The Internet Is Falling Down, Falling Down, Falling Down (cPanel & WHM Authentication Bypass CVE-2026)
Source: Watchtowr Labs
Date Published: May 1, 2026
cPanel and WHM is the control panel solution that runs, depending on who you ask, somewhere north of 70 million domains. WHM is the administrative interface - root-level access to the server, SSL certificates, security protocols, the lot - and cPanel is the user-facing panel for individual hosting accounts. Think of it as the keys to the kingdom, and then the keys to every individual apartment inside the kingdom.
According to cPanel, this vulnerability affects - and we cannot stress this enough - all currently supported versions of cPanel & WHM. Beyond that, what we do know is that this is a vulnerability affecting “session loading and saving” - or, in plainer non-cPanelican English, an “Authentication Bypass”. KnownHost confirmed that in-the-wild exploitation has been ongoing and that this vulnerability was used as a zero-day against the management plane of a significant part of the Internet.
Recommended Actions 🔧
cPanel recommends upgrading to the following patched versions:
- cPanel & WHM 110.0.x patched in 11.110.0.97 (was 11.110.0.96)
- cPanel & WHM 118.0.x patched in 11.118.0.63 (was 11.118.0.61)
- cPanel & WHM 126.0.x patched in 11.126.0.54 (was 11.126.0.53)
- cPanel & WHM 132.0.x patched in 11.132.0.29 (was 11.132.0.27)
- cPanel & WHM 134.0.x patched in 11.134.0.20 (was 11.134.0.19)
- cPanel & WHM 136.0.x patched in 11.136.0.5 (was 11.136.0.4)
For avoidance of doubt, our review focused on cPanel & WHM 11.110.0.97 (patched) and cPanel & WHM 11.110.0.96 (unpatched).
Technical Details 🔍
We identified 3 modified files of interest:
- Cpanel/Session.pm (saver)
- Cpanel/Session/Load.pm (loader)
- Cpanel/Session/Encoder.pm (new hex round-trip primitives)
Specifically, the changes to the function saveSession in Session.pm caught our eye. The code changes introduce a call to filter_sessiondata and new logic for encoding the ‘pass’ field. The filter_sessiondata function has a simple task: strip carriage returns, newlines, equals signs, and commas from every input field it is passed. For example, if a caller provides the value pass = foo\nhasroot=1, filter_sessiondata will do its thing and massacre that value into pass = foohasroot=1. The patch moves the filter_sessiondata call inside saveSession itself, rather than relying on every caller to remember it.
The creation of session files can be triggered by a maliciously intended login attempt, such as a POST request to /login/ with user=root&pass=wrong. cPanel (cpsrvd) then mints a “preauth” session and writes it to disk. An example on-disk file, such as /var/cpanel/sessions/raw/:Wg_mjzgt1hyfXefK, looks like this: local_ip_address=172.17.0.2 external_validation_token=.
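As an added, runnable illustration (this is not watchTowr's or cPanel's code), the block below models the two things described above: a line-oriented key=value session file like the on-disk example, and a saver that either trusts its callers (the pre-patch shape) or filters every field itself (the patched shape). The filter, loader, file layout and the pass_hex key are assumptions of this example; because the filter strips the equals sign as well as the newline, the page's sample value collapses to foohasroot1 here. A third variant hex-encodes the pass field, in the spirit of the hex round-trip primitives listed for Encoder.pm, so the value survives intact while the file stays single-line per field.

```python
import re
from typing import Dict

# Characters the article says filter_sessiondata removes: CR, LF, '=' and ','
_FORBIDDEN = re.compile(r"[\r\n=,]")


def filter_sessiondata(fields: Dict[str, str]) -> Dict[str, str]:
    """Hypothetical stand-in for cPanel's filter_sessiondata (not its code):
    strip CR, LF, '=' and ',' from every value so no value can span lines
    or masquerade as a second key=value pair."""
    return {key: _FORBIDDEN.sub("", str(value)) for key, value in fields.items()}


def save_session_unfiltered(fields: Dict[str, str]) -> str:
    """'Before' behaviour: serialise one key=value per line and trust the
    caller to have sanitised the values."""
    return "".join(f"{key}={value}\n" for key, value in fields.items())


def save_session(fields: Dict[str, str]) -> str:
    """'After' behaviour: the saver filters inside itself, so every caller
    gets the protection whether or not it remembered to sanitise."""
    return save_session_unfiltered(filter_sessiondata(fields))


def save_session_hex_pass(fields: Dict[str, str]) -> str:
    """Variant that hex-encodes the pass field instead of destroying
    characters: the on-disk value is only [0-9a-f] and round-trips losslessly.
    The pass_hex key name is this example's assumption, not cPanel's layout."""
    safe = filter_sessiondata({k: v for k, v in fields.items() if k != "pass"})
    if "pass" in fields:
        safe["pass_hex"] = str(fields["pass"]).encode("utf-8").hex()
    return save_session_unfiltered(safe)


def load_session(text: str) -> Dict[str, str]:
    """Minimal line-oriented loader: each line is split on its first '=' and a
    later key overwrites an earlier one, the property that makes an injected
    line dangerous. Reverses the hex encoding of the pass field if present."""
    session: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            session[key] = value
    if "pass_hex" in session:
        session["pass"] = bytes.fromhex(session.pop("pass_hex")).decode("utf-8")
    return session


def smuggled_keys(fields: Dict[str, str], text: str) -> set:
    """Defender-side check: keys present in the saved file that the caller
    never supplied. A non-empty result means a value injected a new key."""
    return set(load_session(text)) - set(fields)


# Constructed input modelled on the article's description: a failed login for
# root whose password value carries a newline and a fake hasroot assignment.
LOGIN_FIELDS = {
    "user": "root",
    "pass": "foo\nhasroot=1",
    "local_ip_address": "172.17.0.2",
}


def demo() -> Dict[str, object]:
    """Save the same fields three ways and report what a loader reads back."""
    before = save_session_unfiltered(LOGIN_FIELDS)
    after = save_session(LOGIN_FIELDS)
    hexed = save_session_hex_pass(LOGIN_FIELDS)
    return {
        "before_hasroot": load_session(before).get("hasroot"),  # "1": injected
        "before_smuggled": smuggled_keys(LOGIN_FIELDS, before),  # {"hasroot"}
        "after_hasroot": load_session(after).get("hasroot"),    # None
        "after_pass": load_session(after)["pass"],              # "foohasroot1"
        "hex_smuggled": smuggled_keys(LOGIN_FIELDS, hexed),     # set()
        "hex_pass": load_session(hexed)["pass"],                # original value
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The smuggled_keys comparison is the check worth keeping: any saver that writes a line-oriented file can assert, after serialising, that the loader reads back exactly the keys it was given, which catches this class of bug regardless of which caller forgot to sanitise.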