cPanel Just Had a Critical Auth Bypass and Half the Internet Is Quietly Screaming

A decisive truth, applied directly to the forehead of every hosting provider running cPanel: on April 28, 2026, cPanel published a security advisory titled “Critical Vulnerability with cPanel & WHM Login Authentication.” That’s the sanitized version. The unsanitized version is: the login door on roughly 600,000 internet-facing servers may have been unlocked this entire time, and nobody noticed until now.

No CVE has been assigned yet. No CVSS score. No technical details. Just a terse advisory, a list of patched versions, and the digital equivalent of a fire alarm being pulled in a building where most tenants are still asleep.

🤚 The Open-Palm Timeline

April 28, 2026: cPanel publishes the advisory via their support site, authored by Devon Courtney. Patched versions are already available, which means cPanel knew about this beforehand and had fixes baked before going public. Coordinated disclosure at its finest — or, depending on your perspective, a head start that most admins didn’t know they needed.

Who discovered it? Undisclosed. When was it first reported to cPanel? Also undisclosed. The advisory reads like a classified document that’s been redacted by someone who enjoys redacting things a little too much.

👐 The Attack Vector — What We Know (and What cPanel Won’t Say)

The advisory describes the flaw as affecting “various authentication paths” in cPanel software. That’s it. That’s the technical detail. “Various authentication paths.” It’s the cybersecurity equivalent of a doctor saying “various organs are involved” and then walking out of the room.

But let’s unpack what that likely means:

  • Multiple login interfaces are affected — not just the cPanel user login, but potentially WHM admin login, Webmail, and API authentication. This isn’t a crack in one window; it’s a structural issue with the locks themselves.
  • All currently supported versions are vulnerable — from version 110 (LTS) through version 136 (latest). That’s not a recently introduced bug. That’s a flaw that’s been living rent-free in the codebase for a very, very long time.
  • The urgency suggests remote exploitation without credentials — when a vendor tells even unsupported-version users to upgrade immediately, the subtext is: “someone can walk through your front door without a key.”

No proof of concept has been published. No technical exploitation details are public. cPanel is deliberately keeping the lights off so admins can patch before attackers reverse-engineer the fix by diffing the binaries. It’s a race, and the clock started on April 28.

🌿 The Scope — Or, How Many Servers Are We Talking About

Sit down for this part.

  • 1,154,764 live websites actively run cPanel (BuiltWith data)
  • 5.6 million historical installations across the internet’s lifetime
  • 589,359 cPanel instances are directly visible on Shodan — internet-facing, port-open, come-on-in
  • ~59% are in the United States (350,235 servers), followed by Canada and Romania
  • Top affected providers: GoDaddy (73,867 instances), Unified Layer (48,724), Register.com (28,251)

cPanel is the cockroach of hosting management panels — and we mean that as a compliment. It’s everywhere, it’s survived every technological shift since the early 2000s, and it accounts for roughly 60% of the total hosting cost for many providers. When cPanel has a critical auth vulnerability, it’s not a security incident. It’s a census event.

👑 The Fix — Run This Command, Then Pour Yourself a Drink

Patches are available. Here’s what you need:

Version Line    Patched Build
110 (LTS)       11.110.0.97
118             11.118.0.63
126             11.126.0.54
132             11.132.0.29
134             11.134.0.20
136             11.136.0.5

The magic words:

/scripts/upcp --force

If you’re running an unsupported version (anything older than 110), there is no patch. Your options are: upgrade immediately, restrict access to ports 2082/2083/2086/2087 via firewall, or begin the five stages of grief. We recommend doing all three simultaneously.

🤔 How Could This Happen?

The fact that the vulnerability spans every supported version — going all the way back to version 110 — tells us something important: this isn’t a regression from a recent update. This is a long-standing flaw. A vulnerability that’s been baked into the authentication layer like a load-bearing bug.

The phrase “various authentication paths” suggests a shared authentication library or module used across multiple cPanel interfaces had a fundamental logic error. Not a typo. Not a missing null check. A design-level issue in how authentication state is validated — the kind of bug that passes every code review because everyone assumes the foundation is sound.

It’s the digital equivalent of discovering that every lock in your house has the same defect, because they were all made by the same locksmith who misread the blueprint in 2019 and nobody thought to double-check.

📋 What You Should Do Right Now

  1. Patch immediately — run /scripts/upcp --force on every cPanel server you manage
  2. Verify your version — confirm you’re on one of the patched builds listed above
  3. Restrict access — firewall off cPanel/WHM ports (2082, 2083, 2086, 2087) to trusted IPs as defense-in-depth
  4. Review your logs — check for anomalous authentication activity, especially failed or unusual login patterns
  5. Watch for the CVE — technical details will emerge as researchers diff the patched and unpatched binaries. When they do, the exploit window opens wider for unpatched servers
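As an added example (not cPanel's own tooling, and not code from the advisory), the following POSIX shell script turns steps 1 to 4 into checks an admin can run per host. It classifies the installed version against the patched builds from the table above, assuming the version string lives in /usr/local/cpanel/version; it prints, without applying, an iptables rule set that limits ports 2082/2083/2086/2087 to trusted ranges (203.0.113.0/24 is a placeholder); and it summarises login outcomes per source IP. The login records it reads are constructed sample lines in a simplified "time ip user outcome" format, not cPanel's real log format, so the field positions in flag_login_sources are an assumption to adapt to whatever your log parser yields.

```shell
#!/bin/sh
# Added example (not cPanel's code): post-advisory checks for a cPanel host.
# Assumptions: the installed version string is in /usr/local/cpanel/version
# (one line such as 11.110.0.97); the patched builds are copied from the
# advisory table; the records fed to flag_login_sources are a constructed,
# simplified format, not cPanel's real log format.
set -eu

# True (exit 0) when dotted numeric version $1 is at or above version $2.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# First fixed build for a version line, taken from the advisory table.
patched_build_for_line() {
  case "$1" in
    110) echo 11.110.0.97 ;;
    118) echo 11.118.0.63 ;;
    126) echo 11.126.0.54 ;;
    132) echo 11.132.0.29 ;;
    134) echo 11.134.0.20 ;;
    136) echo 11.136.0.5 ;;
    *)   return 1 ;;
  esac
}

# Classify a full version string: patched, unpatched, unsupported (older than
# the 110 line, which has no fix) or unknown (a line the advisory does not list).
cpanel_patch_status() {
  cps_line=$(printf '%s\n' "$1" | cut -d. -f2)
  case "$cps_line" in
    ''|*[!0-9]*) echo unknown; return 0 ;;
  esac
  if [ "$cps_line" -lt 110 ]; then echo unsupported; return 0; fi
  if ! cps_fixed=$(patched_build_for_line "$cps_line"); then echo unknown; return 0; fi
  if version_ge "$1" "$cps_fixed"; then echo patched; else echo unpatched; fi
}

# Print (do not apply) iptables rules that admit the cPanel/WHM ports only from
# the trusted CIDRs passed as arguments and drop every other source.
cpanel_firewall_rules() {
  for cfr_cidr in "$@"; do
    printf 'iptables -A INPUT -p tcp -s %s -m multiport --dports 2082,2083,2086,2087 -j ACCEPT\n' "$cfr_cidr"
  done
  printf 'iptables -A INPUT -p tcp -m multiport --dports 2082,2083,2086,2087 -j DROP\n'
}

# Read constructed login records from stdin ("time ip user outcome", outcome is
# success or failure) and print each source IP with at least $1 failures,
# together with how many logins from that IP succeeded.
flag_login_sources() {
  awk -v t="$1" '
    $4 == "failure" { fail[$2]++ }
    $4 == "success" { ok[$2]++ }
    END { for (ip in fail) if (fail[ip] >= t)
            printf "%s failures=%d successes=%d\n", ip, fail[ip], ok[ip] + 0 }' | sort
}

# Constructed sample records (not real log lines) for the triage function.
SAMPLE_LOGINS='2026-04-28T10:00:01Z 203.0.113.7 alice failure
2026-04-28T10:00:03Z 203.0.113.7 alice failure
2026-04-28T10:00:05Z 203.0.113.7 alice failure
2026-04-28T10:00:09Z 203.0.113.7 root success
2026-04-28T10:01:00Z 198.51.100.4 bob success'

# Stand-alone run: report this host's patch status if the version file exists,
# then show the rule set for a placeholder trusted range and the sample triage.
if [ -r /usr/local/cpanel/version ]; then
  cps_installed=$(cat /usr/local/cpanel/version)
  echo "installed $cps_installed: $(cpanel_patch_status "$cps_installed")"
fi
cpanel_firewall_rules 203.0.113.0/24
printf '%s\n' "$SAMPLE_LOGINS" | flag_login_sources 3
```

Run it after /scripts/upcp --force to confirm the host reports "patched"; review the printed rules before loading them, since a DROP on 2087 from an untrusted address locks you out of WHM too. The triage output for the sample flags the one source that failed three times and then logged in as root, which is the pattern worth a closer look on any host that sat unpatched between April 28 and the upgrade.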

🌿 The Gentle Awakening

There’s a particular kind of horror that comes with learning that a piece of software you trusted with 600,000 servers had a critical authentication flaw hiding in plain sight across every version. It’s the same feeling you get when you realize the lifeguard at the pool has been asleep the whole time — nothing went wrong yet, but the retrospective terror is real.

cPanel has handled the disclosure responsibly: patches were ready before the advisory went public, and the details are being withheld to give admins a head start. But the question nobody at cPanel wants to answer is: how long was this door unlocked? Months? Years? The answer will eventually come out when the CVE is assigned and researchers publish their analysis. Until then, patch your servers and try not to think about it too hard.

Also worth noting: this blog runs on Plesk. Just saying. 🤚

cPanel’s advisory contained no technical details, which is either responsible disclosure or the world’s most terrifying game of “guess what’s broken.” We’ll update this article when the CVE drops — assuming the internet is still standing.