Potential cPanel WHM CRLF Authentication Bypass (CVE-2026-41940)

Last updated: 2026-05-07
Created: 2026-05-07

About

Identifies the network signature of CVE-2026-41940, a pre-auth root-level authentication bypass in cPanel and WebHost Manager (WHM) caused by a CRLF injection in the session writer. The exploit-inherent shape on the wire is a `GET /` request to a cPanel/WHM admin port (typically TCP/2087, 2086, 2083, 2082, 2095, 2096) carrying an `Authorization: Basic` header whose base64-decoded value contains CRLF-injected session fields, which causes cpsrvd to respond with a 3xx redirect whose `Location` header leaks a `/cpsessNNNNNNNNNN` token granting the attacker a privileged session. This is the network-layer equivalent of the cPanel `access_log` artifact identified by Unfold and watchTowr as the first bulletproof detection for this CVE: a `GET /` recorded with `auth_method=b` (HTTP Basic). Legitimate access to `GET /` on a WHM admin port returns 200 with the login screen and never includes HTTP Basic credentials, so this combination is not produced by normal use.
Tags
Domain: Network
Domain: Application
Domain: Web
Use Case: Threat Detection
Use Case: Vulnerability
Tactic: Initial Access
Data Source: Network Packet Capture
Data Source: Network Traffic
Language: lucene
Severity
high
Risk Score
73
MITRE ATT&CK™

Initial Access (TA0001)

False Positive Examples
Authorized vulnerability scanners (Nessus, Tenable, Qualys, etc.) running CVE-2026-41940 plugins will reproduce the exploit shape. Validate against scan windows and source IPs of approved scanners before escalating.
License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
packetbeat-*
logs-network_traffic.http*
Related Integrations

network_traffic

Query
(data_stream.dataset:network_traffic.http OR (event.category:network_traffic AND network.protocol:http)) AND http.request.method:GET AND url.path:"/" AND destination.port:(2087 OR 2086 OR 2083 OR 2082 OR 2095 OR 2096) AND http.response.status_code:[300 TO 399] AND http.request.headers.authorization:Basic* AND http.response.headers.location:/.*cpsess[0-9]{10}.*/
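As an added example (not part of the Elastic rule or its query), the rule's predicate implemented in Python over constructed, flattened ECS-style transaction records, extended with a check the Lucene query cannot make: whether the Basic credential base64-decodes to bytes containing CR or LF. Field names follow the query; the scanner allow-list argument and all sample values are assumptions.

```python
import base64
import re
from ipaddress import ip_address, ip_network
# Admin ports named in the rule: WHM (2086/2087), cPanel (2082/2083), Webmail (2095/2096).
ADMIN_PORTS = {2087, 2086, 2083, 2082, 2095, 2096}
CPSESS_RE = re.compile(r"/cpsess\d{10}")  # leaked token shape: /cpsess followed by ten digits

def decoded_basic_has_crlf(authorization: str) -> bool:
    """True if an HTTP Basic credential base64-decodes to bytes containing CR or LF.
    A well-formed credential never contains line terminators, so this flags the injection shape."""
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return False
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError: malformed base64 is not a credential
        return False
    return b"\r" in raw or b"\n" in raw

def evaluate(event: dict, approved_scanners=()) -> dict:
    """Apply the rule's predicate to one flattened ECS-style HTTP transaction and return a
    verdict with reasons; matches from allow-listed scanner ranges are marked for triage."""
    auth = event.get("http.request.headers.authorization", "")
    status = event.get("http.response.status_code", 0)
    checks = [
        (event.get("http.request.method", "").upper() == "GET" and event.get("url.path") == "/", "not GET /"),
        (event.get("destination.port") in ADMIN_PORTS, "not a cPanel/WHM admin port"),
        (300 <= status < 400, "response is not a 3xx redirect"),
        (auth.lower().startswith("basic "), "no HTTP Basic credential on GET /"),
        (bool(CPSESS_RE.search(event.get("http.response.headers.location", ""))), "Location carries no /cpsess token"),
    ]
    failed = [why for ok, why in checks if not ok]
    if failed:
        return {"match": False, "reasons": failed}
    reasons = ["GET / with Basic auth answered by a 3xx whose Location leaks a /cpsess token"]
    if decoded_basic_has_crlf(auth):
        reasons.append("decoded Basic credential contains CR/LF (injection shape)")
    src = event.get("source.ip")
    scanner = bool(src) and any(ip_address(src) in ip_network(n) for n in approved_scanners)
    return {"match": True, "allowlisted_scanner": scanner, "reasons": reasons}

# Constructed sample transactions, not real captures. The credential is a placeholder carrying
# an embedded CRLF; it is not the injected session fields the advisory describes.
SAMPLE_EXPLOIT = {
    "http.request.method": "GET", "url.path": "/", "destination.port": 2087, "source.ip": "198.51.100.7",
    "http.request.headers.authorization": "Basic " + base64.b64encode(b"root:x\r\nplaceholder=1").decode(),
    "http.response.status_code": 302, "http.response.headers.location": "/cpsess0123456789/",
}
# An ordinary visit to the login page: 200, no credential, no redirect.
SAMPLE_BENIGN = {"http.request.method": "GET", "url.path": "/", "destination.port": 2087, "http.response.status_code": 200}
```

Packetbeat only records `http.request.headers.*` and `http.response.headers.*` when its http protocol is configured with `send_headers` or `send_all_headers`, so without that setting the header clauses of the query (and of this example) never see data.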

Install detection rules in Elastic Security

Detect Potential cPanel WHM CRLF Authentication Bypass (CVE-2026-41940) in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.