HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

Critical CRLF Injection in cPanel WHM Allows Remote Authentication Bypass and Root Access

A newly disclosed CVE‑2026‑41940 lets attackers inject malicious session data into cPanel/WHM, bypassing authentication and gaining root privileges. Any organization relying on cPanel‑hosted services faces immediate risk, making rapid patching and contract review essential for third‑party risk management.

LiveThreat™ Intelligence · 📅 May 27, 2026· 📰 exploit-db.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
3 recommended
📰
Source
exploit-db.com

Critical CRLF Injection in cPanel WHM Allows Remote Authentication Bypass and Root Access

What Happened — A newly disclosed CVE‑2026‑41940 reveals a CRLF injection flaw in the cPanel/WHM cpsrvd daemon. By manipulating the whostmgrsession cookie or Authorization header, an unauthenticated attacker can inject arbitrary session parameters, forcing the system to issue a valid administrative session token and gain full root privileges on the host.

Why It Matters for TPRM

  • The vulnerability grants complete control over any cPanel‑managed server, exposing all hosted customer data and services.
  • Exploits are publicly available, increasing the likelihood of opportunistic attacks against third‑party hosting providers.
  • A compromised hosting environment can be leveraged for supply‑chain attacks against downstream clients.

Who Is Affected — Web‑hosting providers, SaaS platforms, MSPs, and any organization that outsources web services to cPanel/WHM environments (technology, finance, healthcare, retail, etc.).

Recommended Actions

  • Verify that all cPanel installations are patched to a version that addresses CVE‑2026‑41940.
  • Enforce strict network segmentation for WHM interfaces and limit exposure to the internet.
  • Review third‑party hosting contracts for security clauses covering timely patching and vulnerability disclosure.

Technical Notes — The flaw stems from improper neutralization of CRLF characters in session handling, allowing injection of user=root, hasroot=1, and tfa_verified=1 into the flat‑file session store. Exploit code leverages a crafted Authorization: Basic header with base64‑encoded payload. No CVE‑specific patches were listed at the time of disclosure; mitigation includes upgrading to the latest cPanel release and applying web‑application firewalls that block CRLF sequences. Source: Exploit Database – cPanel CRLF Injection (EDB‑52574)

📰 Original Source
https://www.exploit-db.com/exploits/52574

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →