cPanel, Authentication Bypass, CVE-2026-41940 (CRITICAL)


The vulnerability stems from improper session handling in the cpsrvd daemon: the server writes a new session file to disk before the user is authenticated. By manipulating the `whostmgrsession` cookie and omitting an expected segment, an attacker skips the encryption step that would normally protect user-supplied input. The attacker then injects Carriage Return Line Feed (CRLF) characters into the password field of the Basic Authentication header. Combined with the malformed session cookie, this CRLF injection lets the attacker write arbitrary key-value pairs into the session file on disk, specifically a `user=root` property together with a `token_denied` flag. When the server reads the manipulated session file, it honours the injected `user=root` property and grants the attacker root-level access to WHM, bypassing the password check entirely. Because all of this happens before any authentication check runs, a failed login attempt produces a valid session entry.

Platform: cPanel and WHM
Version: after 11.40
Vulnerability: Authentication Bypass via
Severity: CRITICAL (CVSS 9.8)
Date: 2026-04-28

Prediction: Patched 2026-04-28

What Undercode Say:

Verify the current version
/usr/local/cpanel/cpanel -V
Force an update to a patched version
/scripts/upcp --force
Check for Indicators of Compromise (IoC) with the official detection script
bash /path/to/ioc_check.sh
Example IoC: session files that contain token_denied=1 and an injected cp_security_token (match per file rather than per line, since the two keys need not sit on the same line)
grep -rl "token_denied=1" /var/cpanel/sessions/raw/ | xargs -r grep -l "cp_security_token"
Manually restart the cPanel service after patching
/scripts/restartsrv_cpsrvd
Firewall mitigation if patching is impossible: block the cPanel, WHM and webmail TLS ports listed under Protection (2083, 2087, 2095, 2096); -I inserts the rule at the top of INPUT so it takes effect ahead of any existing ACCEPT rule
iptables -I INPUT -p tcp -m multiport --dports 2083,2087,2095,2096 -j DROP

How the Exploit Works:

The exploit is triggered by a crafted HTTP POST request to the login endpoint. The attacker places a CRLF (%0d%0a) sequence in the password field of the Basic Authorization header, followed by the string `user=root`, and at the same time supplies a malformed `whostmgrsession` cookie. The vulnerable `cpsrvd` daemon writes a new session file to `/var/cpanel/sessions/raw/` before validating the password, and the injected CRLF characters let the attacker append arbitrary key-value pairs to it, creating a valid session entry for the `root` user without the correct password.
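The mechanism above, together with the IoC check under What Undercode Say, as an added Python model that is not cPanel's own code: a toy line-oriented session store with the vulnerable writer beside a hardened one, a Basic-auth decoder showing that CR/LF ride inside the base64 value so the header line itself looks clean, a last-key-wins loader that ends up believing `user=root`, and a directory scan that flags the `token_denied=1` plus `cp_security_token` combination and, as an added heuristic, duplicated keys. The session-file layout, the function names, the sample credentials and the placeholder token value are all assumptions; only the key names `user`, `token_denied` and `cp_security_token` come from the advisory.

```python
"""Model of the bug class in the advisory above: a line-oriented session file
written before the password check passes, with a CR/LF-bearing Basic-auth
password copied in verbatim. Added illustration only: nothing here is cPanel
code; the file layout, function names, sample credentials and the placeholder
cp_security_token value are assumptions."""
import base64
import os
import re
import secrets
import tempfile

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

def basic_auth_header(user, password):
    """Authorization value as a client sends it; CR/LF inside the password
    survive base64, so the header line itself is well formed."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic_auth(header):
    """Decode the header; the password is everything after the first ':'."""
    scheme, _, b64 = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not Basic auth")
    user, _, password = base64.b64decode(b64).decode().partition(":")
    return user, password

def write_session_vulnerable(session_dir, sid, user, password):
    """Vulnerable model: a file is created even for a failed login and the
    password is written verbatim, so a CR/LF ends the pass= line and whatever
    follows becomes further key=value lines (e.g. user=root)."""
    path = os.path.join(session_dir, sid)
    with open(path, "w") as f:
        f.write(f"user={user}\n")
        f.write(f"pass={password}\n")   # injection point
        f.write("token_denied=1\n")     # the password check has not passed
    return path

def write_session_hardened(session_dir, sid, user, authenticated):
    """Hardened model: no file until the password check passed, no secret
    material stored, control characters rejected rather than escaped."""
    if not authenticated:
        return None
    if CONTROL_CHARS.search(user):
        raise ValueError("control characters in username")
    path = os.path.join(session_dir, sid)
    with open(path, "w") as f:
        f.write(f"user={user}\n")
        f.write(f"cp_security_token={secrets.token_hex(16)}\n")
    return path

def parse_session(path):
    """The file's key=value pairs in order, duplicates preserved."""
    pairs = []
    with open(path) as f:
        for line in f:
            key, sep, value = line.rstrip("\r\n").partition("=")
            if sep:
                pairs.append((key, value))
    return pairs

def effective_user(path):
    """What a naive last-key-wins loader believes the session's user is."""
    return dict(parse_session(path)).get("user")

def scan_sessions(session_dir):
    """Flag the advisory's IoC (token_denied=1 together with cp_security_token)
    and, as an added heuristic, any duplicated key that line injection leaves."""
    hits = {}
    for name in sorted(os.listdir(session_dir)):
        pairs = parse_session(os.path.join(session_dir, name))
        keys = [k for k, _ in pairs]
        reasons = []
        if ("token_denied", "1") in pairs and "cp_security_token" in keys:
            reasons.append("token_denied=1 with cp_security_token")
        dups = sorted({k for k in keys if keys.count(k) > 1})
        if dups:
            reasons.append("duplicate keys: " + ",".join(dups))
        if reasons:
            hits[name] = reasons
    return hits

def demo():
    """Constructed scenario: an honest failed login, an injected login, one
    hardened-path session, and the hardened path refusing an injected name."""
    d = tempfile.mkdtemp()
    u, p = parse_basic_auth(basic_auth_header("bob", "wrong-password"))
    bob = write_session_vulnerable(d, "sess_bob", u, p)
    # the advisory's %0d%0a payload, shown before any transport encoding
    payload = "x\r\nuser=root\r\ncp_security_token=0123456789abcdef"
    u, p = parse_basic_auth(basic_auth_header("attacker", payload))
    evil = write_session_vulnerable(d, "sess_evil", u, p)
    write_session_hardened(d, "sess_ok", "alice", authenticated=True)
    try:
        write_session_hardened(d, "sess_bad", "x\r\nuser=root", True)
        rejected = False
    except ValueError:
        rejected = True
    return {"bob_user": effective_user(bob), "evil_user": effective_user(evil),
            "hits": scan_sessions(d), "hardened_rejected_crlf": rejected}

if __name__ == "__main__":
    print(demo())
```

Run it directly to print the demo dictionary: the honest failed login stays `bob`, the injected one loads as `root`, and only that file is flagged. The grep pipeline under What Undercode Say is the on-box equivalent of the scanner's first check; the duplicate-key check is a generic line-injection tell worth adding to any audit of a key=value session store.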

Protection from this CVE

  1. Immediately update to a patched version (11.110.0.97, 11.118.0.63, 11.126.0.54, 11.130.0.18, 11.132.0.29, 11.134.0.20, or 11.136.0.5).
  2. Block inbound traffic on ports 2083, 2087, 2095, and 2096 at the firewall if patching is not immediately possible.
  3. Run the official detection script to scan session files for indicators of compromise.
  4. Restart the `cpsrvd` service after applying updates to ensure the new authentication logic is loaded.

Impact

Successful exploitation grants an unauthenticated remote attacker full administrative (root) privileges over the cPanel & WHM server. This allows the attacker to take complete control of the host system, modify server configurations, access all hosted databases and email accounts, and compromise every website and downstream service hosted on the affected server.


Sources:

Reported By: www.cve.org
Extra Source Hub: Undercode
