
Security Researchers Release Scanner for Critical cPanel Authentication Bypass Vulnerability

Tech & Science · AI-Generated & Algorithmically Scored

AI-generated from multiple sources. Verify before acting on this reporting.

LONDON (May 8, 2026) — A critical authentication bypass vulnerability affecting cPanel and WHM servers has been actively exploited since February, prompting security researchers to release a free scanning tool to help organizations detect compromised systems.

Pentest-Tools.com published the scanner on Thursday to assist administrators in identifying servers vulnerable to CVE-2026-41940. The flaw allows unauthenticated attackers to bypass the cPanel login process through CRLF injection, potentially granting unauthorized access to web hosting control panels.

The vulnerability impacts internet-facing cPanel and WHM servers globally. Security experts warn that the window of exposure has been significant, with exploitation activity detected beginning in early February 2026. The release of the detection tool comes as part of a broader effort to mitigate the risk posed by the unpatched systems.

Cloudflare, a major internet infrastructure provider, has been monitoring traffic patterns associated with the vulnerability. The company noted an increase in malicious requests targeting cPanel login endpoints over the past three months. KnownHost, a web hosting provider, has advised its customers to apply immediate patches and verify the integrity of their control panel configurations.

WP Squared, a WordPress hosting service, confirmed that it has updated its infrastructure to address the flaw. The company stated that all client accounts have been scanned and secured against the authentication bypass technique. WatchTowr Labs, a cybersecurity firm, has also issued alerts to its clients regarding the active exploitation of CVE-2026-41940.

The scanner released by Pentest-Tools.com is designed to identify servers that remain vulnerable to the CRLF injection attack. Researchers emphasize that the tool should be used by authorized personnel only, as scanning unauthorized systems may violate computer crime laws. The utility provides administrators with a method to verify whether their cPanel instances are susceptible to the authentication bypass.
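Beyond scanning for the vulnerability itself, administrators can look backwards through their own web server logs for the request pattern the article describes: CRLF sequences injected into requests aimed at the cPanel login endpoint. The script below is an added example written for this page; it is not Pentest-Tools.com's scanner and not cPanel code. It assumes Apache-style combined log lines, assumes the login endpoint lives under `/login/`, and runs over a few constructed sample lines embedded in the block. It reports each request whose target contains a carriage return or line feed after one or more URL-decoding passes, and rates hits against the login path higher than hits elsewhere.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines for demonstration only; no real traffic.
# The second and fourth lines carry single- and double-encoded CRLF aimed at
# the (assumed) cPanel login path; the third carries a bare LF elsewhere.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Feb/2026:10:02:11 +0000] "GET /login/?login_only=1 HTTP/1.1" 200 512
203.0.113.11 - - [06/Feb/2026:10:02:12 +0000] "POST /login/?user=admin%0d%0aX-Injected:%201 HTTP/1.1" 302 0
203.0.113.12 - - [06/Feb/2026:10:02:13 +0000] "GET /cpanel?foo=bar%0A HTTP/1.1" 200 100
203.0.113.13 - - [06/Feb/2026:10:02:14 +0000] "GET /login/?id=%250d%250a HTTP/1.1" 200 512
203.0.113.14 - - [06/Feb/2026:10:02:15 +0000] "GET /frontend/jupiter/index.html HTTP/1.1" 200 2048
"""

# Apache/nginx combined-format prefix: client, identd, user, [timestamp],
# "METHOD TARGET PROTO", status. The rest of the line is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Assumed login path prefix; adjust for the paths your deployment actually exposes.
LOGIN_PATHS = ("/login",)


def crlf_depth(target, max_rounds=3):
    """Return how many URL-decoding passes are needed before a raw CR or LF
    appears in the request target, or None if none appears within max_rounds.
    Depth 0 means the control character was already literal; depth 2 means
    the sequence was double-encoded (e.g. %250d)."""
    cur = target
    for depth in range(max_rounds + 1):
        if "\r" in cur or "\n" in cur:
            return depth
        nxt = unquote(cur)
        if nxt == cur:  # nothing left to decode
            return None
        cur = nxt
    return None


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text):
    """Scan log text and return one finding per request carrying CRLF characters."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        depth = crlf_depth(rec["target"])
        if depth is None:
            continue
        path = rec["target"].split("?", 1)[0]
        severity = "high" if path.startswith(LOGIN_PATHS) else "medium"
        findings.append({
            "ip": rec["ip"],
            "timestamp": rec["ts"],
            "method": rec["method"],
            "target": rec["target"],
            "status": int(rec["status"]),
            "decode_depth": depth,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']} {f['method']} {f['target']} "
              f"-> {f['status']} (CRLF at decode depth {f['decode_depth']})")
```

Feed it real logs with `scan_log(open("access_log").read())`; hits rated `high` are the ones to correlate with the response status and with subsequent session activity from the same client, since a login endpoint returning success to a request carrying injected line breaks is exactly the condition the article says was being exploited. The multi-pass decoding matters because a single `unquote` would miss double-encoded sequences such as `%250d%250a`.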

cPanel LLC has not yet issued a public statement regarding the timeline of the vulnerability's discovery or the availability of a comprehensive patch. The company's support channels have been directing users to apply the latest updates available through their standard update mechanisms. Some administrators have reported difficulty in determining whether their systems are fully protected without running external scans.

The active exploitation of the vulnerability raises concerns about the potential for widespread compromise of web hosting accounts. Security researchers are urging all cPanel users to verify their systems immediately. The situation remains fluid as organizations work to assess the extent of the exposure and implement necessary security measures.

Questions remain regarding the number of servers that may have been compromised during the period of active exploitation. Researchers are calling for further investigation into the scope of the attacks and the potential data breaches that may have occurred as a result of the vulnerability.