On April 28, cPanel disclosed CVE-2026-41940 — a CVSS 9.8 authentication bypass in cPanel & WHM caused by a Carriage Return Line Feed (CRLF) injection in the login and session-loading code. Rapid7's Shodan scan put the exposed population at roughly 1.5 million instances. CISA added it to the Known Exploited Vulnerabilities catalog, KnownHost confirmed in-the-wild exploitation, and watchTowr published a working proof of concept. There is reasonable speculation that the bug was being used as a zero-day from at least February 23, 2026 — over two months before the patch.
This is the kind of vulnerability that should be on the desk of every web team, because it manages to fail every layer of the OWASP fundamentals at the same time.
How the bug works
Before authentication completes, cpsrvd writes a small "pre-auth" session file to disk to track things like the login attempt and CSRF nonces. The bug is in how that file is later re-parsed: it is treated as line-delimited key=value entries, and the writer never sanitizes user-supplied input for line breaks. An unauthenticated attacker injects a payload containing CRLF sequences (\r\n) followed by additional key=value pairs. When cpsrvd re-reads the file post-injection, those injected lines become top-level session entries — including user=root, hasroot=1, tfa_verified=1, a chosen cp_security_token, and a fresh successful_internal_auth_with_timestamp. The result: a fully authenticated root session, password and 2FA both bypassed.
Where the CIA triad failed
Confidentiality: a fully privileged session reveals every customer's database credentials, mail spool, and SSL key. Integrity: with hasroot=1 the attacker can rewrite cron jobs, deface every hosted site, or plant a persistent backdoor in the cPanel update path. Availability: with one command the attacker can lock out other administrators, encrypt customer data, or simply turn the box off.
The single root cause, though, is layer one of OWASP's "Input Validation" cheat sheet: data crossing a trust boundary was written into a structured file without escaping the structural delimiter. CRLF injection is one of the oldest classes of web bug. It killed log integrity in the early 2000s, killed HTTP response splitting in the mid-2000s, and now in 2026 it has come back to kill session storage.
What every web / PHP team should audit tonight
First, search your code for every place where you write user-supplied strings into a config-style file, log file, or session record. If the format is line-delimited (whether INI, env, or your own scheme), you must reject or escape \r and \n before the write. Static analyzers will not catch this for you reliably; it requires a pattern-based grep.
Second, check that authentication state is not derived from a file that an unauthenticated request just wrote to. Pre-auth session files should be a mailbox, not a control plane.
Third, verify your hosting stack is patched. cPanel released remediated builds, and the documented workaround is to block ports 2083, 2087, 2095, and 2096 at the firewall while patching.
A word on the third-party angle
CIA does not stop at your code. cPanel is a closed-source third-party dependency that 1.5 million sites trust with root. If you do not know which version of cPanel your hosting partner is running, you do not know whether your site is compromised right now. Every modern security review should include a "what privileged third-party agents could end us if compromised?" question, and this CVE is a clean case study.
My Take
The most uncomfortable thing about CVE-2026-41940 is that the underlying bug — write user input into a delimiter-sensitive format without escaping the delimiter — is in every junior dev textbook, has been since 2004, and still ate 1.5 million servers. AI-assisted code review would have caught this in the same way Snyk would have caught it in the same way a careful human would have. The lesson is not "buy a new tool"; the lesson is "the OWASP fundamentals are still the rate-limiting step." Pick one input boundary in your codebase this week and prove, line by line, that no structural delimiter from the outside can reach a structured file. That is the work.
Sources
- Rapid7 — CVE-2026-41940: cPanel & WHM Authentication Bypass
- CyberScoop — cPanel authentication bypass exploited in the wild
- watchTowr Labs — The Internet Is Falling Down (CVE-2026-41940)
- Help Net Security — cPanel zero-day exploited for months before patch
- NVD — CVE-2026-41940 Detail
- Picus Security — CVE-2026-41940 Explained: 1.5M Servers