watchTowr Labs reverse-engineered CVE-2026-41940: a CRLF injection + missing session filter in cPanel/WHM enables auth bypass across all supported versions, exploited in the wild as a zero-day.
Key Takeaways
Affects all currently supported cPanel/WHM versions; KnownHost confirmed active zero-day exploitation against WHM, the root-level management interface for 70M+ domains.
Root cause: saveSession in cpsrvd Basic auth handler wrote attacker-controlled pass (from Authorization: Basic) directly to disk with no CRLF stripping; filter_sessiondata was never called in that code path.
Session files are line-delimited key=value; a CRLF in the Basic-auth password therefore terminates the pass line and lets the attacker append arbitrary fields such as hasroot=1 to the on-disk session under /var/cpanel/sessions/raw/.
Second contributing factor: if the cookie’s <ob> hex segment is absent, the encoder is skipped entirely and pass is written in cleartext, so the injected CR/LF bytes reach the file unmodified and the resulting session contents are readable and predictable.
Patch moves filter_sessiondata inside saveSession itself and adds an explicit defined $ob && length $ob guard; patched builds listed for all six release tracks (110 through 136).
Hacker News Comment Review
Consensus: this is a textbook “don’t roll your own session handling” failure; cPanel’s custom Perl session machinery introduced a class of bugs that battle-tested frameworks already solved.
Commenters noted the scale impact is severe given WordPress-on-cPanel’s invisible ubiquity, framing the cleanup burden on shared-hosting sysadmins as significant.
Notable Comments
@superasn: “Session handling, auth, crypto, password hashing…be the most allergic to rolling your own” – sharp articulation of the root policy failure.
@0xbadcafebee: argues for a software “building code” analogy – structural liability framework for internet infrastructure security.