devtake.dev

70 million domains had a no-password root bypass. cPanel rushed an emergency patch.

cPanel shipped fixes April 28 for a CVSS 9.8 auth bypass that walks attackers into shared-hosting panels with no password. WatchTowr says exploitation started before the patch.

Luca Reinhardt · 4 min read · 2 sources

Image: WatchTowr Labs disclosure illustration for the cPanel and WHM authentication bypass CVE-2026-41940 (via watchTowr Labs)

cPanel shipped an emergency patch on April 28 for CVE-2026-41940. The auth bypass walks attackers into shared-hosting control panels with no password. WatchTowr Labs puts the affected install base “somewhere north of 70 million domains,” and KnownHost says exploitation was already happening in the wild before the patch landed.

The reason this matters more than the average CVE-of-the-week: cPanel sits under most of the budget shared-hosting market and a non-trivial slice of small-to-mid managed hosting. A single working WHM exploit promotes the attacker to root on a server that hosts every database, mail account, and FTP credential for every customer on the box. Resellers carry hundreds of customers per server. The blast radius is per-host, not per-site.

What we know

The bug chains two primitives. Attackers send a Basic-auth request whose password field carries newline characters, which inject arbitrary fields straight into the cPanel session file via a CRLF injection in the encoder. They then trigger the token-denied path so the session cache rebuilds from raw disk, promoting injected fields like successful_internal_auth_with_timestamp to top-level keys. cPanel’s session validator checks for the timestamp before consulting /etc/shadow, so the password never gets compared.

  • Severity. CVSS 9.8, per BleepingComputer’s writeup of the cPanel security bulletin.
  • Affected. All currently supported tracks: 11.110.0.96, 11.118.0.61, 11.126.0.53, 11.132.0.27, 11.134.0.19, 11.136.0.4. Both the cPanel website-level interface and the WHM server-level interface authenticate through the same primitive.
  • Fixed. 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, 11.136.0.5. Force the upgrade with /scripts/upcp --force if your auto-update window hasn’t fired.
  • Pre-auth. No credentials are needed. The attacker crafts a malicious Basic header and a tweaked session cookie; that is the whole prerequisite.
  • Exploited. WatchTowr’s headline tagline puts the urgency plainly: “When exploitation happens in hours, watchTowr delivers what no one else can: time to respond.” Namecheap, which serves a chunk of cPanel’s customer base, described it as “an authentication login exploit” and started blocking external port access pre-emptively.

A successful exploit hands the attacker the same authority as the panel’s account holder. On WHM, that’s root on the server. On cPanel, it’s full control of every site, database, mail account, and FTP credential the user owns.
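As an added example, not code from cPanel or watchTowr, here are the two defensive checks the mechanism above implies: refuse to write a session field whose value contains CR or LF, and flag Basic-auth requests whose decoded credential carries control bytes. The key=value session format and the sample requests are constructed for illustration and do not reproduce cPanel's real session file.

```python
import base64
import re

# Any ASCII control byte (CR, LF, NUL, ...) has no legitimate place in a
# credential or in a single session-file value.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

def encode_session_field(key, value):
    """Encode one field as 'key=value' (assumed, simplified line-oriented format).
    Rejecting control bytes here is what denies a value the ability to smuggle
    a second line, i.e. the CRLF injection described in the disclosure."""
    if CONTROL_CHARS.search(key) or CONTROL_CHARS.search(value):
        raise ValueError("control characters are not allowed in session fields")
    return f"{key}={value}"

def decode_basic(header_value):
    """Return (user, password) from an Authorization value, or None if not valid Basic."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        raw = base64.b64decode(blob, validate=True).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        return None
    user, _, password = raw.partition(":")
    return user, password

def is_suspicious_basic(header_value):
    """True when the decoded Basic credential carries CR/LF or other control bytes."""
    creds = decode_basic(header_value)
    if creds is None:
        return False  # not Basic auth or undecodable: nothing to judge here
    return any(CONTROL_CHARS.search(part) for part in creds)

def flag_requests(records):
    """Source IPs of (ip, authorization_header) records that look like injection attempts."""
    return [ip for ip, header in records if is_suspicious_basic(header)]

# Constructed sample traffic: a normal login, a credential with an embedded
# CRLF, and a non-Basic header that the check should ignore.
SAMPLE_REQUESTS = [
    ("203.0.113.7", "Basic " + base64.b64encode(b"alice:correct horse").decode()),
    ("198.51.100.9", "Basic " + base64.b64encode(b"alice:pw\r\ninjected=1").decode()),
    ("192.0.2.4", "Bearer not-a-basic-credential"),
]
```

The same control-byte test applied at the encoder is the structural fix; the request-side flag is the detection a reverse proxy or WAF in front of the panel can run while fleets are still staging the upgrade.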

What we don’t know

cPanel’s bulletin, quoted by BleepingComputer, stated only that “a critical security vulnerability has been identified in cPanel software affecting all currently supported versions.” That phrasing leaves three open questions on April 30, 2026.

  • The exact discovery date. WatchTowr published its disclosure on April 29, one day after cPanel’s April 28 fix. cPanel’s own bulletin doesn’t credit a finder publicly, and the company has not said when the bug entered the codebase.
  • How many of the 70 million domains are still on the vulnerable build. The figure WatchTowr cites is install-base scale, not unpatched count. Auto-updates pull most servers forward within hours, but managed hosting fleets often stage upgrades over days.
  • Whether the in-the-wild exploitation KnownHost flagged is mass scanning or targeted. WatchTowr’s wording suggests scanning began the moment the diff between vulnerable binaries (e.g. 11.136.0.4) and patched binaries (11.136.0.5) became public.

Source attribution

The technical breakdown comes from watchTowr Labs, the firm that published the disclosure. Patch metadata, severity, and customer reaction are sourced from BleepingComputer’s reporting on the cPanel bulletin and Namecheap’s customer notice. cPanel’s own statement, quoted by both outlets, says only that “a critical security vulnerability has been identified in cPanel software affecting all currently supported versions.”

What this means for you

If you run a server with cPanel or WHM, force the upgrade today. /scripts/upcp --force runs the update channel synchronously and won’t wait for the staged window. Check the running version with whmapi1 version afterward. Anything below the fix list above stays exposed to a one-shot pre-auth takeover.
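Added example, not a cPanel tool: a check that maps a dotted version string, such as the one reported by whmapi1 version, onto the fixed builds listed above and reports whether that build is still exposed. The track table is copied from the fix list; nothing is assumed about the surrounding output format, only the version string itself.

```python
# Minimum fixed build per supported track, from the fix list in the bulletin.
FIXED_BUILDS = {
    (11, 110): (11, 110, 0, 97),
    (11, 118): (11, 118, 0, 63),
    (11, 126): (11, 126, 0, 54),
    (11, 132): (11, 132, 0, 29),
    (11, 134): (11, 134, 0, 20),
    (11, 136): (11, 136, 0, 5),
}

def parse_version(text):
    """Turn '11.136.0.4' into (11, 136, 0, 4); reject anything that is not four integers."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised cPanel version string: {text!r}")
    return tuple(int(p) for p in parts)

def patch_status(text):
    """'patched', 'vulnerable' or 'unknown-track' for a cPanel/WHM version string.

    Tuple comparison does the right thing: 11.136.0.4 < 11.136.0.5, and any
    later build on the same track counts as carrying the fix. A track missing
    from the bulletin is not vouched for either way, so it is reported separately.
    """
    version = parse_version(text)
    fixed = FIXED_BUILDS.get(version[:2])
    if fixed is None:
        return "unknown-track"
    return "patched" if version >= fixed else "vulnerable"

def triage(versions):
    """Group a fleet's reported versions, e.g. {host: '11.136.0.4'}, by patch status."""
    groups = {"patched": [], "vulnerable": [], "unknown-track": []}
    for host, text in versions.items():
        groups[patch_status(text)].append(host)
    return groups
```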

If you don’t run cPanel directly but your site lives on a shared host, ask the provider whether the panel was patched and when. Most large hosts moved within hours; smaller resellers are the ones to chase. The blast radius matters because a single compromised WHM gives an attacker root on every site that shares the box.

And rotate. API tokens, mail passwords, FTP credentials, anything the panel had visibility into. The exploit doesn’t need to drop a backdoor to grab them; the panel hands them over by design once the session is forged. Patching closes the door; rotation changes the locks.

Quick reference

CVSS
Common Vulnerability Scoring System, the 0 to 10 severity scale used by NVD; 7.0+ counts as High, 9.0+ Critical.
CRLF injection
An attack that smuggles carriage-return + line-feed bytes into a header or session field so the parser ends up reading attacker-controlled fields where it expected one.
WHM
Web Host Manager, cPanel's server-level admin interface. While cPanel manages a single hosting account, WHM controls every account on the server, which means root-equivalent access.