Technical Tip: FortiWeb customers protected against CVE-2026-41940 (cPanel & WebHost Manager WHM)

Description

This article describes CVE-2026-41940, a critical authentication bypass vulnerability affecting cPanel & WebHost Manager (WHM), and the FortiWeb signature released to provide detection and blocking coverage against active exploitation attempts targeting this vulnerability.

Scope

FortiWeb Web Application Firewall (WAF).

Solution

CVE-2026-41940 Overview.

CVE-2026-41940 is a critical authentication bypass vulnerability affecting cPanel & WebHost Manager (WHM), one of the most widely deployed web hosting control panels globally.

The vulnerability affects multiple cPanel versions prior to the following patched releases: 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5.

The flaw allows unauthenticated remote attackers to bypass the login process and gain unauthorized access to the control panel. The issue relates to improper handling in the authentication and session management flow, enabling attackers to forge privileged sessions without valid credentials.

Impact.

Successful exploitation can result in full administrative compromise of cPanel and WHM environments.

Since WHM manages hosting servers and multiple customer accounts, exploitation may allow attackers to perform the following actions:

•       Gain administrative access to the hosting control plane.

•       Access or modify hosted websites and databases.

•       Steal sensitive customer or server data.

•       Deploy malware or ransomware.

•       Disrupt or completely take over affected servers.

Because cPanel is widely used by hosting providers, managed service providers, and enterprise environments, the attack surface is broad. Security researchers and government advisories confirm that active exploitation has already been observed in the wild.

CVSS Score and Severity.

CVE-2026-41940 has been assigned a CVSS score of 9.8 (Critical), reflecting the severity of this vulnerability.

The following factors contribute to this rating:

•       Network is exploitable. The vulnerability is remotely accessible without requiring local or adjacent network access.

•       No authentication required. Attackers do not need valid credentials to exploit the vulnerability.

•       Low attack complexity. No special conditions are needed for exploitation.

•       No user interaction required. Exploitation does not depend on any action from a legitimate user.

•       High impact on confidentiality, integrity, and availability. Successful exploitation results in complete compromise of the affected system.

The vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, confirming exploitation in real-world attacks.

Recommended Mitigation Steps.

Organizations using cPanel & WHM should immediately upgrade to the patched versions released by cPanel.

Recommended actions include:

•       Upgrade cPanel & WHM to one of the following patched versions or later: 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5.

•       Restrict administrative interface exposure to trusted IP addresses.

•       Monitor authentication and session logs for suspicious access patterns.

•       Rotate privileged credentials after patching.

•       Review systems for signs of compromise if running vulnerable versions.

Given the critical nature of this issue and confirmed active exploitation, delayed patching significantly increases organizational risk.

FortiWeb Protection.

To protect against exploitation attempts targeting CVE-2026-41940, FortiWeb released a dedicated signature on May 2, 2026, providing detection and blocking coverage.

FortiWeb's Web Application Firewall (WAF) helps mitigate attacks associated with this vulnerability by:

•       Detecting maliciously crafted requests targeting cPanel login flows.

•       Blocking exploit patterns associated with CVE-2026-41940.

•       Providing virtual patching while organizations validate and deploy official vendor fixes.

This additional protection layer helps reduce exposure during emergency patching windows and strengthens defense-in-depth for internet-facing hosting infrastructure.

Related documents: 

CVE-2026-41940 - NVD

Vulnerability Affecting cPanel & WHM - Canadian Centre for Cyber Security