Rapid7’s 2026 Global Cybersecurity Summit is now available on-demand.Watch sessions.
Rapid7

module

cPanel/WHM CRLF Injection Authentication Bypass RCE

Disclosed
Apr 28, 2026
Created
May 18, 2026

Description

Exploits CVE-2026-41940, a CRLF injection in cPanel/WHM's cpsrvd daemon
that allows unauthenticated remote code execution as root.

The Basic-auth handler writes the password to the raw session file without
stripping newlines. Omitting the ob-part of the session cookie bypasses the
encoder, so injected fields land verbatim in the raw file. A subsequent
request to /scripts2/listaccts triggers Cpanel::Session::Modify to promote
those fields into the authoritative session cache, granting root WHM access.

RCE uses the WHM JSON API passwd endpoint to set a temporary root password,
then delivers the payload over SSH. The password is rotated after exploitation.
This module does not restore the original root password.

Affects all versions after 11.40. Fixed per branch: 11.86.0.41, 11.110.0.97,
11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20,
11.136.0.5 (cPanel/WHM) and 136.1.7 (WP2).

Authors

Sina Kheirkhah
Adam Kues
Shubham Shah
Crypto-Cat

Platform

Unix

Architectures

cmd

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


msf > use exploit/multi/http/cpanel_whm_auth_bypass_rce
msf exploit(cpanel_whm_auth_bypass_rce) > show targets
...targets...
msf exploit(cpanel_whm_auth_bypass_rce) > set TARGET < target-id >
msf exploit(cpanel_whm_auth_bypass_rce) > show options
...show and set options...
msf exploit(cpanel_whm_auth_bypass_rce) > exploit

Title
Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.