watchTowr Labs reverse-engineered a patch to expose a CRLF-injection + missing filter_sessiondata call in cpsrvd that allows auth bypass on all supported cPanel/WHM versions, exploited as a zero-day.
Key Takeaways
CVE-2026-41940 affects every currently supported cPanel/WHM release; KnownHost confirmed in-the-wild zero-day exploitation against WHM management interfaces.
Root cause: saveSession in Cpanel/Session.pm did not call filter_sessiondata, so a password supplied via Basic Auth could inject arbitrary fields into the on-disk session file.
When the <ob> segment is absent from the session cookie, the password is written to disk in cleartext with a no-ob: hex prefix instead of being encrypted, compounding exposure.
The attack surface is Basic Auth requests handled by cpsrvd, where set_pass strips only NUL bytes, leaving CRLF intact before saveSession is called.
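The following Perl script is an added illustration, not code from watchTowr Labs or from cPanel: it models a line-oriented session store in which one record is written per line, and places an unfiltered serializer (which, like the set_pass behaviour described above, removes only NUL bytes) beside a hardened one that refuses control characters before the value is written. All function names, the sample session fields and the tainted input are constructed for this example; the filter stands in for the role the writeup assigns to filter_sessiondata and is not that routine.

```perl
#!/usr/bin/perl
# Added illustration, not cPanel's code: a toy "key=value" per-line session
# store, showing why a password must be filtered before it is serialized.
use strict;
use warnings;

# Constructed sample: fields a session record would normally carry.
my %session = ( user => 'alice', origin => 'basicauth' );

# Unfiltered variant (hypothetical name): strips only NUL, then writes the
# value straight into the record body. A CR/LF in the value ends the record.
sub serialize_unfiltered {
    my ($fields, $pass) = @_;
    $pass =~ s/\0//g;                      # only NUL is removed
    my %s = (%$fields, pass => $pass);
    return join('', map { "$_=$s{$_}\n" } sort keys %s);
}

# Hardened variant (hypothetical name): reject any control character that
# could terminate or split a record before it reaches the serializer.
sub filter_session_value {
    my ($v) = @_;
    die "refusing control characters in session field\n"
        if $v =~ /[\x00-\x1f\x7f]/;
    return $v;
}

sub serialize_filtered {
    my ($fields, $pass) = @_;
    my %s = (%$fields, pass => filter_session_value($pass));
    return join('', map { "$_=$s{$_}\n" } sort keys %s);
}

# Reader side: what a consumer of the on-disk file would reconstruct.
sub parse_session {
    my ($body) = @_;
    my %out;
    for my $line (split /\n/, $body) {
        my ($k, $v) = split /=/, $line, 2;
        $out{$k} = $v if defined $k && length $k;
    }
    return \%out;
}

# Constructed input: a "password" carrying a line break followed by a field
# the client should never be able to set.
my $tainted = "hunter2\ninjected_field=1";

my $parsed = parse_session(serialize_unfiltered(\%session, $tainted));
print "unfiltered store: injected_field present = ",
      (exists $parsed->{injected_field} ? 'yes' : 'no'), "\n";

eval { serialize_filtered(\%session, $tainted) };
print "filtered store: ", ($@ ? "rejected ($@)" : "accepted\n");
```

The unfiltered path yields a parsed record containing a field the client wrote, which is the class of bug the writeup attributes to the missing filter_sessiondata call; the hardened path fails closed. Rejecting rather than silently stripping is the safer default for a credential field, since a stripped value would be stored as something the user never typed.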
Hacker News Comment Review
Consensus centers on rolling your own session handling as the enabling mistake; battle-tested platform session primitives would have avoided both the CRLF and cleartext password paths.
Commenters flagged the monoculture risk: cPanel underpins ~70 million domains, many running unmanaged WordPress stacks with no active sysadmin, meaning a large fraction of affected sites will never be patched.
Some noted a possible trend of LLM-assisted code auditing surfacing dormant corner-case bugs in legacy Perl codebases like cPanel.
Notable Comments
@amluto: highlights the double failure of storing passwords reversibly encrypted at all, with a plaintext fallback – a design mistake predating 1996.
@whalesalad: links a Shodan query showing the exposed Basic Auth realm surface across the public internet.