U.S. CISA adds a flaw in WebPros cPanel to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency has added a critical authentication bypass vulnerability in cPanel and WHM to its Known Exploited Vulnerabilities catalog, mandating immediate federal remediation.

Key Points

  • CISA added CVE-2026-41940, which carries a CVSS score of 9.3 (critical), to its Known Exploited Vulnerabilities (KEV) catalog.
  • The flaw allows remote attackers to bypass authentication in cPanel and WHM versions 11.40 and later, potentially granting full server control.
  • Security firm watchTowr disclosed the vulnerability and released a detection tool to help administrators identify compromised or exposed instances.
  • The Shadowserver Foundation estimates that thousands of cPanel instances remain exposed to potential exploitation.
  • Federal Civilian Executive Branch agencies are required to patch the vulnerability by the May 3, 2026, deadline.
  • Hosting providers like Namecheap have implemented temporary access restrictions to mitigate risks while users apply necessary security updates.

Why it Matters

This vulnerability poses a significant threat to web hosting infrastructure because it allows unauthorized actors to gain administrative control over servers and the sensitive data they host. Organizations must prioritize patching to prevent widespread exploitation, as the flaw is already being actively targeted in the wild.

Securityaffairs.com Published by Pierluigi Paganini