Dear Valued Clients,
We're writing to make you aware of a critical authentication bypass vulnerability (CVE-2026-41940) disclosed by cPanel on 28 April 2026, affecting all cPanel & WHM versions after 11.40, including DNSOnly and WP Squared.
What we've done:
Our team has applied the official cPanel patch to all servers in our environment, bringing them up to one of the supported patched builds. The cpsrvd service has been restarted and we have run cPanel's official detection script across our session files to check for any indicators of compromise.
What you should do:
No action is required from you — your hosting service remains secure and operational. As a precaution, we recommend resetting your cPanel password and ensuring it is strong and unique.
If you have any questions, please contact our support team.
