Pentagon · labs.watchtowr.com
CPanel and WHM Authentication Bypass – CVE-2026-41940
Compiled by KHAO Editorial — aggregated from 1 source. See llms.txt for citation guidance.
◌ Single Source
JSON encodes a string with embedded \r\n as the two-character escape - the bytes are preserved as one single pass field.
Key facts
- Ignoring the pain of their proverbial explosion, they identified 3 modified files of interest
- The team base64-encode this into the Authorization header
- root:x\r\nhasroot=1\r\n…
- and fire
- If you're wondering where cpsess0228251236 came from
- it's right there in the Location header of the 307 response
- Despite the on-disk file containing hasroot=1 and user=root as top-level records, cpsrvd is treating them as anonymous
Summary
Yes, it's all a disaster again! No comments today, so imagine this:. The team wrote something that they find funny,. Nobody else gets it,. As with all watchTowr Labs research, this didn't start with a blog post - but is the end result of a coordinated capability that enables watchTowr clients to rapidly react to, and autonomously mitigate, emerging threats.