explaingit

olofsatte/cve-2026-41940-poc

18 · Python · Audience · developer · Complexity · 2/5 · Setup · easy

TLDR

A Python proof-of-concept showing a CVSS 10.0 authentication bypass in cPanel and WHM web hosting control panels, where an attacker can gain full admin access without any credentials by exploiting a session pre-initialization flaw. For authorized security research only.

Mindmap

mindmap
  root((repo))
    What It Does
      Bypass cPanel login
      Gain admin access
      Read files run commands
    How It Works
      Session pre-init flaw
      Crafted Auth header
      Server-side file write
    Tool Features
      Single target mode
      Bulk target list mode
      Post-access shell
    Scope
      Security research
      Bug bounty programs
      Authorized testing only


Things people build with this

USE CASE 1

Test whether your own cPanel or WHM server is vulnerable to CVE-2026-41940 before applying the vendor patch.

USE CASE 2

Use in an authorized bug bounty engagement against cPanel-hosted infrastructure to confirm and document the authentication bypass.

USE CASE 3

Study how session pre-initialization flaws in web control panels can be exploited to understand this class of server-side vulnerability.

USE CASE 4

Run against a lab environment to practice detection and incident response for unauthorized admin session access.

Tech stack

Python

Getting it running

Difficulty · easy · Time to first run · 5 min

Only run against systems you own or have explicit written authorization to test; unauthorized use is illegal in most jurisdictions.

In plain English

CVE-2026-41940-PoC is a Python tool that demonstrates a critical authentication bypass vulnerability in cPanel and WHM, two widely used web hosting control panel platforms. The vulnerability is rated CVSS 10.0, the highest severity score, meaning an attacker can gain full administrative access to a server without providing any credentials at all.

The flaw works by exploiting how cPanel and WHM handle login sessions. The server creates and partially initializes a session before fully checking whether the user has valid credentials. By sending crafted input through the Authorization header, an attacker can manipulate how session data is written to server-side files, ultimately tricking the system into treating the request as authenticated.

The tool, written as a Python script, accepts a target URL and can test a single server or work through a list of targets in parallel. Once the bypass succeeds, it provides post-access commands for reading files, executing operating system commands, listing hosted accounts, changing the root password, and opening an interactive shell. Six version ranges of cPanel and WHM are listed as affected, with specific patch versions identified for each.

The README states the tool is created solely for educational purposes and bug bounty programs, and that unauthorized use outside of controlled environments is prohibited. Bug bounty programs are schemes where software vendors pay security researchers to find and report vulnerabilities before malicious actors do.

This is a security research repository. Running it against systems you do not own or have explicit written permission to test is illegal in most jurisdictions.

Copy-paste prompts

Prompt 1
I have written permission to test a cPanel server. Walk me through running the CVE-2026-41940 PoC script against it and interpreting the output.
Prompt 2
Explain the session pre-initialization flaw in cPanel and WHM that CVE-2026-41940 exploits and what a secure session creation flow would look like instead.
Prompt 3
What WAF rules or server-side detections would catch an attempt to exploit CVE-2026-41940 via a crafted Authorization header?
Prompt 4
List the specific patched versions for each affected cPanel and WHM release that fix CVE-2026-41940 so I can verify my server is protected.

Verify against the repo before relying on details.