CVE-2026-41940: A Single Cookie Just Owned 70 Million Websites

A CRLF injection in the cPanel/WHM login flow lets unauthenticated attackers write user=root into a session file. Active exploitation includes Mirai variants and a ransomware strain called "Sorry." Here's what to patch and how.


On April 28, 2026, a single CRLF injection inside an HTTP header turned every supported version of cPanel & WHM into a free-for-all. The bug — now tracked as CVE-2026-41940 — has a CVSS score of 9.8, requires no authentication, and lets a remote attacker write user=root directly into a cPanel session file. Within 24 hours of public disclosure, security firm Censys had already observed mass exploitation, including Mirai botnet variants and a fresh ransomware strain called "Sorry."

If your stack — or any of your customers' stacks — sits on a host running cPanel/WHM, this is the kind of advisory you walk out of a meeting for and patch immediately. cPanel powers more than 70 million domains, the bulk of the small-and-mid-business hosting market, and the vulnerability cascades cleanly from a single rooted control panel to every tenant on the same node.

What CVE-2026-41940 actually is

The disclosure came from cPanel itself on April 28, with a CVE assigned by MITRE the following day. Within hours, infosec firm watchTowr Labs published a full technical writeup along with a working proof-of-concept.

The root cause is a CRLF (Carriage Return Line Feed) injection in the login and session-loading code path. The relevant pieces:

  • cPanel/WHM identifies authenticated users via a whostmgrsession cookie. The cookie payload is normally encrypted, with a fixed segment that pegs it to the right code path.
  • By omitting the expected segment of the cookie value and sending a crafted HTTP Authorization: Basic header containing raw \r\n bytes, the attacker can force the server into a code path that writes the session to disk without sanitizing the inbound data.
  • The injected newlines let the attacker insert arbitrary key/value pairs — including, fatally, user=root — into the on-disk session file.
  • On the next request with that session cookie, the server reads the tampered file and treats the request as an authenticated root WHM user. Game over.

From there, the attacker has the full WHM administrative surface: account creation, package edits, mail, DNS, SSH access for any cPanel user, and, in many configurations, a quick ramp to host-level RCE.


Affected versions

The wording cPanel chose in its own advisory is unusually blunt: this affects all currently supported versions of cPanel & WHM. Not "some." Not "the EDGE tier." All of them. The earliest affected lineage traces back to versions after 11.40, which means effectively every unpatched cPanel install in production today is affected.

The fixed builds, depending on the release tier you track, are:

  • 11.110.0.51
  • 11.112.0.34
  • 11.114.0.34
  • 11.116.0.13
  • 11.118.0.18

cPanel's recommended action is to run /scripts/upcp --force, which forces an update even on systems that believe they're already current. If you have pinned your version or release tier, this is the moment to unpin.

Active exploitation: Mirai, "Sorry" ransomware, government and MSP networks

Vulnerabilities at this severity tier almost always get exploited within days. CVE-2026-41940 was exploited within hours.

  • Censys reported scanning activity matching the watchTowr PoC inside the first 24 hours of disclosure, expanding into multi-actor exploitation by April 30.
  • The Hacker News documented active weaponization against government and managed service provider (MSP) networks — a category of target where a single rooted host can pivot into thousands of downstream client environments.
  • Observed payloads include Mirai botnet variants (the long-running IoT DDoS lineage), credential-harvesting droppers, and a previously undocumented ransomware strain branded "Sorry", which targets the cPanel home directories of customer accounts and demands payment per affected tenant rather than per host.
  • Three national cyber agencies — Singapore CSA, Canada CCCS, and Australia's ACSC — issued advisories in the same week, treating the bug as a tier-one incident.

The combination of an unauthenticated bug, a public PoC, and a control-panel platform that powers tens of millions of shared-hosting tenants is the textbook recipe for "the internet quietly gets owned." This time, infosec firms aren't bothering to soften the language: watchTowr titled their writeup "The Internet Is Falling Down, Falling Down, Falling Down."

What to do right now

If you administer a cPanel/WHM server — or you're responsible for any application stack hosted on one — treat this as a same-day patch.

  1. Patch. Run /scripts/upcp --force on every cPanel/WHM host you operate. Do not wait for the normal update cron.
  2. If you cannot patch immediately, the major national CERTs recommend either:
    • Restricting external connectivity to ports 2083, 2087, 2095, and 2096 at the network firewall level.
    • Or stopping the cpsrvd and cpdavd internal services until the patch is applied.
  3. Audit for compromise. Check /var/cpanel/sessions/ for unexpected session files containing user=root. Review WHM's Manage Wheel Group Users, recently created accounts, and any new SSH keys in /root/.ssh/ and per-account ~/.ssh/ directories.
  4. Force-rotate credentials for the WHM root account, all reseller accounts, and any API tokens. The patch closes the door but does not invalidate sessions or keys an attacker may have already exfiltrated.
  5. If you're an MSP, push a notification to every client tenant whose stack lives on a shared cPanel host. The blast radius from one rooted node to every site on it is unforgiving.
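Step 3's session audit as an added example (not cPanel's own tooling): it scans the directory named above for session files that grant user=root, for raw CR/control bytes, and for duplicated keys, which in a line-based format mean the later value silently replaced an earlier one. The one key=value pair per line layout is an assumption, the sample files are constructed, and a legitimate root login may also leave a user=root file, so the output is a review list rather than a verdict.

```python
from __future__ import annotations
import re
from pathlib import Path

# Directory named in the advisory text; pass another path to audit_dir() when testing.
SESSION_DIR = Path("/var/cpanel/sessions")

# Constructed sample files (not real cPanel session data); layout assumed to be
# one key=value pair per line.
SAMPLES = {
    "ordinary.sess": b"user=alice\nexpires=1777600000\n",
    "root-login.sess": b"user=root\nexpires=1777600000\n",
    "suspect.sess": b"user=bob\r\nuser=root\r\nexpires=1777600000\n",
}

# Any C0 control byte other than \t and \n; a line-based file should never contain one.
_CONTROL_BYTES = re.compile(rb"[\x00-\x08\x0b-\x1f]")

def audit_bytes(name: str, data: bytes) -> list[str]:
    """Return review findings for the contents of one session file."""
    findings = []
    lines = [ln.rstrip(b"\r") for ln in data.split(b"\n")]
    if b"user=root" in lines:
        findings.append(f"{name}: grants user=root; confirm against a known root login")
    if _CONTROL_BYTES.search(data):
        findings.append(f"{name}: raw CR/control bytes present; possible CRLF injection artifact")
    keys = [ln.partition(b"=")[0] for ln in lines if b"=" in ln]
    dupes = sorted({k.decode(errors="replace") for k in keys if keys.count(k) > 1})
    if dupes:
        findings.append(f"{name}: duplicate keys {dupes}; the later value silently wins")
    return findings

def audit_dir(path: Path = SESSION_DIR, since_epoch: float = 0.0) -> list[str]:
    """Audit every regular file under path modified at or after since_epoch."""
    findings = []
    for p in sorted(path.iterdir()):
        if p.is_file() and p.stat().st_mtime >= since_epoch:
            findings.extend(audit_bytes(p.name, p.read_bytes()))
    return findings

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        for finding in audit_bytes(name, data) or [f"{name}: nothing flagged"]:
            print(finding)
```

Run it with since_epoch set to just before the disclosure date to narrow the review to files written during the exposure window.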

The structural lesson

CRLF injection is not a new bug class. It is an old one — old enough that the OWASP entry on it has been stable for years and most modern web frameworks reject it at the request-parser layer by default. Its presence in 2026 inside an authenticated-by-cookie code path on one of the most widely deployed control panels in the world is a reminder of two structural facts about the hosting ecosystem:

  1. Control-panel software is the soft underbelly of the web. Cloud-native shops have moved to immutable infrastructure, ephemeral hosts, and short-lived credentials. The shared-hosting world has not. A rooted cPanel node still touches thousands of human-readable websites, mailboxes, and small-business databases.
  2. Auth bypasses via header parsing are quietly common. CVE-2026-41940 is at least the third high-severity auth-bypass-via-header-parsing bug to land in widely deployed server software in the last twelve months. The pattern — server trusts the parsed header, downstream code trusts the unparsed bytes — is a structural class of bug that mature platforms still produce.
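The bug class behind the root-cause walkthrough above and this second structural point, as an added illustration (not cPanel's code, which is Perl; the one key=value pair per line session layout is an assumption): a naive writer copies a value into a line-based file exactly as received, so a value carrying CR/LF smuggles in an extra line that the reader then honours, while the hardened writer rejects control characters before anything reaches disk.

```python
import re

# Constructed session layout for this example (not cPanel's real format):
# one "key=value" pair per line, read back with "last occurrence wins".
# A clean field contains no C0 control character (CR, LF, NUL, ...) and no DEL.
_CLEAN_FIELD = re.compile(r"\A[^\x00-\x1f\x7f]*\Z")

def serialize_naive(pairs: dict) -> str:
    """Vulnerable pattern: every value is copied to the file exactly as received."""
    return "".join(f"{k}={v}\n" for k, v in pairs.items())

def serialize_strict(pairs: dict) -> str:
    """Hardened pattern: refuse any key or value carrying control characters,
    and any key containing '=', before a single byte is written."""
    for k, v in pairs.items():
        if "=" in k or not _CLEAN_FIELD.match(k) or not _CLEAN_FIELD.match(str(v)):
            raise ValueError(f"refusing unsafe session field {k!r}")
    return serialize_naive(pairs)  # same format, now on validated input only

def parse_session(text: str) -> dict:
    """Reader side: split into lines; the last occurrence of a key wins."""
    session = {}
    for line in text.splitlines():  # splitlines() also treats a lone \r as a break
        key, sep, value = line.partition("=")
        if sep:
            session[key.strip()] = value.strip()
    return session

def strict_accepts(pairs: dict) -> bool:
    """True if the hardened serializer would write these pairs at all."""
    try:
        serialize_strict(pairs)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed tainted input: a field that should hold one token but carries CRLF.
    tainted = {"user": "guest", "login_name": "guest\r\nuser=root"}
    print(parse_session(serialize_naive(tainted))["user"])  # root: the smuggled line won
    print(strict_accepts(tainted))                           # False: never reaches disk
```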

If you operate at scale on cPanel, this is the moment to revisit your incident-response runbook. If you're a tenant, ask your hosting provider — in writing — when their cPanel/WHM nodes were patched and whether any compromise indicators were found. The 70-million-domain blast radius means the answer is not theoretical.
