A severe authentication bypass vulnerability in cPanel, one of the most widely deployed web hosting control panel platforms on the internet, is being actively exploited in the wild, according to security researchers and hosting providers.The vulnerability, tracked as CVE-2026-41940, affects all supported versions of cPanel and WebHost Manager (WHM) released after version 11.40, as well as WP Squared, a WordPress hosting management panel built on the cPanel platform. Internet scans conducted by security firm Rapid7 using the Shodan search engine identified approximately 1.5 million cPanel instances exposed online, though the precise number of vulnerable systems remains unknown.cPanel released a patch Tuesday. By that point, exploitation had already been underway. KnownHost, a hosting provider that relies on cPanel, said earlier this week that successful exploits had been observed in the wild prior to any fix being made available. The Cybersecurity and Infrastructure Security Agency added the CVE to its Known Exploited Vulnerabilities (KEV) list Thursday. Cybersecurity firm watchTowr provided technical details in a blog posted Wednesday: The flaw stems from improper handling of user input during the login process. When a user attempts to log in, cPanel writes data from the request into a server-side session file before verifying the user’s identity. An attacker can exploit this by embedding hidden line breaks into the password field of a login request — characters cPanel fails to strip out — allowing arbitrary data to be injected directly into that file.Through a secondary step, also involving a deliberately malformed request, the injected data gets promoted into the session’s active cache, where cPanel reads it as legitimate. Once that happens, the system sees the session as already authenticated and skips password verification entirely, granting access without ever checking the user’s actual credentials.cPanel has published a detection script designed to scan session files for indicators of compromise, including sessions that contain injected authentication timestamps, pre-authentication sessions with authenticated attributes, and password fields containing embedded newlines. WatchTowr separately released a “Detection Artifact Generator” that administrators can use to verify whether their instances remain vulnerable.Namecheap, a major domain registrar and hosting provider, took the step of temporarily blocking connections to cPanel and WHM ports 2083 and 2087 ahead of patch availability, citing the need to protect customers while an official fix was pending. The company began applying the patch after cPanel’s release earlier this week.cPanel’s patched releases address the issue across seven version branches, from 11.110.0 through 11.136.0, as well as WP Squared version 11.136.1. The company’s advisory notes that the fix ensures potentially dangerous input is scrubbed automatically within the core session-saving process, rather than depending on each individual part of the codebase to do so separately. The patch also adds handling for cases where a per-session encryption key is missing, a condition the original code failed to account for and that attackers were able to exploit to bypass password encoding entirely.The CVE has been given a 9.8 on the CVSS scale. The post cPanel’s authentication bypass bug is being exploited in the wild, CISA warns appeared first on CyberScoop.