A newly identified bug in cPanel is drawing urgent attention across the web hosting industry, with security researchers warning that attackers are already attempting to exploit it in the wild. The flaw affects cPanel and WebHost Manager, two widely used tools that sit at the core of how millions of websites are managed globally.

The issue is being tracked as CVE-2026-41940 and has been described as an authentication bypass vulnerability. In simple terms, it allows a remote attacker to skip the login process entirely and gain administrative access to the system. Given the level of control cPanel holds over server operations, the implications are serious.

cPanel software is not a peripheral tool. It governs website files, email systems, databases, and server configurations. Once inside, an attacker would effectively have unrestricted access to sensitive data and the ability to manipulate or shut down services.

Security agencies have already raised concern about the scale of potential exposure. Canada’s national cybersecurity authority said exploitation is highly probable and urged immediate action, especially for shared hosting environments where multiple websites run on the same server. In such setups, a single breach could affect numerous sites at once.

There are signs that this vulnerability may not be entirely new to attackers. One hosting provider reported seeing suspicious activity linked to the flaw as early as February. While those attempts did not lead to confirmed compromises, they suggest that the weakness may have been quietly probed before becoming publicly known.

Major hosting companies have responded quickly. Some temporarily restricted access to cPanel interfaces while deploying fixes, a move aimed at limiting exposure during patching. Others have confirmed that updates have already been applied across their systems.

The developers behind cPanel have issued patches and are urging all users and hosting providers to ensure their systems are updated without delay. The warning applies to all supported versions of the software, underscoring the breadth of the issue.

For website owners, much of the responsibility now falls on their hosting providers. Those using managed hosting services may already be protected, but independent server operators will need to act directly.

The situation remains fluid, with no confirmed large-scale breaches reported so far. Even so, the nature of the flaw and its widespread reach have made it one of the more concerning security developments in recent months.