CVE-2026-41940 cPanel & WHM Authentication Bypass #2183
Open
carlospolop wants to merge 1 commit into master from
🔗 Additional Context
Original Blog Post: https://www.rapid7.com/blog/post/etr-cve-2026-41940-cpanel-whm-authentication-bypass
Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> CRLF (%0D%0A) Injection (add: CRLF leading to session-file poisoning / auth bypass) and/or Pentesting Web -> Login Bypass / Authentication Bypass (case study: pre-auth session persistence + header injection). Optionally cross-link under Network Services Pentesting -> 80,443 -> cPanel/WHM (if a dedicated page exists/gets created)."
Repository Maintenance:
Review Notes:
Bot Version: HackTricks News Bot v1.0
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
Overview
CVE-2026-41940 is a critical unauthenticated authentication bypass in cPanel & WHM and WP Squared, fixed by a cPanel security update released on April 28, 2026 (release notes: “an issue with session loading and saving”). The CVE was assigned April 29, 2026 and has CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Because WHM provides root-level administration and cPanel manages hosted sites, successful expl...
🔧 Technical Details
Pre-auth session file poisoning via CRLF injection: If a service persists session state to disk before\r\n, an attacker can perform CRLF injection to create extra lines/fields in the serialized session. When the application later reloads and trusts those fields, the attacker can inject privileged attributes (e.g., user=root) and convert an unauthenticated request into an authenticated/admin session.

Cookie-format manipulation to bypass protective encryption/encoding: When a session cookie has a structured multi-segment format where the presence/shape of segments determines whether user-controlled data is encrypted/encoded, intentionally omitting or altering an expected segment can force a weaker parsing/handling path. If that weaker path feeds into a persistence sink (like a session file wri...
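The session-file poisoning pattern above, as an added example that is neither cPanel's code nor part of this PR: a constructed line-based pre-auth session store in the vulnerable shape (untrusted values written verbatim) beside a writer that refuses control bytes and a loader that fails closed on unknown, duplicate, or pre-auth identity fields. The `key=value`-per-line record format, the key names and `SessionPoisoningError` are assumptions.

```python
"""Constructed example (not cPanel/WHM code): a line-based pre-auth session
store in the vulnerable shape described above, beside a hardened version.
Assumed record format: one `key=value` per line, reloaded on the next request."""
import re

ALLOWED_KEYS = {"sid", "pre_auth", "ip", "user"}  # the only loadable fields
_CTRL = re.compile(r"[\x00-\x1f\x7f]")            # CR, LF and other control bytes


class SessionPoisoningError(ValueError):
    """A key or value would cross a line/field boundary, or a record is inconsistent."""


def naive_serialize(fields: dict) -> str:
    """Vulnerable writer: untrusted values go to disk verbatim, so a value that
    carries CR/LF becomes an extra line the loader later treats as a field."""
    return "".join(f"{k}={v}\n" for k, v in fields.items())


def serialize_session(fields: dict) -> str:
    """Hardened writer: refuse any key or value that could cross a boundary."""
    out = []
    for key, value in fields.items():
        if key not in ALLOWED_KEYS:
            raise SessionPoisoningError(f"disallowed key {key!r}")
        value = str(value)
        if _CTRL.search(value):
            raise SessionPoisoningError(f"control byte in value for {key!r}")
        out.append(f"{key}={value}\n")
    return "".join(out)


def load_session(text: str) -> dict:
    """Fail-closed loader: no unknown keys, no duplicate keys, and no identity
    field on a record that is still marked pre-authentication."""
    fields = {}
    for raw in text.splitlines():
        if not raw:
            continue
        key, sep, value = raw.partition("=")
        if not sep or key not in ALLOWED_KEYS:
            raise SessionPoisoningError(f"unexpected line {raw!r}")
        if key in fields:
            raise SessionPoisoningError(f"duplicate field {key!r}")
        fields[key] = value
    if fields.get("pre_auth") == "1" and "user" in fields:
        raise SessionPoisoningError("identity field on pre-auth record")
    return fields
```

Feeding a record written by `naive_serialize` from a header value containing CRLF into `load_session` shows the extra line being caught, while the same record passes a loader that simply takes the last value for each key.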
🤖 Agent Actions
I’m mapping the relevant HackTricks sections first, then I’ll read the candidate pages for CRLF injection, login bypass, and cPanel/WHM coverage before deciding whether this adds anything new.
I have the candidate targets. Next I’m reading the existing pages that are closest to session poisoning, cookie manipulation, CRLF injection, and auth bypass to see whether the technique is already covered and where the delta belongs.
The existing CRLF page covers response splitting, header injection, and request injection, but not the specific pattern here: pre-auth session persistence plus CRLF into a server-side session store to inject trusted fields on reload. I’m verifying that with a quick pass over the external references, then I’ll patch the CRLF page if the gap holds.
The gap is real enough to document: this is not just generic login bypass, it is a reusable CRLF pattern where unsanitized header data poisons a pre-auth server-side session record and becomes trusted state on reload. I’m patching the CRLF page and keeping the addition in a single file.
The edit is in place. I’m doing a final verification pass on the modified section and the references block to make sure the addition is clean, non-duplicative, and stays within the one-file constraint.
Updated crlf-0d-0a.md with a new section covering the reusable technique behind CVE-2026-41940: pre-auth session persistence plus CRLF-based session-file poisoning leading to auth bypass. I kept it in a single file, framed it as a generic technique instead of a CVE writeup, and added concise detection/triage notes plus the Rapid7, watchTowr, and cPanel references at the end.
I did not create a new cPanel/WHM page or touch the login-bypass page because the core novelty here is best captured under CRLF injection, and the existing login bypass content is too generic for this server-side session poisoning pattern. No automated tests were run; I verified the final markdown and diff manually.
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.