Critical CRLF Injection in cPanel WHM Allows Remote Authentication Bypass and Root Access
What Happened — A newly disclosed CVE‑2026‑41940 reveals a CRLF injection flaw in the cPanel/WHM cpsrvd daemon. By manipulating the whostmgrsession cookie or Authorization header, an unauthenticated attacker can inject arbitrary session parameters, forcing the system to issue a valid administrative session token and gain full root privileges on the host.
Why It Matters for TPRM —
- The vulnerability grants complete control over any cPanel‑managed server, exposing all hosted customer data and services.
- Exploits are publicly available, increasing the likelihood of opportunistic attacks against third‑party hosting providers.
- A compromised hosting environment can be leveraged for supply‑chain attacks against downstream clients.
Who Is Affected — Web‑hosting providers, SaaS platforms, MSPs, and any organization that outsources web services to cPanel/WHM environments (technology, finance, healthcare, retail, etc.).
Recommended Actions —
- Verify that all cPanel installations are patched to a version that addresses CVE‑2026‑41940.
- Enforce strict network segmentation for WHM interfaces and limit exposure to the internet.
- Review third‑party hosting contracts for security clauses covering timely patching and vulnerability disclosure.
Technical Notes — The flaw stems from improper neutralization of CRLF characters in session handling, allowing injection of user=root, hasroot=1, and tfa_verified=1 into the flat‑file session store. Exploit code leverages a crafted Authorization: Basic header with base64‑encoded payload. No CVE‑specific patches were listed at the time of disclosure; mitigation includes upgrading to the latest cPanel release and applying web‑application firewalls that block CRLF sequences. Source: Exploit Database – cPanel CRLF Injection (EDB‑52574)