Important Security Notice: CVE-2026-41940 & CVE-2026-31431
We are writing to inform all of our web hosting clients about two significant security vulnerabilities that were publicly disclosed on 30 April 2026. As a hosting provider, transparency and security are our top priorities. This post explains what happened, what we have done about it, and what you can do to protect yourself going forward.
What is a CVE?
A CVE (Common Vulnerabilities and Exposures) is a publicly disclosed security flaw in software or hardware. Each CVE is assigned a unique identifier (e.g. CVE-2026-41940) and published in a global database maintained by MITRE Corporation and the National Vulnerability Database (NVD).
When a CVE is published, it contains details about the vulnerability, which software is affected, how severe it is, and — importantly — how it can be exploited. This information is available to everyone, including attackers.
⚠️ Why Speed Matters: The window between a CVE being published and attackers exploiting it can be measured in hours, not days. Automated scanning tools immediately probe the internet for unpatched systems. In this incident, attacks against our systems began within hours of the CVE announcement on 30 April 2026.
The Two Vulnerabilities
CVE-2026-41940 — cPanel & WHM Authentication Bypass (Critical)
A critical flaw in the cPanel and WHM hosting control panel software that allowed an unauthenticated attacker to bypass login entirely — gaining full administrative access to a hosting server without a username or password.
CVE-2026-31431 — Linux Kernel Local Privilege Escalation (High)
A flaw in the Linux kernel’s cryptographic subsystem that allowed a local user with limited access to escalate their privileges to root — giving them full control of the operating system.
ℹ️ Combined Impact: Used together, these two vulnerabilities provided a complete attack chain: gain unauthorised access via CVE-2026-41940, then escalate to full root control via CVE-2026-31431. This is exactly the kind of chained exploit that serious attackers employ.
Why Keeping Up With Security Announcements Matters
For ISPs, hosting providers, MSPs and webmasters, staying across CVE announcements is not optional — it is a fundamental responsibility.
You are responsible for more than just your own data. Hosting providers and MSPs hold the keys to dozens or hundreds of client websites, email accounts, and databases. A single unpatched vulnerability on a shared server can expose every client on that server simultaneously.
Attackers move faster than most realise. Automated vulnerability scanners constantly probe the internet. Within minutes of a CVE being published, tools are updated and scanning begins. Providers that patch within hours are protected; those that wait days or weeks are exposed during that entire window.
The consequences cascade. A compromised server is not just a technical problem. It can result in data breaches, spam being sent from your domain, SEO blacklisting, client data theft, and significant reputational damage — all flowing from a single unpatched flaw.
What Can Happen When Vulnerabilities Are Not Patched
- 🔓 Unauthorised Access — Attackers gain full control of servers, websites, and databases without needing a password.
- 💉 Malware Injection — Malicious code is planted across websites — often invisible to the site owner but actively running.
- 📤 Data Exfiltration — Database passwords, customer data, and credentials are silently sent to attacker-controlled servers.
- 📧 Spam & Phishing — Compromised servers are used to send thousands of spam or phishing emails, damaging your domain reputation.
- 🌐 Website Defacement — Attackers replace or modify website content, redirect visitors, or take sites completely offline.
- 📉 SEO & Reputation Damage — Google and browsers blacklist compromised sites, destroying search rankings and visitor trust.
- 💸 Financial & Legal Exposure — Data breach obligations, client notifications, and potential liability under privacy legislation.
- 🔄 Persistent Backdoors — Attackers install self-replicating backdoors that survive reboots and are difficult to detect or remove.
What Approved Systems Has Done
As soon as these vulnerabilities were identified on our systems, our team worked around the clock to contain, remediate, and harden every aspect of our hosting infrastructure.
✅ Patched CVE-2026-41940 — cPanel upgraded to version 11.118.0.63, closing the authentication bypass.
✅ Mitigated CVE-2026-31431 — The vulnerable kernel module has been disabled as an interim measure pending the official kernel patch release.
✅ Removed all malware — A thorough sweep identified and removed all planted malware files, backdoors, and malicious scripts across every hosted account.
✅ Restored all WordPress core files — Every WordPress installation across our servers had its core files verified against official checksums and restored to clean versions.
✅ Cleaned all configuration files — Backdoor code injected into WordPress configuration files was identified and removed from all affected sites.
✅ Rotated database credentials — Passwords for databases on affected accounts have been changed to prevent ongoing unauthorised access.
✅ Blocked attacker IP addresses — Known attacker IPs have been permanently blocked at the firewall level.
✅ Discovered and cleaned pre-existing infections — During our investigation we uncovered malware infections on a number of hosted websites that appear to predate this current exploit. While we cannot confirm these were directly linked to CVE-2026-41940, we took the opportunity to clean and restore all affected sites as part of our remediation work. These infections may have gone unnoticed for some time and serve as a reminder of how important regular security scanning is for any website.
✅ Reset all WordPress admin passwords — As a precautionary measure, WordPress administrator passwords for all hosted client sites have been reset. We are contacting each client individually to deliver new credentials securely.
✅ Current Status: All hosted websites are operational. All known threats have been removed. Our systems are patched and hardened. We are continuing to monitor for any residual activity and will provide further updates if needed.
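The core-file verification step above, as an added illustration that is not Approved Systems' own tooling: a constructed manifest in the shape of the WordPress core checksums JSON (relative path to MD5) is checked against a throwaway install containing one tampered core file and one PHP file no manifest lists. The sample file contents, the tamper marker and the dropped file are all constructed; wp-content/ is skipped because the official checksums do not cover site-specific content.

```python
import hashlib
import os
import tempfile

# Constructed stand-in files and a manifest shaped like the checksums JSON
# served by https://api.wordpress.org/core/checksums/1.0/?version=<v>&locale=<l>
SAMPLE_FILES = {
    "index.php": "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
    "wp-blog-header.php": "<?php\n// constructed stand-in, not the real file\n",
}
SAMPLE_MANIFEST = {"checksums": {p: hashlib.md5(c.encode()).hexdigest()
                                 for p, c in SAMPLE_FILES.items()}}

def md5_of(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def verify_core(root, manifest):
    """Return (modified, missing, unexpected) relative paths: manifest entries
    whose hash differs / whose file is absent, and .php files on disk that no
    manifest entry covers (a common place for dropped shells)."""
    checksums = manifest["checksums"]
    modified, missing, unexpected = [], [], []
    for rel, expected in checksums.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            missing.append(rel)
        elif md5_of(full) != expected:
            modified.append(rel)
    for dirpath, dirs, files in os.walk(root):
        dirs[:] = [d for d in dirs if d != "wp-content"]  # not in the checksums
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if name.endswith(".php") and rel not in checksums:
                unexpected.append(rel)
    return sorted(modified), sorted(missing), sorted(unexpected)

def demo():
    """Build a throwaway install, tamper with one core file, drop one extra file."""
    root = tempfile.mkdtemp()
    for rel, content in SAMPLE_FILES.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(content.encode())
    with open(os.path.join(root, "index.php"), "ab") as f:
        f.write(b"// constructed tamper marker\n")  # simulated injection
    with open(os.path.join(root, "dropped.php"), "wb") as f:
        f.write(b"<?php // constructed file absent from the manifest\n")
    return verify_core(root, SAMPLE_MANIFEST)
```

Against a real install, fetch the manifest for the installed version and locale and pass the site root; anything reported as modified or unexpected warrants manual review before restoring or deleting it.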
A Note on Password Security
This incident is a timely reminder that password hygiene is one of the most important — and most overlooked — aspects of online security.
- Use a reputable password manager. Tools like Bitwarden, 1Password, Dashlane, or KeePassXC generate and store strong, unique passwords for every account — so you only need to remember one master password.
- Never store passwords in a plain text file. A .txt file, Word document, spreadsheet, or sticky note is not secure storage. If your device is compromised, every password is exposed instantly.
- Use a unique password for every account. Reusing passwords means a breach of one service exposes all others. Password managers make this effortless.
- Make passwords long and random. Aim for at least 16 characters. A password manager will generate these for you.
- Enable two-factor authentication (2FA) wherever possible. Even if a password is compromised, 2FA prevents unauthorised access without a second verification step.
- Change passwords promptly after any security incident. If you believe your credentials may have been exposed, change them immediately.
Recommended Password Managers: Bitwarden (free & open source) · 1Password · Dashlane · KeePassXC (offline) · NordPass
Questions or Concerns?
If you have not yet received your new credentials, or have any questions about this security incident, please contact our support team — we are happy to walk you through the process.
