cPanel WHM auth bypass sparks zero‑day scramble

Hacker News

Security firm watchTowr Labs disclosed a critical authentication bypass in cPanel & WHM, catalogued as CVE-2026-41940. The flaw resides in the session‑loading routine, allowing attackers to forge a valid session cookie and gain root‑level access to the management plane that powers roughly 70 million domains. KnownHost reported active exploitation in the wild, confirming the vulnerability is being leveraged as a zero‑day and endangers hosting providers.

cPanel confirmed every supported release is vulnerable, from the 110.x series through 136.x. Patches arrived in versions such as 11.110.0.97 and 11.136.0.5, each moving a sanitisation call into the saveSession function and adding fallback encoding when the per‑session secret is missing. Administrators must upgrade immediately, because unpatched binaries still expose the insecure saveSession path.

The vulnerability hinges on how session files store a secret (‘ob’) and encode passwords. By tampering with the cookie’s ob segment, an attacker can bypass the filter_sessiondata routine and inject arbitrary credentials. watchTowr’s AI‑driven rapid‑reaction platform automatically identified exposed instances and pushed edge‑level mitigation rules, demonstrating a rare instance of autonomous network defense for affected data centers worldwide.