Hasty Briefs (beta)

The Internet Is Falling Down - cPanel/WHM Authentication Bypass CVE-2026-41940

5 hours ago
  • #CVE-2026-41940
  • #cPanel
  • #Authentication Bypass
  • CVE-2026-41940 is an authentication bypass vulnerability affecting all supported versions of cPanel & WHM due to flaws in session loading and saving.
  • The vulnerability allows attackers to inject newline-separated key-value pairs into session files via a crafted HTTP Basic authentication header when the session cookie lacks an obfuscation key.
  • Exploitation involves creating a preauth session, injecting malicious data to set flags like 'hasroot=1' and 'tfa_verified=1', and then triggering cache regeneration to promote these injections to top-level session keys.
  • Successful exploitation bypasses password checks by leveraging injected timestamps (e.g., 'successful_internal_auth_with_timestamp'), granting unauthorized administrative access without valid credentials.
  • watchTowr Labs provides a Detection Artifact Generator to help identify vulnerable systems, noting that in-the-wild exploitation has already been observed.
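The injection vector summarised above is an HTTP Basic credential that carries embedded line breaks so that extra `key=value` pairs land in the session file. A defender can screen for that shape at the edge or in access logs before a request ever reaches the session code. The following is an added example, not watchTowr's Detection Artifact Generator and not cPanel code: it decodes the Basic credential, flags any CR/LF inside it, and flags follow-on lines that name one of the session keys quoted in this brief (`hasroot`, `tfa_verified`, `successful_internal_auth_with_timestamp`). The assumption that injected lines take the form `key=value` follows from the summary; the key list and the sample headers are constructed for the example.

```python
import base64
import binascii
import re

# Session keys named in this brief; treated as an allow-list of names that must never
# appear inside a Basic credential. Constructed rule, not a vendor signature.
SUSPICIOUS_KEYS = frozenset({
    "hasroot",
    "tfa_verified",
    "successful_internal_auth_with_timestamp",
})


def decode_basic(header_value):
    """Return the decoded credential of an HTTP Basic Authorization header, or None
    if the header is not Basic or the base64 payload is malformed."""
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def inspect_basic_auth(header_value):
    """Return the list of reasons the header looks like a session-file injection
    attempt. An empty list means nothing suspicious was found."""
    cred = decode_basic(header_value)
    if cred is None:
        return []
    reasons = []
    # A legitimate user:password pair is a single line; any line break is a red flag.
    if "\n" in cred or "\r" in cred:
        reasons.append("embedded line break in Basic credential")
    # Every line after the first is a candidate injected session entry.
    for line in re.split(r"\r?\n", cred)[1:]:
        match = re.match(r"^([A-Za-z0-9_]+)=", line)
        if match and match.group(1) in SUSPICIOUS_KEYS:
            reasons.append(f"injected session key {match.group(1)!r}")
    return reasons


def scan_requests(requests):
    """Run inspect_basic_auth over (request_id, authorization_header) pairs and
    return {request_id: reasons} for the ones that were flagged."""
    findings = {}
    for request_id, header in requests:
        reasons = inspect_basic_auth(header)
        if reasons:
            findings[request_id] = reasons
    return findings


def _basic(credential):
    # Helper to build a Basic header from a credential string (for the samples below).
    return "Basic " + base64.b64encode(credential.encode()).decode()


# Constructed sample requests: one normal login and one carrying the injection shape
# described in the brief. These are illustrative, not captured traffic.
SAMPLE_REQUESTS = [
    ("req-1", _basic("admin:s3cret")),
    ("req-2", _basic("admin:x\nhasroot=1\ntfa_verified=1")),
    ("req-3", "Bearer not-a-basic-header"),
]

if __name__ == "__main__":
    for request_id, reasons in scan_requests(SAMPLE_REQUESTS).items():
        print(request_id, "->", "; ".join(reasons))
```

Only `req-2` is reported, with one reason for the line break and one per injected key. The same check slots naturally into a WAF rule or a log-parsing job: treat any Basic credential containing `%0A`/`%0D` after decoding as a hard block, and alert on the key names regardless of what follows the `=`.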