Detect CVE-2026-41940: WebPros cPanel & WHM / WP2 Missing Authentication for Critical Function in Google Chronicle
CVE-2026-41940 is an actively exploited missing authentication vulnerability (CWE-306) in WebPros cPanel & WHM and WP2 (WordPress Squared). Unauthenticated remote attackers can invoke critical administrative functions without valid credentials, enabling account takeover, malicious plugin installation, privilege escalation, and full server compromise. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
MITRE ATT&CK
YARA-L Detection Query
rule cve_2026_41940_cpanel_missing_auth {
meta:
author = "df00tech Detection Engineering"
description = "Detects unauthenticated exploitation of CVE-2026-41940 - WebPros cPanel & WHM and WP2 missing authentication for critical administrative functions"
severity = "CRITICAL"
priority = "HIGH"
reference = "https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026"
mitre_attack_tactic = "Initial Access"
mitre_attack_technique = "T1190"
events:
$e.metadata.event_type = "NETWORK_HTTP"
$e.network.http.method = /GET|POST/
(
$e.network.http.target_url = /\/json-api\// or
$e.network.http.target_url = /\/execute\// or
$e.network.http.target_url = /\/xmlapi\// or
$e.network.http.target_url = /\/wp-json\//
)
(
$e.network.http.target_url = /createacct/ or
$e.network.http.target_url = /removeacct/ or
$e.network.http.target_url = /passwd/ or
$e.network.http.target_url = /addpkg/ or
$e.network.http.target_url = /installplugin/ or
$e.network.http.target_url = /createuser/
)
$e.network.http.response_code >= 200
$e.network.http.response_code < 400
not $e.network.http.request_headers["authorization"] != ""
$e.principal.ip = $src_ip
condition:
$e
}Chronicle YARA-L rule detecting unauthenticated HTTP requests to cPanel & WHM and WP2 critical administrative API endpoints consistent with CVE-2026-41940 exploitation. Fires on successful responses to sensitive functions lacking an authorization header.
Data Sources
Required Tables
False Positives & Tuning
- cPanel API token authentication may use X-CPANEL-API-TOKEN headers not captured as standard Authorization header
- Backend service-to-service cPanel calls from trusted internal ranges that omit Authorization in favor of IP allowlisting
- Automated WordPress plugin update workflows in WP2 that use cookie sessions not visible in header inspection
Other platforms for CVE-2026-41940
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2026-41940 Unauthenticated cPanel Account Creation via JSON API
Expected signal: HTTP POST request to /json-api/createacct on port 2086 with HTTP 200 response and no Authorization header in web server access logs; corresponding cPanel audit log entry for account creation
- Test 2CVE-2026-41940 Unauthenticated Password Change via WHM XMLAPI
Expected signal: HTTP GET request to /xmlapi/passwd on port 2086 with HTTP 200 response visible in cPanel access logs; no session cookie or API token in request headers; cPanel audit log records password change event
- Test 3CVE-2026-41940 Unauthenticated WP2 Plugin Installation via WordPress REST API
Expected signal: HTTP GET and POST requests to /wp-json/wp/v2/plugins with HTTP 200/201 responses in web server access logs; WordPress debug log records plugin installation event; file system activity shows new directory creation under wp-content/plugins/
Unlock Pro Content
Get the full detection package for CVE-2026-41940 including response playbook, investigation guide, and atomic red team tests.