cPanel Has a Critical Auth Bypass Exploited Since February. Read This If You Have Forgotten Infrastructure.
CVE-2026-41940 is a critical authentication bypass in cPanel and WebHost Manager that has been exploited in the wild since February. By April 30, at least 44,000 IP addresses had been compromised. By May 3, that figure had dropped to roughly 3,540 as patches landed and incident response caught up. Most of the bigger hosting providers have already patched. The remaining exposure is concentrated in the smaller, sleepier corners of the internet.
That last sentence is why this CVE matters more for solo operators than the headline number suggests. The most likely place this exposure exists in your life is not a production system you actively maintain. It's the forgotten infrastructure — the old WordPress site you set up in 2021, the email account you use for receipts, the side project that's been quietly running on a $5/month shared host since you got distracted by the next thing. Here's the 30-minute audit and why it's worth doing today.
What's actually broken
cPanel and WHM are the control panels that 95%+ of shared hosting providers use under the hood. Bluehost, HostGator, GoDaddy shared, SiteGround, A2 Hosting, Namecheap shared, every regional reseller — they almost all run cPanel. If you've ever bought hosting for $5–$15/month, you've used cPanel.
CVE-2026-41940 lets a remote attacker bypass authentication and gain elevated control of the panel. Once they have that, they can read every file in every account on the server, install backdoors, change DNS records, redirect email, and exfiltrate database contents — including the password hashes for every WordPress site on the host. The exploitation pattern observed in the wild has been the predictable one: install a webshell, harvest credentials, sell access on a marketplace, repeat.
The patch has been available since the disclosure. The exposure window for properly-managed providers was hours. The exposure window for properly-managed indie sites has been longer than that. And the exposure window for your forgotten infrastructure could still be open right now.
Why "forgotten infrastructure" is the right framing
The way this CVE actually bites a solo operator is not "my production SaaS got breached." It's "an attacker pivots from my old WordPress site to my email, then to my Stripe recovery flow, then to my actual revenue."
The chain is unglamorous and effective. Step one: attacker exploits the cPanel bypass on the shared host where your old WordPress is parked. Step two: attacker reads the host's mail spool and finds your real email address from password-reset emails. Step three: attacker uses the same WordPress admin credentials (which you probably reused) to try to get into your password manager via your master password's recovery flow. Step four: attacker pivots to whatever production system the password manager unlocks.
This sounds dramatic. The reason it's not dramatic is that this exact chain has been documented in dozens of post-mortems over the past five years. Old WordPress instances are the single most common pivot point for solo-operator account takeovers. The reason is that we don't think about them. They're not on our threat model because they're not part of the active business. That's exactly what makes them effective targets.
The 30-minute audit
Three steps. Do them today, not next weekend.
First, list every domain and hosting account you have. Open your domain registrar (probably Namecheap, GoDaddy, or Cloudflare) and look at the actual list. Most solo operators discover four or five domains they had forgotten about. For each domain, identify where it's hosted. If anything is on shared cPanel hosting, that account needs attention.
Second, log into each cPanel account. If you don't remember the password, that's already a sign of the problem — go through the password reset flow and confirm your recovery email is still one you control. Once you're in, check the access log for the last 30 days. Look for any administrative actions you didn't take. Check installed WordPress versions; anything older than 6.4 should be updated immediately. Check for any user accounts you didn't create.
Third, decide what stays and what dies. For each forgotten site, ask: does this generate revenue? Does this serve content I actually care about? Does the domain redirect somewhere I want to keep alive? If the answer to all three is no, take it down. The right answer for most forgotten infrastructure is to back up what you might want, then delete the rest. You cannot get breached on a system that doesn't exist.
The ones that stay should get one piece of immediate hygiene: enable two-factor authentication on the cPanel account itself, on the WordPress admin if applicable, and on the email account associated with the domain. cPanel 2FA was rare in 2018; it's standard in 2026 and most providers support it. Turn it on.
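The access-log review in step two is easier with a small script than by eyeballing 30 days of lines. The following is an added example, not part of the original post or any cPanel tooling: it assumes the site's Raw Access log is in Apache combined format (which is what cPanel hands out for a domain), that you know your own IP address(es), and it flags administrative POSTs from addresses you do not recognise plus any PHP executed under wp-content/uploads, the usual webshell drop location. The sample log lines and IPs are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" log line, the format cPanel's Raw Access logs use (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
ADMIN_PATHS = ("/wp-login.php", "/wp-admin/", "/xmlrpc.php")
UPLOAD_PHP = re.compile(r"^/wp-content/uploads/.*\.php$", re.I)

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["path"] = e["path"].split("?", 1)[0]  # drop the query string
    return e

def audit(lines, my_ips, now, days=30):
    """Flag admin POSTs from IPs you do not recognise and PHP hits under uploads/."""
    cutoff = now - timedelta(days=days)
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None or e["ts"] < cutoff:
            continue
        if UPLOAD_PHP.match(e["path"]):
            # uploads/ should hold media, never executable PHP: classic webshell location
            findings.append(("php-in-uploads", e["ip"], e["path"], e["status"]))
        elif e["ip"] not in my_ips and e["method"] == "POST" and e["path"].startswith(ADMIN_PATHS):
            # WordPress answers a successful wp-login.php POST with a 302; a 200 is usually a failed try
            kind = "admin-login-success-unknown-ip" if e["status"] == "302" else "admin-post-unknown-ip"
            findings.append((kind, e["ip"], e["path"], e["status"]))
    return findings

# Constructed sample lines using documentation IP ranges, not real log data.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Apr/2026:09:12:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Apr/2026:03:41:17 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.7 - - [29/Apr/2026:03:42:02 +0000] "GET /wp-content/uploads/2026/04/cache.php?v=2 HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [10/Feb/2026:03:42:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.0"
""".splitlines()
MY_IPS = {"203.0.113.10"}  # assumption: the operator's own address(es)
NOW = datetime(2026, 5, 3, tzinfo=timezone.utc)
print(audit(SAMPLE_LOG, MY_IPS, NOW))
```

Anything the script flags is a starting point for the manual check, not a verdict: confirm the unknown address is not your phone, office or a VPN exit before treating a 302 login as hostile.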
What about your client work
If you've ever built a site for a client and handed off cPanel credentials, you have an awkward decision. The safe play is to email every client whose site you set up on shared hosting and tell them to verify with their host that the patch is applied. Most clients won't do anything with that email, but the email is the thing that protects you legally and reputationally if something happens later.
The phrasing that works: "I wanted to flag that there was a critical security update for shared hosting in late April. I checked our setup and we're patched, but I'd recommend you confirm with your host directly. Here's the CVE if your IT person wants to verify." Three sentences, no panic, no excessive ownership. Most clients appreciate the heads-up. The ones who don't appreciate it weren't going to be good clients anyway.
The honest counter-take
This is the kind of CVE that generates "patch now or you'll get hacked" content for a week and then disappears. The actual risk profile for most solo operators is low. If you only run on managed platforms — Vercel, Netlify, Cloudflare, Render, Fly, GitHub Pages — you have zero exposure to this CVE. Most modern indie stacks have moved off shared hosting entirely.
The reason to spend 30 minutes today anyway is the long tail. Almost every solo operator I know has at least one piece of forgotten infrastructure on shared hosting somewhere. The 30 minutes is paying down latent risk that you've been carrying invisibly for years. Even if the cPanel CVE doesn't bite you, the exercise of finding and decommissioning forgotten infrastructure is a hygiene win in its own right.
The other counter-take: if you do find a compromise during the audit, don't panic, but don't wing it either. The right move is to pull the affected site offline immediately, change every password that touched the system, rotate any API keys that were stored in it, and notify any third-party services that might have credentials in the system's configuration. The HelpNet and Hacker News writeups linked below have specific incident-response steps if you find evidence of compromise. Read them before you start touching anything.