cPanel Security Update: Critical Vulnerabilities Require Immediate Patching

cPanel has released emergency updates to address three significant vulnerabilities in its cPanel and Web Host Manager (WHM) products. These vulnerabilities, ranging from moderate to critical severity, could allow attackers to achieve privilege escalation, execute arbitrary code, and cause denial-of-service conditions on affected systems.

Overview of Vulnerabilities

The security update addresses three distinct vulnerabilities with varying severity levels, each requiring immediate attention from system administrators and hosting providers.

CVE-2026-29201 – Arbitrary File Read Vulnerability

  • CVSS Score: 4.3 (Medium Severity)
  • Affected Component: feature::LOADFEATUREFILE adminbin call
  • Exploitable Impact: Arbitrary file read

This vulnerability stems from insufficient input validation of the feature file name parameter within the feature::LOADFEATUREFILE adminbin call. Attackers could manipulate this parameter to read arbitrary files on the system, potentially exposing sensitive configuration files, credentials, or other sensitive data.

CVE-2026-29202 – Arbitrary Perl Code Execution Vulnerability

  • CVSS Score: 8.8 (High Severity)
  • Affected Component: create_user API call
  • Exploitable Impact: Arbitrary Perl code execution

The most critical vulnerability involves insufficient input validation of the “plugin” parameter in the create_user API call. This flaw allows authenticated users to execute arbitrary Perl code on behalf of the system user associated with the authenticated account. Given that cPanel typically runs with elevated privileges, this could lead to complete system compromise.

CVE-2026-29203 – Symlink Handling Vulnerability

  • CVSS Score: 8.8 (High Severity)
  • Affected Component: File access permissions handling
  • Exploitable Impact: Denial-of-service or privilege escalation

This vulnerability involves unsafe symlink handling that allows users to modify access permissions of arbitrary files using the chmod command. The flaw could be exploited to either deny service to legitimate users or potentially escalate privileges by modifying permissions of critical system files.

Technical Analysis

CVE-2026-29201 Technical Details

The arbitrary file read vulnerability occurs in the feature::LOADFEATUREFILE adminbin call. The vulnerability arises when the application fails to properly sanitize the feature file name parameter, allowing path traversal techniques such as ../ sequences to access files outside the intended directory structure.

# Vulnerable code pattern (conceptual)
my $feature_file = $input{'feature_file'};
my $file_path = "/usr/local/cpanel/feature/$feature_file";
open(FH, "$file_path") || die "Cannot open file: $!";

Attackers could manipulate the input to read sensitive files such as:

  • /etc/passwd and /etc/shadow
  • Database configuration files
  • SSL certificate private keys
  • cPanel configuration files

CVE-2026-29202 Technical Details

The arbitrary Perl code execution vulnerability is particularly concerning as it allows authenticated users to execute arbitrary Perl code. This likely occurs through Perl’s eval() function or similar code execution mechanisms.

# Vulnerable code pattern (conceptual)
my $plugin_code = $input{'plugin'};
eval $plugin_code; # DANGEROUS - Code injection

The execution context would run with the privileges of the cPanel system user, which typically has extensive permissions on the hosting server. This could allow attackers to:

  • Install backdoors or persistence mechanisms
  • Modify system configurations
  • Access or exfiltrate sensitive data
  • Launch further attacks against other services

CVE-2026-29203 Technical Details

The symlink handling vulnerability involves unsafe handling of symbolic links when performing file operations. This is a classic time-of-check-to-time-of-use (TOCTOU) race condition vulnerability.

# Vulnerable code pattern (conceptual)
chmod 0644 $target_file; # $target_file could be a symlink pointing elsewhere

Attackers could exploit this by:

  1. Creating a symlink pointing to a critical system file
  2. Triggering the chmod operation on the symlink
  3. The chmod operation affects the target file instead of the intended file

This could lead to denial-of-service by making critical system files inaccessible or privilege escalation by modifying permissions on sensitive files.

Affected Versions and Patch Information

cPanel has released version 110.0.114 as a direct update for customers still running CentOS 6 or CloudLinux 6. Users are strongly advised to update to the latest versions for optimal protection.

The patch addresses all three vulnerabilities:

Mitigation and Best Practices

Immediate Actions

  1. Update cPanel immediately to the latest version
  2. Review access logs for any suspicious activity prior to the patch
  3. Monitor system performance for any unusual behavior

Hardening Recommendations

  1. Principle of least privilege – Ensure cPanel service accounts have minimal necessary permissions
  2. Regular security audits – Implement routine vulnerability scanning
  3. Network segmentation – Isolate cPanel servers from other critical infrastructure
  4. Access controls – Implement strict authentication mechanisms
  5. Monitoring – Deploy comprehensive logging and intrusion detection

System Configuration Hardening

# Example hardening commands (for CentOS/CloudLinux)
# Restrict cPanel service account
usermod -l cpanel-restricted cpanel

# Remove unnecessary modules
echo "LoadModule perl_module /usr/lib64/httpd/modules/mod_perl.so" >> /etc/httpd/conf.d/perl.conf

# Enable additional logging
echo "LogLevel warn" >> /etc/httpd/conf/httpd.conf

Context and Related Threats

This security update comes shortly after another critical vulnerability, CVE-2026-41940, which has already been weaponized by threat actors. The earlier vulnerability is being used to deliver:

  • Mirai botnet variants – Distributed denial-of-service (DDoS) malware
  • Sorry ransomware – File-encrypting ransomware

The proximity of these disclosures suggests that cPanel is being actively targeted by sophisticated threat actors. The fact that CVE-2026-41940 has already been exploited in the wild underscores the urgency of implementing timely security updates.

Summary

The three vulnerabilities addressed in this cPanel security update represent a significant security risk, particularly the two high-severity issues (CVE-2026-29202 and CVE-2026-29203) that could lead to complete system compromise.

System administrators and hosting providers should treat this security update with the highest priority. The combination of arbitrary code execution and privilege escalation capabilities makes these vulnerabilities particularly dangerous in shared hosting environments where multiple customers’ data and services could be at risk.

Recommendation: Update all cPanel and WHM installations immediately to version 110.0.114 or later, and implement the recommended hardening measures to protect against potential exploitation attempts.

For the latest security advisories and patch information, administrators should monitor cPanel’s official security portal and subscribe to their security mailing list for real-time updates.

Related Articles

Back to top button