
cPanel Critical Vulnerability CVE-2026-41940: Why Control Panels Are a Security Risk

Muhammad Saad · May 1, 2026 · 11 min read

On April 28, 2026, cPanel released an emergency patch for CVE-2026-41940 — a critical authentication bypass vulnerability with a CVSS score of 9.8 out of 10. Within 48 hours, CISA added it to their Known Exploited Vulnerabilities catalog, confirming attackers were already using it in the wild.

This isn't a theoretical risk. Hosting providers like KnownHost confirmed active exploitation before the patch even existed. Namecheap temporarily blocked cPanel management ports entirely. With approximately 1.5 million cPanel instances exposed online and the software managing an estimated 70 million domains worldwide, this is one of the most significant hosting security incidents in recent years.

Here's what happened, who's affected, and what it means for how you host your websites.

What Is CVE-2026-41940?

The vulnerability is a CRLF (Carriage Return Line Feed) injection in cPanel's session handling. An attacker can craft a malicious HTTP request that injects arbitrary data into session files, bypassing password verification entirely.

The attack works like this:

  1. Trigger a session — The attacker sends a failed login request to create a pre-authentication session file on the server.
  2. Inject session data — A specially crafted HTTP Basic Authentication header containing newline characters bypasses input sanitization. The password field only strips null bytes, allowing \r\n characters through.
  3. Poison the cache — A follow-up request forces cPanel to re-parse the session file. The injected newlines create new key-value pairs that the system treats as legitimate session properties.
  4. Bypass authentication — The injected session data includes flags that tell cPanel the user has already authenticated, skipping the actual password check against /etc/shadow.

The result: full root-level access to the server's control panel without knowing any credentials.
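
The bug class behind steps 2 to 4, as an added example (not cPanel's code and not part of the original article): a toy line-oriented session store in which a filter that strips only null bytes lets an embedded CRLF turn into a new key-value pair, next to two fixes. The file format and the field names `user`, `pass` and `authenticated` are assumptions made for illustration.

```python
from urllib.parse import quote, unquote

# Toy line-oriented session store for illustration; NOT cPanel's real format.
# Field names (user, pass, authenticated) are constructed for this example.

def strip_nulls_only(value):
    """Weak filter from the article: drops NUL bytes, lets CR/LF through."""
    return value.replace("\x00", "")

def reject_control_chars(value):
    """Hardened filter: refuse control characters instead of cleaning them."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError("control character in session value")
    return value

def serialize(fields, sanitize):
    """One key=value pair per line, as a line-oriented session file stores them."""
    return "".join(f"{k}={sanitize(v)}\n" for k, v in fields.items())

def parse(text, decode=lambda v: v):
    """Re-read the file; every line break starts a new key=value pair."""
    session = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            session[key] = decode(value)
    return session

# Constructed input: a password value carrying an embedded CRLF.
SAMPLE = {"user": "alice", "pass": "x\r\nauthenticated=1"}

def weak_roundtrip():
    """The injected line comes back as its own session property."""
    return parse(serialize(SAMPLE, strip_nulls_only))

def encoded_roundtrip():
    """Percent-encoding keeps the CRLF as data inside the one 'pass' value."""
    return parse(serialize(SAMPLE, lambda v: quote(v, safe="")), unquote)

if __name__ == "__main__":
    print("weak:   ", weak_roundtrip())
    print("encoded:", encoded_roundtrip())
    try:
        serialize(SAMPLE, reject_control_chars)
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting control characters at the input boundary and encoding values at the storage boundary are independent controls; either one alone stops the injected line from becoming a session property here.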

Every Supported Version Was Vulnerable

This wasn't limited to old or unpatched installations. Every currently supported version of cPanel & WHM was affected:

  • cPanel & WHM 110.x through 11.110.0.96
  • cPanel & WHM 118.x through 11.118.0.61
  • cPanel & WHM 126.x through 11.126.0.53
  • cPanel & WHM 132.x through 11.132.0.27
  • cPanel & WHM 134.x through 11.134.0.19
  • cPanel & WHM 136.x through 11.136.0.4

If you're on shared hosting with a cPanel-based provider, your server was likely vulnerable — even if the hosting company applied the patch quickly.

Who Is Affected?

cPanel is the backbone of the shared hosting industry. Major providers that use or have used cPanel include GoDaddy, Hostinger, SiteGround, Namecheap, A2 Hosting, and thousands of smaller hosts. The software manages everything from DNS records to email accounts to file permissions.

When a vulnerability gives attackers root access to the control panel, they don't just compromise one website. They compromise every website on that server — often hundreds of sites sharing the same machine on a shared hosting plan.

This is the fundamental problem with shared hosting control panels: they're a single point of failure for massive numbers of websites.

The Shared Hosting Security Problem

CVE-2026-41940 isn't an isolated incident. Control panels like cPanel are attractive targets because:

  • High value, single target — One exploit gives access to hundreds of websites on a single server.
  • Always internet-facing — Control panel management ports (2083, 2087) must be accessible for the product to work.
  • Complex attack surface — cPanel is a massive codebase handling authentication, file management, email, DNS, databases, and more. Each component is a potential entry point.
  • Shared resource model — On shared hosting, all tenants run on the same OS. A root-level compromise affects everyone.
  • Slow patch adoption — Many hosting providers don't apply patches immediately, leaving a window of exposure.

This vulnerability was exploited as a zero-day before any patch existed. Hosting providers couldn't protect their customers even if they wanted to — they had to wait for cPanel to release a fix.

VPS Hosting: Why Isolation Matters

The alternative to shared hosting with a control panel dependency is VPS (Virtual Private Server) hosting, where each customer gets their own isolated environment.

Here's how VPS hosting avoids the problems exposed by CVE-2026-41940:

No Shared Control Panel

On a VPS, there's no cPanel sitting on ports 2083/2087 waiting to be exploited. Your server management happens through SSH, APIs, or your hosting provider's dashboard — none of which share authentication with other customers' servers.

Container Isolation

Modern VPS platforms use container isolation. Each application runs in its own container with its own filesystem, process namespace, and network stack. Even if one container is compromised, the attacker can't reach other containers on the same host.

Smaller Attack Surface

A VPS doesn't need to run a web-based control panel with thousands of features. The fewer services running on your server, the fewer potential vulnerabilities.

Direct Control

With SSH access and Git-based deployments, you control exactly what runs on your server. You're not dependent on a third-party control panel vendor to patch critical vulnerabilities before your server gets compromised.

What to Do If You Use cPanel Hosting

If your website is currently on cPanel-based shared hosting, here are immediate steps:

  1. Check with your host — Ask whether they've applied the April 28 emergency patch for CVE-2026-41940. If they can't confirm, consider your server potentially compromised.
  2. Review access logs — Look for unusual login activity or new cPanel accounts you didn't create.
  3. Change all passwords — cPanel password, FTP, email, database passwords. If an attacker gained root access, all credentials should be considered exposed.
  4. Check for backdoors — Root access means attackers could have installed persistent backdoors, cron jobs, or modified system files.
  5. Consider migration — If you're running business-critical applications on shared cPanel hosting, this is a strong signal to evaluate VPS alternatives where you have more control over your security posture.

How DeployBase Handles Security Differently

DeployBase uses a container-based architecture instead of traditional shared hosting with control panels:

  • Docker container isolation — Each application runs in its own container with dedicated resources. No shared PHP processes, no shared file systems.
  • No cPanel dependency — Server management through our API and dashboard, with SSH access for direct control. No third-party control panel attack surface.
  • Automatic SSL — Free Let's Encrypt certificates provisioned and renewed automatically. No control panel needed.
  • SSH + Git deployments — Deploy via Git push or SSH. No FTP, no file manager web interfaces to exploit.
  • Per-application firewalls — Network policies are scoped to individual containers, not shared across all sites on a server.
  • Automatic security headers — HSTS, X-Content-Type-Options, and Referrer-Policy applied at the platform level.

The fundamental difference: your application's security doesn't depend on a control panel that manages 70 million other domains. Your container is yours.

The Bigger Picture

CVE-2026-41940 is a reminder that the security of your website isn't just about your code — it's about your entire hosting infrastructure. Shared hosting with control panel dependencies creates risk that no amount of application-level security can mitigate.

When a single vulnerability in a control panel can compromise millions of websites simultaneously, the architecture itself is the problem. Container isolation, minimal attack surfaces, and direct SSH access aren't just conveniences — they're security fundamentals.

If you're evaluating your hosting setup after this incident, consider what happens when the next critical CVE drops. Will you be waiting for a third-party vendor to patch a control panel before your server is safe? Or will you have direct control over an isolated environment where the blast radius of any single vulnerability is limited to one container?

May 4 Update: Sorry Ransomware Campaign Hits 44,000 Servers

Update: The situation has escalated dramatically. A ransomware campaign dubbed Sorry is now mass-exploiting CVE-2026-41940 across the internet.

According to Shadowserver, at least 44,000 IP addresses running cPanel have been compromised. DFIR teams report 15,000 new infections in a single day. The CISA remediation deadline passed on May 3 — yet 1.5 million exposed cPanel instances remain online.

How the Sorry Ransomware Works

After exploiting the authentication bypass to gain root access, attackers deploy a multi-stage payload:

  1. Persistence first — SSH keys injected into /root/.ssh/authorized_keys, a hidden SUID binary placed at /usr/bin/.system_cache, and cron job C2 beacons added to /etc/cron.daily/. Even if the cPanel patch is applied, the backdoors survive.
  2. Encryption — A Go-based Linux encryptor encrypts all web directories, databases, and customer files. Encrypted files get the .sorry extension (e.g., index.php.sorry).
  3. Ransom note — A README.md is dropped in every affected directory directing victims to contact the attacker via TOX messaging.

Because cPanel manages entire shared hosting servers, a single compromised instance encrypts every website on that server — often dozens or hundreds of sites, databases, and customer portals simultaneously.

What This Means

This is no longer a vulnerability advisory — it is an active crisis affecting tens of thousands of servers. If you are on shared hosting powered by cPanel and your provider has not confirmed they patched before May 1, assume compromise is possible. Check for the persistence indicators listed above (SSH keys, hidden binaries, cron jobs) and consider migrating to isolated hosting immediately.
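
One way to run that check, as an added example rather than a vendor tool or code from the original article: a read-only Python triage that looks for the indicators named in this update under a given root. The `web_dirs` and `since` parameters and their defaults are assumptions; set them to your document roots and exposure window.

```python
import os
import stat
from pathlib import Path

# Indicators named in this article, relative to the filesystem root.
HIDDEN_BINARY = "usr/bin/.system_cache"
ROOT_KEYS = "root/.ssh/authorized_keys"
CRON_DIR = "etc/cron.daily"

def triage(root="/", web_dirs=("home", "var/www"), since=0.0):
    """Return (kind, path, detail) findings under `root` for manual review.

    Assumptions of this example: `web_dirs` are the document roots to walk,
    `since` (epoch seconds) is the start of the exposure window.
    """
    base, findings = Path(root), []

    binary = base / HIDDEN_BINARY
    if binary.exists():
        suid = bool(binary.stat().st_mode & stat.S_ISUID)
        findings.append(("hidden-binary", str(binary), f"suid={suid}"))

    keys = base / ROOT_KEYS
    if keys.is_file():
        # Good and bad keys look alike: list every entry for a human to vet.
        lines = keys.read_text(errors="replace").splitlines()
        for n, line in enumerate(lines, 1):
            if line.strip() and not line.lstrip().startswith("#"):
                findings.append(("root-ssh-key", str(keys), f"line {n}"))

    cron = base / CRON_DIR
    if cron.is_dir():
        for job in sorted(cron.iterdir()):
            if job.lstat().st_mtime >= since:
                findings.append(("cron-daily-changed", str(job), ""))

    for web in web_dirs:
        for dirpath, _dirs, files in os.walk(base / web):
            hits = [f for f in files if f.endswith(".sorry")]
            if hits:
                note = ", README.md present" if "README.md" in files else ""
                detail = f"{len(hits)} file(s){note}"
                findings.append(("encrypted-files", dirpath, detail))
    return findings

if __name__ == "__main__":
    for kind, path, detail in triage():
        print(f"{kind:20} {path} {detail}")
```

Run it as root against `/`, or pass the mount point of a disk image as `root`. Findings are leads for manual review, and an empty result does not establish that a server is clean.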

The Sorry campaign is a textbook demonstration of why architectural decisions in hosting matter. When one control panel breach can encrypt hundreds of websites at once, the shared hosting model itself becomes the vulnerability.

May 6 Update: Targeted Government and MSP Attacks

Update: CVE-2026-41940 has escalated from mass ransomware campaigns to targeted attacks on government, military, and managed service provider (MSP) networks.

Security researchers at Ctrl-Alt-Intel identified a targeted campaign launched on May 2, 2026, exploiting publicly available proof-of-concept code from GitHub. Unlike the opportunistic "Sorry" ransomware attacks, this campaign shows hallmarks of an advanced threat actor with specific objectives.

Who Is Being Targeted

Attacks originating from IP 95.111.250[.]175 specifically targeted:

  • Government and military domains — Philippines (*.mil.ph, *.gov.ph) and Laos (*.gov.la)
  • Managed service providers (MSPs) — Hosting companies in the Philippines, Laos, Canada, South Africa, and the United States

The MSP targeting is particularly concerning. When an MSP is compromised, the attacker gains access to every client network the MSP manages — often dozens or hundreds of businesses that trust the MSP with their infrastructure.

Sophisticated Persistence Mechanisms

This threat actor deployed the AdaptixC2 command-and-control framework alongside OpenVPN and Ligolo for persistent access to internal victim networks. Security researchers observed the same actor previously exploiting an Indonesian defense training portal using hard-coded credentials and CAPTCHA bypass techniques, then exfiltrating Chinese railway-sector documents.

This is not ransomware. This is espionage-grade infrastructure compromise using a publicly disclosed control panel vulnerability.

Three Stages of CVE-2026-41940 Exploitation

The evolution of this vulnerability in the wild demonstrates why control panel security matters:

  1. April 28: cPanel releases emergency patch for authentication bypass (CVSS 9.8). Exploitation attempts observed before patch release.
  2. Early May: "Sorry" ransomware campaign exploits 44,000+ servers in mass attacks. Automated, opportunistic, financially motivated.
  3. May 2-6: Targeted government, military, and MSP attacks. Deliberate, persistent, espionage-focused.

The vulnerability went from zero-day to ransomware to nation-state-grade exploitation in less than two weeks.

The MSP Supply Chain Problem

If you are a small business using an MSP for hosting or IT management, consider this: your security is only as strong as your MSP's security. If the MSP runs cPanel on its infrastructure management servers, every client it manages is exposed.

A single compromised cPanel instance at an MSP can provide:

  • Access to client websites and databases
  • Control over DNS records for hundreds of domains
  • Email server access across all client accounts
  • SSH credentials and root access to client VPS instances
  • Billing and customer data

This is not theoretical. It is happening right now, in Southeast Asia and North America, targeting hosting providers that manage infrastructure for businesses like yours.

What This Means

CVE-2026-41940 is no longer just a hosting security issue. It is an active attack vector for threat actors targeting critical infrastructure and supply chains.

If your hosting still depends on cPanel — whether you manage it yourself or your MSP does — you are in the blast radius of an actively exploited, high-severity vulnerability that has progressed from ransomware to government-targeted espionage attacks.

The architectural argument we made in the original article stands: control panels managing hundreds of domains on shared infrastructure are an unacceptable security model. Not just for performance or cost reasons — for national security and supply chain integrity.

When small businesses, government agencies, and MSPs all share the same attack surface, everyone loses.
