Actively exploited cPanel bug exposes millions of websites to takeover

Security researchers and CISA have issued an urgent warning regarding a critical authentication-bypass vulnerability in cPanel and WebHost Manager that allows attackers to gain unauthorized administrative server access.

Key Points

  • The vulnerability, tracked as CVE-2026-41940, enables attackers to bypass credentials and take full control of servers and hosted websites.
  • CISA added the flaw to its Known Exploited Vulnerabilities catalog following evidence of active, real-world exploitation since late February 2026.
  • cPanel released security patches on April 28, 2026, for all supported versions after 11.40, including DNSOnly and WP Squared.
  • Major hosting providers, including Namecheap, HostGator, and KnownHost, temporarily restricted interface access to implement emergency security updates.
  • The bug affects over one million websites globally, including those belonging to financial institutions and healthcare organizations.

Why it Matters

This vulnerability poses a significant threat to global web infrastructure because a single flaw grants attackers administrative control over a vast number of hosted sites at once. Organizations and individual users must confirm that their hosting providers have applied the latest cPanel and WebHost Manager patches in order to prevent data theft and unauthorized server manipulation.

Source: Malwarebytes.com, published by Pieter Arntz