cPanel Authentication Bypass Zero-Day Exploit Threatens Millions
A critical authentication bypass flaw in cPanel and its associated WebHost Manager (WHM) interface was publicly disclosed on March 5, 2026, sending shockwaves through the web-hosting community. The vulnerability, tracked as CVE-2026-1234, resides in the session-validation routine of cPanel's REST API and allows an unauthenticated attacker to forge valid session tokens by manipulating JSON Web Token (JWT) payloads. Affected versions include cPanel & WHM 11.92.0.0 through 11.97.0.2, exposing countless shared-hosting environments to remote compromise.
Within hours of the disclosure, multiple security researchers released proof-of-concept (PoC) exploits, ranging from simple curl scripts to fully weaponized Metasploit modules. Analysts at Unit 42 and others demonstrated that a single crafted HTTP request could hijack an admin session, granting full control of the hosting account. The rapid proliferation of these PoCs dramatically lowered the barrier for less-skilled threat actors, leading to a surge in scanning activity targeting vulnerable cPanel instances.
CrowdStrike's threat intelligence team reported that at least one advanced persistent threat (APT) group had already been exploiting the flaw in the wild for more than a month prior to public disclosure. The group, designated TAG-71, leveraged the authentication bypass to compromise web-hosting providers in North America and Europe, exfiltrating database credentials and deploying dormant backdoors. Their ability to maintain persistence indicates a well-funded operation with a focus on long-term espionage.
Organizations are urged to update to cPanel & WHM 11.98.0.1 or later, which patches the JWT validation logic. In parallel, administrators should enforce strict API access controls, employ IP allow-listing for WHM, and enable audit logging to detect anomalous session creation. Immediate remediation, combined with robust network monitoring, is essential to mitigate the risk of credential theft and unauthorized domain takeovers.