Potential cPanel WHM CRLF Authentication Bypass (CVE-2026-41940)

Last updated 18 days ago on 2026-05-28

Created a month ago on 2026-05-07

About

Identifies the network signature of CVE-2026-41940, a pre-auth root-level authentication bypass in cPanel and WebHost Manager (WHM) caused by a CRLF injection in the session writer. The exploit-inherent shape on the wire is a `GET /` request to a cPanel/WHM admin port (typically TCP/2087, 2086, 2083, 2082, 2095, 2096) carrying an `Authorization: Basic` header whose base64-decoded value contains CRLF-injected session fields, which causes cpsrvd to respond with a 3xx redirect whose `Location` header leaks a `/cpsessNNNNNNNNNN` token granting the attacker a privileged session. This is the network-layer equivalent of the cPanel `access_log` artifact identified by Unfold and watchTowr as the first bulletproof detection for this CVE: a `GET /` recorded with `auth_method=b` (HTTP Basic). Legitimate access to `GET /` on a WHM admin port returns 200 with the login screen and never includes HTTP Basic credentials, so this combination is not produced by normal use.

Tags

Domain: NetworkDomain: ApplicationDomain: WebUse Case: Threat DetectionUse Case: VulnerabilityTactic: Initial AccessData Source: Network Packet CaptureData Source: Network TrafficData Source: ZeekLanguage: lucene

Severity

high

Risk Score

MITRE ATT&CK™

Initial Access (TA0001)(external, opens in a new tab or window)

↳ Exploit Public-Facing Application (T1190)(external, opens in a new tab or window)

False Positive Examples

Authorized vulnerability scanners (Nessus, Tenable, Qualys, etc.) running CVE-2026-41940 plugins will reproduce the exploit shape. Validate against scan windows and source IPs of approved scanners before escalating.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

packetbeat-*logs-network_traffic.http*logs-zeek.http*

Related Integrations

network_traffic(external, opens in a new tab or window)

zeek(external, opens in a new tab or window)

Query

✄𐘗text code block:
✄𐘗(
  (
    (data_stream.dataset:network_traffic.http OR (event.category:network_traffic AND network.protocol:http)) AND
    http.response.status_code:[300 TO 399] AND
    http.request.headers.authorization:Basic* AND
    http.response.headers.location:\/cpsess*
  )
  OR
  (
    data_stream.dataset:zeek.http AND
    zeek.http.client_header_names:AUTHORIZATION AND
    zeek.http.server_header_names:LOCATION
  )
) AND
http.request.method:GET AND
url.path:"/" AND
destination.port:(2087 OR 2086 OR 2083 OR 2082 OR 2095 OR 2096)

Install detection rules in Elastic Security

Detect Potential cPanel WHM CRLF Authentication Bypass (CVE-2026-41940) in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).