Number: AL26-008
Date: April 29, 2026
Audience
This Alert is intended for IT professionals and managers.
Purpose
An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security (“Cyber Centre”) is also available to provide additional assistance regarding the content of this Alert to recipients as requested.
Details
The Cyber Centre is aware of a critical vulnerability impacting cPanel and WebHost Manager (WHM)Footnote 1. In response to the vendor advisory released on April 29, 2026, the Cyber Centre released AV26-404 on April 29, 2026Footnote 2.
Tracked as CVE-2026-41940Footnote 3, this vulnerability is a missing authentication for critical function vulnerability (CWE-306)4 affecting cPanel and WebHost Manager (WHM), the widely used web hosting control panel that simplifies server and website management. This vulnerability allows unauthenticated remote attackers to gain access to administrative interfaces.
Exploitation of CVE‑2026‑41940 can allow attackers to:
- Access cPanel and WebHost Manager (WHM) administrative interfaces.
- Take control of hosted websites, databases, and email accounts.
- Modify server configurations.
- Potentially compromise thousands of downstream sites on shared hosting servers.
Based on available information at the time of release, exploitation is highly probable. Immediate action is required.
Suggested actions
The Cyber Centre recommends that organizations using cPanel and WebHost Manager (WHM), review the cPanel security bulletinFootnote 1 and update or upgrade the affected instances to the following versions:
| Affected product | Affected versions | Fixed versions |
|---|---|---|
| cPanel & WHM | Versions prior to 11.110.0.97 | 11.110.0.97 |
| cPanel & WHM | Versions prior to 11.118.0.63 | 11.118.0.63 |
| cPanel & WHM | Versions prior to 11.126.0.54 | 11.126.0.54 |
| cPanel & WHM | Versions prior to 11.132.0.29 | 11.132.0.29 |
| cPanel & WHM | Versions prior to 11.134.0.20 | 11.134.0.20 |
| cPanel & WHM | Versions prior to 11.136.0.5 | 11.136.0.5 |
| cPanel & WHM | Versions prior to WP squared 11.136.1.7 | WP squared 11.136.1.7 |
cPanel emphasizes that users on unsupported software must transition to a supported server environment at once, because legacy releases will not receive any security patches.
- Update cPanel and WebHost Manager (WHM) to a patched version listed above.
- Server operators can manually enforce the update process using the command-line interface, along with confirming installed versionFootnote 1.
- Restrict network access to cPanel/WHM interfaces (e.g., firewall IP allowlists) until patched.
- Review logs for suspicious login activity or unauthorized access.
- Follow official cPanel security advisories and monitoring guidance.
In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre’s Top 10 IT Security Actions with an emphasis on the following topicsFootnote 5.
- Patch operating systems and applications
- Enforce the management of administrative privileges
- Harden operating systems and applications
- Isolate web-facing applications
- Implement application allow lists
Should activity matching the content of this alert be discovered, recipients are encouraged to report via My Cyber Portal or email contact@cyber.gc.ca.
