CVE-2026-41940: Full Technical Details and InMotion's Response

Updated on May 1, 2026 by Derrell

CVE-2026-41940 is a pre-authentication remote authentication bypass in cPanel and WHM with a Critical severity rating. Now that patches are deployed and access has been restored across InMotion Hosting's server fleet, this article provides the full technical picture: how the exploit works, what InMotion did to protect your environment, and what you should do now. For our initial incident notification, see the original advisory from April 28th.

Table of Contents
- What Happened with CVE-2026-41940
- How We Responded
- What You Should Do Now
- Additional Resources

What Happened with CVE-2026-41940

CVE-2026-41940 is a pre-authentication remote authentication bypass in cPanel and WHM. It carries a Common Vulnerability Scoring System (CVSS) score of 9.8 out of a possible 10. An attacker with network access to a cPanel server needed no credentials whatsoever to gain root-level control.

The vulnerability chains three separate flaws:
1. The Basic-auth handler fails to sanitize Carriage Return Line Feed (CRLF) characters, letting an attacker inject arbitrary header values.
2. A truncated cookie disables the session's encryption layer.
3. The session cache re-parses the injected values, elevating the attacker's unauthenticated session to an authenticated one.

The result is full server access: websites, databases, email accounts, everything.

Important: Two-factor authentication (2FA) does not protect against this exploit. The attack sets tfa_verified=1 directly in the session before any 2FA prompt is reached. Blocking the affected ports was the only reliable mitigation before the patch.

The vulnerability affects all cPanel and WHM versions released after 11.40, including all supported versions and many end-of-life releases.
According to Shodan data, approximately 1.5 million internet-exposed cPanel instances were at risk. Security researcher Sina Kheirkhah at watchTowr Labs discovered and analyzed the flaw. Security researchers reported evidence of exploitation as early as late February 2026, roughly two months before cPanel released a patch on April 28, 2026. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-41940 to its Known Exploited Vulnerabilities (KEV) catalog on April 30, 2026, with a remediation deadline for federal agencies under Binding Operational Directive 22-01.

This was not an InMotion Hosting-specific issue. Almost all web hosts, including Namecheap, KnownHost, HostPapa, and Hosting.com, faced the same exposure and took similar emergency action at the same time.

How We Responded

When the vulnerability became public on April 28, 2026, InMotion Hosting moved immediately on two parallel tracks: block access to the affected ports, and push patches to every server that could accept them.

The affected ports are:
- 2082 and 2083 (cPanel)
- 2086 and 2087 (WHM)
- 2095 and 2096 (Webmail)
- 2077 and 2078 (WebDisk)

Closing these ports eliminated the attack surface at the network layer while the team worked through updates. Websites, applications, databases, and email continued operating normally throughout because those services run on standard ports that were never touched. Your Account Management Panel (AMP) was also unaffected.

Patching at the scale of our infrastructure required iterating on automated scripts to push the update to every eligible server. The team worked through the server fleet methodically, restoring port access after each server was confirmed patched.

The patched cPanel and WHM versions are 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, and 11.136.0.5.

For servers that could not receive the update (due to version pinning or end-of-life cPanel releases), the ports remained blocked.
InMotion Hosting cannot guarantee those servers are fully protected, and the team is reaching out directly to customers whose environments may have been affected.

What You Should Do Now

For most InMotion Hosting customers on Shared, WordPress, or Managed VPS plans, patching was handled automatically. To confirm your server is on a patched version, run the following command via Secure Shell (SSH):

    /usr/local/cpanel/cpanel -V

The output should match one of the patched versions listed above. If it does not, run the forced update command:

    /scripts/upcp --force

After the update completes, restart the cPanel service to make sure the patched code is active:

    /scripts/restartsrv_cpsrvd --hard

Note: If your server runs CentOS 6 or CloudLinux 6 on cPanel version 110.0.50, cPanel has released version 110.0.103 specifically for that tier. Set the upgrade tier first, then run the update:

    whmapi1 set_tier tier=11.110.0.103
    /scripts/upcp --force

Beyond verifying the patch, take these steps:

Rotate credentials. Change your cPanel, WHM, and database passwords. If any credentials were stored in files accessible through your web root, treat them as compromised.

Review your access logs. Look for unexpected logins or file changes in cPanel's Last Login record and your server's /var/log/ directory. Unusual activity before April 28, 2026, is worth investigating.

Check for unauthorized accounts. In WHM, review the account list for any accounts you did not create. In cPanel, review FTP accounts, email accounts, and SSH keys under Security.

Contact support if you received an outreach from InMotion. If InMotion's team reached out to you about a possible compromise, respond promptly. The team can help you assess the scope and next steps.

Run cPanel's detection script. cPanel has published an indicator-of-compromise (IOC) detection script that scans session files for signs of exploitation. The script is available in cPanel's official advisory.
Save the script to your server, run it with:

    /bin/bash ./ioc_checksessions_files.sh

and review the output. CRITICAL or WARNING findings indicate compromise and require immediate action: purge affected sessions, force-reset all passwords, and audit for persistence mechanisms such as cron jobs, SSH keys, and WHM hooks.

Note: If your server runs an end-of-life cPanel version that did not receive the patch, upgrading to a supported cPanel release is the only path to full remediation. Contact our Technical Support team to discuss your upgrade options.

Additional Resources

For cPanel's official technical advisory, see the cPanel & WHM Security Update 04/28/2026.

For our initial incident notification and the patched version list, see the original advisory on our Support Center.

If you have questions about your specific environment, our Technical Support is available 24 hours a day, 7 days a week.

Derrell Willis, Manager, Developer Relations
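To make the version check from "What You Should Do Now" repeatable across many servers, here is an added POSIX shell example (written for this article, not InMotion's or cPanel's own code) that compares the output of cpanel -V against the patched builds listed above and reports whether a forced update is still needed. It assumes cpanel -V prints either 11.X.0.Y or X.0 (build Y); anything else is reported as unrecognized rather than guessed.

```shell
#!/bin/sh
# Added example (not InMotion's or cPanel's code): compare a cPanel/WHM
# version string with the patched build this article lists for its branch.
# Patched builds from the article (branch = second dotted field).
PATCHED_VERSIONS="11.86.0.41 11.110.0.97 11.118.0.63 11.126.0.54 \
11.130.0.19 11.132.0.29 11.134.0.20 11.136.0.5"

# Normalise the two output shapes `cpanel -V` is assumed to produce,
# "11.130.0.19" or "130.0 (build 19)", into "11.130.0.19".
# Prints nothing if the string matches neither shape.
normalize_version() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^ *\(11\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        -e 's/^ *\([0-9][0-9]*\)\.\([0-9][0-9]*\) *(build *\([0-9][0-9]*\)).*/11.\1.\2.\3/p' | head -n 1
}

# Exit status: 0 patched, 1 below the patched build for its branch,
# 2 unrecognised output, 3 branch with no patched build in the list
# (typically an end-of-life release that must be upgraded instead).
cpanel_is_patched() {
    ver=$(normalize_version "$1")
    [ -n "$ver" ] || return 2
    branch=$(printf '%s' "$ver" | cut -d. -f2)
    build=$(printf '%s' "$ver" | cut -d. -f4)
    for p in $PATCHED_VERSIONS; do
        if [ "$(printf '%s' "$p" | cut -d. -f2)" = "$branch" ]; then
            [ "$build" -ge "$(printf '%s' "$p" | cut -d. -f4)" ] && return 0
            return 1
        fi
    done
    return 3
}

# Human-readable verdict plus the next command from the article.
report_version() {
    rc=0
    cpanel_is_patched "$1" || rc=$?
    case $rc in
        0) echo "OK: $1 is a patched build" ;;
        1) echo "ACTION: $1 is below the patched build; run /scripts/upcp --force, then /scripts/restartsrv_cpsrvd --hard" ;;
        2) echo "UNKNOWN: could not parse version output '$1'" ;;
        *) echo "ACTION: $1 has no patched build in this list; upgrade to a supported cPanel release" ;;
    esac
}

# Run against the live server only when cPanel is installed here.
if [ -x /usr/local/cpanel/cpanel ]; then
    report_version "$(/usr/local/cpanel/cpanel -V 2>/dev/null)"
fi
```

The script only reports; it never runs the update itself, so it is safe to run from a fleet-wide SSH loop and act on the ACTION lines by hand.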