Critical cPanel and WHM Vulnerabilities Expose Servers to Remote Code Execution and Denial-of-Service Attacks
cPanel, a leading provider of web hosting control panel software, has recently disclosed three critical security vulnerabilities affecting its cPanel & WHM platforms. These vulnerabilities, identified as CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203, pose significant risks, including arbitrary file reads, remote code execution (RCE), and denial-of-service (DoS) attacks. Given the widespread use of cPanel & WHM in managing web servers globally, it is imperative for hosting providers and server administrators to address these issues promptly.
Overview of the Vulnerabilities
1. CVE-2026-29201: Arbitrary File Read via Path Traversal
This vulnerability resides in the `feature::LOADFEATUREFILE` adminbin call, which inadequately validates the feature file name parameter. By exploiting this flaw, an attacker can pass a relative path as an argument, causing the server to expose arbitrary files. This path traversal issue can lead to unauthorized access to sensitive system files, including configuration files, credentials, and private keys, potentially facilitating further system compromise.
2. CVE-2026-29202: Perl Code Injection in User Creation API
The most severe of the three, this vulnerability is found in the `create_user` API call, specifically related to the `plugin` parameter. Unsanitized input to this parameter allows attackers to inject and execute arbitrary Perl code on the server. Such remote code execution vulnerabilities can lead to full server takeover, data exfiltration, and the deployment of malware or backdoors across hosted environments.
3. CVE-2026-29203: Unsafe Symlink Handling
This flaw stems from unsafe symlink handling, permitting a user to change the permissions (`chmod`) of arbitrary files on the system. Exploitation of this vulnerability can disrupt critical system operations, resulting in denial-of-service conditions. Additionally, it could be combined with other vulnerabilities to escalate privileges and gain unauthorized administrative access.
Affected Versions and Patched Releases
All three vulnerabilities affect multiple versions of cPanel & WHM. cPanel has released patches across all active branches to address these issues. Administrators should update to one of the following versions or higher:
– 11.136.0.9
– 11.134.0.25
– 11.132.0.31
– 11.130.0.22
– 11.126.0.58
– 11.124.0.37
– 11.118.0.66
– 11.110.0.116
– 11.110.0.117
– 11.102.0.41
– 11.94.0.30
– 11.86.0.43
For WP Squared (WP2) users, upgrading to version 11.136.1.10 or higher is recommended.
Immediate Actions for Administrators
To mitigate the risks associated with these vulnerabilities, administrators should take the following steps:
1. Update cPanel & WHM Immediately
Run the forced update script to apply the latest patches:
“`bash
/scripts/upcp –force
“`
After the update, verify the installed version:
“`bash
/usr/local/cpanel/cpanel -V
“`
Ensure the version matches one of the patched releases listed above.
2. For Servers Running CentOS 6 or CloudLinux 6
Apply a direct update to version 110.0.114 by setting the upgrade tier:
“`bash
sed -i s/CPANEL=./CPANEL=cl6110/g /etc/cpupdate.conf
“`
Then, proceed with the update as described above.
Context and Implications
These vulnerabilities come on the heels of another critical cPanel flaw, CVE-2026-41940, which was exploited in the wild in April 2026. That vulnerability allowed attackers to bypass login mechanisms entirely, underscoring the importance of timely patching and vigilant security practices.
The recent disclosures highlight the ongoing challenges in securing web hosting environments. Given the critical nature of these vulnerabilities, especially the potential for remote code execution and denial-of-service attacks, it is crucial for administrators to act swiftly. Failure to address these issues promptly could lead to severe consequences, including unauthorized access, data breaches, and service disruptions.
Conclusion
The discovery of CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203 in cPanel & WHM underscores the need for continuous vigilance and prompt action in the face of emerging security threats. Administrators are urged to apply the necessary patches immediately to safeguard their servers and the data they host. Regular updates, comprehensive monitoring, and adherence to security best practices remain essential components of a robust defense strategy against such vulnerabilities.
