:

CPANEL PATCHES CRITICAL AUTH BYPASS FLAW

INDUSTRY DESK2 MIN READ
SAT, MAY 9, 2026

■ AI-SUMMARIZED FROM 1 SOURCE ▸ TIMELINE

cPanel and WebHost Manager (WHM) released an emergency update to fix a critical authentication bypass vulnerability affecting nearly all versions. The flaw could allow attackers to gain unauthorized access to hosting control panels.

cPanel issued an urgent security patch addressing a critical vulnerability in its control panel and WHM dashboard software. The bug affects all versions except the latest release and permits attackers to bypass authentication mechanisms entirely. The vulnerability allows unauthenticated users to access cPanel and WHM interfaces without valid credentials, potentially granting full control over hosting accounts. This represents a severe risk for web hosting providers and their customers, as attackers could modify configurations, steal data, or deploy malicious content. What's affected: Virtually all cPanel and WHM versions prior to the patched release are vulnerable. The company strongly recommends immediate updates for all users running older builds. Action required: Administrators should prioritize applying the emergency patch to all affected systems. cPanel has not disclosed extensive technical details about the vulnerability to prevent exploitation before patching is complete. Users unable to update immediately should monitor their systems for suspicious activity. The timing of this disclosure follows growing scrutiny of cPanel's security practices. As one of the most widely used web hosting control panels globally, vulnerabilities in cPanel impact millions of websites across countless hosting providers. Hosting companies dependent on cPanel are expected to deploy fixes urgently. Delay risks exposing customer accounts to compromise. The patch is available through standard cPanel update channels. Security researchers and hosting providers have been urged to verify patch deployment across their infrastructure. Given the critical nature of the flaw and its broad impact, this represents one of the more serious cPanel vulnerabilities in recent years.

■ SOURCES

Bleeping Computer

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE

■ MORE FROM THE SECURITY DESK

The Los Angeles Police Department has declined to renew its contract with Flock Safety, citing data privacy concerns. The decision marks a shift in the department's approach to automated license plate reader technology.

2H AGOIndustry Desk

Department of Homeland Security analysts dismissed suspicious network activity detected in May as harmless before confirming a breach in June, according to internal documents.

2H AGOSecurity Desk

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that Russian state-sponsored hackers are actively targeting residential routers. The threat escalates as attackers seek to exploit routers for use as residential proxies.

2H AGOSecurity Desk

Grok CLI experienced a critical bug that caused it to upload entire home directories to Google Cloud Storage. The issue sparked significant discussion in the developer community about data handling practices.

3H AGOIndustry Desk

■ SUBSCRIBE TO THE DAILY BRIEF

ONE EMAIL, 5 STORIES, 06:00 UTC. UNSUBSCRIBE ANYTIME.