WHMCS Security Advisory: CVE-2026-29204 Requires Immediate Update

Derrell
Updated on May 20, 2026

WHMCS CVE-2026-29204 is an authorization vulnerability affecting all WHMCS 8.x installations prior to 8.13.3 and all 9.x installations prior to 9.0.4. WHMCS published the advisory on May 12, 2026. If you run WHMCS on an InMotion Hosting Reseller, VPS, or Dedicated server, you must update your installation yourself. InMotion Hosting cannot apply this patch on your behalf.

WHMCS CVE-2026-29204: What Happened

WHMCS is a billing and client management platform used by web hosting businesses. The vulnerability involves insufficient authorization checks within the WHMCS Client Area. According to the WHMCS security advisory, an authenticated user could exploit this flaw to perform actions in another user’s account context, including accessing services that the user does not own.

Exploitation requires a valid, authenticated session. WHMCS did not publish a CVSS score in the advisory. Technical details beyond the vulnerability class have been withheld. This is standard practice for WHMCS security disclosures.

Affected versions

All WHMCS 9.x builds prior to 9.0.4
All WHMCS 8.x builds prior to 8.13.3
All WHMCS 7.x builds after 7.4.0

Fixed versions

WHMCS 9.0.4 (recommended for 9.x users)
WHMCS 8.13.3 (recommended for 8.x users)

Note: No patch has been issued for WHMCS 7.x. If you are running any WHMCS 7.x build after 7.4.0, you are affected and must upgrade to 8.13.3 or 9.0.4 to receive a fix. A 7.x-to-8.x or 7.x-to-9.x upgrade is a major version change, so review the WHMCS upgrade documentation before proceeding.

WHMCS Cloud customers have already been automatically patched and do not need to take any action. All other installations require a manual update.

What InMotion Hosting Has Done

InMotion Hosting detected this advisory on May 12, 2026, and is notifying customers who run WHMCS on Reseller, VPS, and Dedicated hosting plans.
We manage the underlying server infrastructure, but WHMCS is software you install and manage independently; we cannot apply this security patch for you.

What You Should Do

Warning: Do not delay this update. The vulnerability allows an authenticated user to access another user’s account and services. If your WHMCS installation serves clients, their account security depends on you applying this patch.

Check your WHMCS version

Log in to your WHMCS admin area and go to Utilities > Update WHMCS. This screen shows your currently installed version alongside the latest available release. If the installed version is lower than 8.13.3 (for the 8.x series) or 9.0.4 (for the 9.x series), your installation is vulnerable and must be updated. WHMCS also displays a banner at the top of the admin dashboard when a new release is available.

Back up before you update

Before updating, take a full backup of your WHMCS files and database. Our guide, The Complete Guide to cPanel Backups, walks through backing up both files and databases through cPanel. WHMCS updates can encounter issues with customized templates or third-party modules, and a backup lets you restore quickly if something goes wrong.

To update, log in to your WHMCS admin area and go to Utilities > Update WHMCS to run the built-in Auto-Updater. The Auto-Updater downloads and applies the patch from within the admin interface. For the full procedure, see the WHMCS Auto-Updater documentation. If you prefer to replace files manually, see the WHMCS manual update guide.

If you installed WHMCS through Softaculous, log in to cPanel, open Softaculous Apps Installer, find your WHMCS installation under your installed applications, and use the update option to upgrade to the latest version. For a walkthrough of installing WHMCS through Softaculous, see How to Install WHMCS Using Softaculous.

After updating, review your WHMCS Activity Log for any unexpected access or service activity from mismatched user accounts.
This can help you identify whether any unauthorized access occurred before the patch was applied. To log in to your WHMCS admin area, see How to Log In to Your WHMCS Admin Dashboard.

Where to Get Help

If you encounter server-level issues during the update, such as file permission errors or PHP compatibility problems, our Technical Support can assist. For the full details of this vulnerability, see the official WHMCS CVE-2026-29204 security advisory.

Derrell Willis
Manager, Developer Relations
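
For operators tracking more than one installation, the version check under "Check your WHMCS version" and the affected and fixed version lists can be applied to an inventory in one pass. This is an added example, not code from WHMCS or InMotion Hosting; the version-string format (including a "-release.1" style suffix), the function names and the sample inventory are assumptions, and the version values are the ones you read from Utilities > Update WHMCS.

```python
import re

# Fixed releases and the 7.x boundary, taken from the advisory text above.
FIXED = {8: (8, 13, 3), 9: (9, 0, 4)}
V7_BOUNDARY = (7, 4, 0)   # 7.x builds after this are affected; no 7.x patch exists

# Assumption: version strings look like "8.13.1" or "8.13.1-release.1".
_VERSION = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:[-.]?([A-Za-z][\w.]*))?\s*$")


def classify(version):
    """Return (status, advice) for one installed WHMCS version string."""
    m = _VERSION.match(version)
    if not m:
        return ("unparsed", "re-check the version shown under Utilities > Update WHMCS")
    num = tuple(int(g) for g in m.group(1, 2, 3))
    suffix = (m.group(4) or "").lower()
    # Conservative: a beta/rc build numbered like a fixed release predates it.
    prerelease = suffix.startswith(("alpha", "beta", "rc"))
    major = num[0]
    if major in FIXED:
        fixed = FIXED[major]
        if num < fixed or (num == fixed and prerelease):
            return ("affected", "update to %d.%d.%d" % fixed)
        return ("fixed", "no action needed for this advisory")
    if major == 7 and num > V7_BOUNDARY:
        return ("affected", "no 7.x patch; upgrade to 8.13.3 or 9.0.4")
    return ("not-listed", "version is outside the ranges the advisory names")


def triage(inventory):
    """Map {install name: version} to the installs that still need work."""
    todo = {}
    for name, version in inventory.items():
        status, advice = classify(version)
        if status != "fixed":
            todo[name] = (status, advice)
    return todo


if __name__ == "__main__":
    # Constructed inventory; names and versions are sample values.
    sample = {"billing-a": "8.13.1-release.1", "billing-b": "9.0.4",
              "billing-c": "7.10.3", "billing-d": "7.4.0", "billing-e": "9.0.4-rc.1"}
    for name, (status, advice) in sorted(triage(sample).items()):
        print(f"{name}: {status} -> {advice}")
```

A "not-listed" result means the advisory text does not name that version either way, so it should be checked against the official WHMCS advisory instead of being treated as safe.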