module
cPanel/WHM CRLF Injection Authentication Bypass RCE
| Disclosed | Created |
|---|---|
| Apr 28, 2026 | May 18, 2026 |
Disclosed
Apr 28, 2026
Created
May 18, 2026
Description
Exploits CVE-2026-41940, a CRLF injection in cPanel/WHM's cpsrvd daemon
that allows unauthenticated remote code execution as root.
The Basic-auth handler writes the password to the raw session file without
stripping newlines. Omitting the ob-part of the session cookie bypasses the
encoder, so injected fields land verbatim in the raw file. A subsequent
request to /scripts2/listaccts triggers Cpanel::Session::Modify to promote
those fields into the authoritative session cache, granting root WHM access.
RCE uses the WHM JSON API passwd endpoint to set a temporary root password,
then delivers the payload over SSH. The password is rotated after exploitation.
This module does not restore the original root password.
Affects all versions after 11.40. Fixed per branch: 11.86.0.41, 11.110.0.97,
11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20,
11.136.0.5 (cPanel/WHM) and 136.1.7 (WP2).
that allows unauthenticated remote code execution as root.
The Basic-auth handler writes the password to the raw session file without
stripping newlines. Omitting the ob-part of the session cookie bypasses the
encoder, so injected fields land verbatim in the raw file. A subsequent
request to /scripts2/listaccts triggers Cpanel::Session::Modify to promote
those fields into the authoritative session cache, granting root WHM access.
RCE uses the WHM JSON API passwd endpoint to set a temporary root password,
then delivers the payload over SSH. The password is rotated after exploitation.
This module does not restore the original root password.
Affects all versions after 11.40. Fixed per branch: 11.86.0.41, 11.110.0.97,
11.118.0.63, 11.124.0.35, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20,
11.136.0.5 (cPanel/WHM) and 136.1.7 (WP2).
Authors
Sina Kheirkhah
Adam Kues
Shubham Shah
Crypto-Cat
Adam Kues
Shubham Shah
Crypto-Cat
Platform
Unix
Architectures
cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.