables Full Administrative Access
The vulnerability, tracked as CVE-2026-41940, allows remote attackers to bypass the login screen and access the administration panel without credentials. Because cPanel and WHM manage core server functions such as websites, email systems, and databases, successful exploitation could provide unrestricted access to sensitive data and configurations.
The software is widely used across the hosting industry, with tens of millions of websites relying on it, increasing the potential scale of impact.
Cybersecurity Agencies Warn Of High Exploitation Risk
The Canadian Centre for Cyber Security said in an advisory that exploitation is highly probable and could affect websites hosted on shared infrastructure, including those operated by large hosting providers. The agency urged immediate action to apply patches and prevent unauthorized access.
Hosting Providers Deploy Patches And Temporary Restrictions
Several hosting companies have responded by patching systems and limiting access. Namecheap said it temporarily blocked customer access to cPanel dashboards to prevent exploitation while applying fixes.
HostGator reported that it had patched its systems and classified the issue as a critical authentication bypass vulnerability.
Evidence Suggests Prior Exploitation Attempts
KnownHost said it observed attempts to exploit the flaw as early as February 23. CEO Daniel Pearson said approximately 30 servers, out of thousands in its network, showed signs of unauthorized access attempts. The company described the activity as attempts rather than confirmed compromises and temporarily restricted access before deploying patches.
Software Vendor Urges Customers To Update Systems
The developer of cPanel has released patches and advised all customers to ensure their systems are updated, noting that all supported versions are affected. The company also issued a fix for WP Squared, a related tool used to manage WordPress sites.
