
cPanel WHM Privilege Escalation Vulnerabilities Get Patches

Updated on May 09, 2026

cPanel has issued security patches for three vulnerabilities in its cPanel/WHM software that may allow attackers to read arbitrary files, execute Perl scripts, and escalate their privileges via unsafe symlink handling.

These three cPanel/WHM privilege escalation vulnerabilities are tracked as CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203, and affect a wide range of cPanel versions across many major release branches.

Although there is currently no evidence that these specific cPanel/WHM privilege escalation vulnerabilities have been exploited in the wild, this announcement came just days after news that another severe cPanel vulnerability (CVE-2026-41940) was weaponized as a zero-day by criminals to deliver variants of the Mirai botnet and a new ransomware strain known as Sorry.

CVE-2026-29201: Arbitrary File Read 

The first cPanel WHM escalation vulnerability, tracked as CVE-2026-29201, has a Moderate CVSS rating of 4.3. This vulnerability relates to the administration feature, specifically the validation of the file name passed to the feature::LOADFEATUREFILE adminbin call.

An attacker who successfully exploits this vulnerability would have the ability to read arbitrary files from a cPanel WHM system, and while the CVSS rating is not significant, an attacker could potentially obtain sensitive information (e.g. configuration files, API keys, database user credentials).

The vulnerability arises because the adminbin call does not validate the file name passed to the LOADFEATUREFILE method. This allows authenticated malicious users to supply a file name reference that performs directory traversal, letting them read files that they would otherwise not be able to.
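
The bug class described above, shown as an added Python illustration rather than cPanel's own code: an unvalidated file name next to a resolver that allowlists the name and confirms the resolved path stays inside its directory. The function names, the allowlist pattern and the temporary directory layout are assumptions made for the example.

```python
import os
import re
import tempfile

# Assumption: names are short tokens; the character set cPanel allows is not
# stated in the article, so this allowlist is illustrative.
NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def naive_resolve(base_dir, name):
    # No validation: "../" sequences or an absolute path escape base_dir.
    return os.path.normpath(os.path.join(base_dir, name))


def resolve_feature_file(base_dir, name):
    # 1. Allowlist the name itself. fullmatch() also rejects a trailing newline,
    #    path separators and NUL bytes because none are in the character class.
    if not NAME_RE.fullmatch(name) or ".." in name:
        raise ValueError(f"rejected file name: {name!r}")
    # 2. Resolve symlinks and confirm the result is still inside base_dir.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"{name!r} resolves outside {base}")
    return candidate


def classify(base_dir, names):
    """Map each requested name to 'ok' or 'rejected'."""
    verdicts = {}
    for name in names:
        try:
            resolve_feature_file(base_dir, name)
            verdicts[name] = "ok"
        except ValueError:
            verdicts[name] = "rejected"
    return verdicts


if __name__ == "__main__":
    # Constructed layout: a feature directory next to a file that must stay private.
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "features")
        os.mkdir(base)
        open(os.path.join(base, "default"), "w").close()
        secret = os.path.join(root, "secret.conf")
        open(secret, "w").close()
        os.symlink(secret, os.path.join(base, "sneaky"))
        print(classify(base, ["default", "../secret.conf", "/etc/passwd", "sneaky"]))
```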

CVE-2026-29202: Arbitrary Code Execution in Perl

The second vulnerability, tracked as CVE-2026-29202, has a far greater impact than the previous issue, with a High CVSS rating of 8.8. The bug stems from insufficient validation of the plugin definition in the Create_user API call.

An authenticated attacker can exploit this vulnerability to run arbitrary Perl code as the compromised account's system user, and will subsequently gain access to that account as if they had been authenticated. Running arbitrary Perl code on a cPanel server is very risky because cPanel itself is written in Perl and most of its other administrative functions are handled by Perl scripts.

It is therefore possible that after an attacker has gained the ability to run arbitrary Perl code, they will be able to manipulate virtually every aspect of the hosting environment.

An attacker can inject malicious Perl code into the plugin definition parameter of the Create_user API call, which is not sanitized or otherwise validated before it is passed to the Perl interpreter.

CVE-2026-29203: Unsafe Symlink Handling

The third cPanel WHM privilege escalation vulnerability, CVE-2026-29203, is rated high severity. Attackers can exploit symbolic links (symlinks) to gain elevated privileges within WHM through a design flaw in how cPanel handles symlinks.

An attacker can create a symbolic link to a sensitive file using cPanel, then use cPanel's chmod functionality to modify that file's permissions.

Changing the permissions of a critical system file through cPanel could cause a denial-of-service condition (making the system unresponsive) or allow an attacker to escalate their privileges and take control of the server by modifying the permissions of setuid binaries or SSH configuration files.
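
Why a chmod that follows symlinks is unsafe and what a hardened version looks like, as an added Python illustration (not cPanel's code or its actual fix). The function names and temporary files are constructed for the example; `safe_chmod` opens the path with O_NOFOLLOW, checks the opened file, and changes the mode through the file descriptor.

```python
import os
import stat
import tempfile


def naive_chmod(path, mode):
    # os.chmod() follows symlinks: the new mode lands on the link's target.
    os.chmod(path, mode)


def safe_chmod(path, mode, expected_uid):
    # O_NOFOLLOW makes open() fail if the final path component is a symlink.
    # (Symlinked parent directories are not covered by this flag.)
    # O_NONBLOCK avoids hanging if a FIFO was planted at the path.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        st = os.fstat(fd)  # inspect the object actually opened, not the path
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != expected_uid:
            raise PermissionError(f"{path}: not owned by uid {expected_uid}")
        # Operate on the descriptor so the target cannot be swapped after the
        # checks, and never grant setuid/setgid/sticky bits.
        os.fchmod(fd, mode & 0o777)
    finally:
        os.close(fd)


def demo():
    """Return (mode after naive chmod, safe_chmod refused?, mode after safe attempt)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "sensitive.conf")  # constructed stand-in file
        link = os.path.join(d, "user_link")
        with open(target, "w") as fh:
            fh.write("secret\n")
        os.chmod(target, 0o600)
        os.symlink(target, link)

        naive_chmod(link, 0o644)
        after_naive = stat.S_IMODE(os.stat(target).st_mode)

        os.chmod(target, 0o600)  # reset before the hardened attempt
        try:
            safe_chmod(link, 0o644, os.getuid())
            refused = False
        except OSError:
            refused = True
        after_safe = stat.S_IMODE(os.stat(target).st_mode)
        return after_naive, refused, after_safe


if __name__ == "__main__":
    print(demo())
```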

Affected Versions

The cPanel WHM privilege escalation vulnerabilities affect a wide range of cPanel and WHM versions, and the patches have been released across multiple release branches.

Patched cPanel and WHM versions include:
11.136.0.9 and higher
11.134.0.25 and higher
11.132.0.31 and higher
11.130.0.22 and higher
11.126.0.58 and higher
11.124.0.37 and higher
11.118.0.66 and higher
11.110.0.116 and higher
11.110.0.117 and higher
11.102.0.41 and higher
11.94.0.30 and higher
11.86.0.43 and higher

For WP Squared users, patched version 11.136.1.10 and higher addresses the cPanel WHM privilege escalation vulnerabilities, and cPanel has also released version 110.0.114 as a direct update for customers who are still on CentOS 6 or CloudLinux 6.

If your cPanel version is lower than the patched version for its release branch, your server is vulnerable to one or more of the cPanel WHM privilege escalation vulnerabilities.

The Zero-Day Connection

The cPanel WHM privilege escalation vulnerabilities disclosure comes at a concerning time because another critical cPanel flaw (CVE-2026-41940) was recently weaponized as a zero-day by threat actors.

That separate vulnerability was used to deliver Mirai botnet variants and a ransomware strain called Sorry, and this demonstrates that attackers are actively targeting cPanel servers and watching for new vulnerabilities to exploit.

While the cPanel WHM privilege escalation vulnerabilities have not been observed in the wild yet, past experience shows that attackers often reverse-engineer patches to understand the underlying flaws, and then they develop exploits for unpatched servers.

Who Is Affected

The cPanel WHM privilege escalation vulnerabilities affect any server running cPanel and WHM with an unpatched version, and this includes shared hosting providers, reseller hosting accounts, and dedicated servers managed with cPanel.

If you are a website owner using a shared hosting provider, your provider is responsible for patching the cPanel WHM privilege escalation vulnerabilities, but you should confirm with them that updates have been applied.

If you manage your own cPanel server, you are directly responsible for applying these patches, and delaying the update leaves your server exposed to potential attacks.

How to Patch

Updating cPanel is straightforward for server administrators: log into WHM as root, navigate to the cPanel update interface, and install the latest available version.

You can also update from the command line by running /scripts/upcp or using the whmapi1 update_cpanel command, and after updating you should verify that your version matches or exceeds the patched versions listed above.

The cPanel WHM privilege escalation vulnerabilities are fixed in the patches, and there is no workaround that fully mitigates these issues without updating.

Potential Impact

If the cPanel WHM privilege escalation vulnerabilities are not patched, a breach can have severe consequences.

An attacker can read any other file on the server using the CVE-2026-29201 flaw. This includes config files with database passwords, API keys to cloud-based services, or SSL private keys.

CVE-2026-29202 allows arbitrary Perl code execution, and this is the most dangerous of the cPanel WHM privilege escalation vulnerabilities because Perl code can do almost anything on a cPanel server, including creating new administrative users, modifying website content, and installing backdoors.

CVE-2026-29203 allows permission modification via symlink attacks, and an attacker could change permissions on critical system files to gain write access where they should only have read access, or they could break the system entirely causing denial-of-service.

No Active Exploitation Yet

cPanel has stated that there is no evidence the cPanel WHM privilege escalation vulnerabilities have been exploited in the wild at the time of disclosure, but this is cold comfort because the vulnerabilities are now public.

Security researchers and attackers alike can study the patch to understand exactly how to exploit the cPanel WHM privilege escalation vulnerabilities, and the window between patch release and active exploitation is often measured in days or hours.

The recent zero-day exploitation of CVE-2026-41940 shows that threat actors are actively targeting cPanel, and they will likely add these cPanel WHM privilege escalation vulnerabilities to their arsenal soon.

How to Protect Your Server

The cPanel WHM privilege escalation vulnerabilities are serious, but you can protect your server.

1. Update immediately. Run the cPanel update process today and do not wait for a scheduled maintenance window; the cPanel WHM privilege escalation vulnerabilities are already public knowledge.

2. Confirm your version. After updating, confirm that your cPanel version matches or exceeds one of the patched versions listed above by running cat /usr/local/cpanel/version from the command line.

3. Audit user accounts. Exploiting any of the cPanel WHM privilege escalation vulnerabilities requires an authenticated, logged-in user, so you should audit the cPanel and WHM users and look for any that you suspect may be unauthorized or inactive.

4. Monitor for strange actions. Signs that someone is abusing the cPanel WHM software include unexpected feature::LOADFEATUREFILE adminbin calls, strange create_user API requests with suspicious plugin variables, and unexpected chmod actions on system files.

5. Apply principle of least privilege. The cPanel WHM privilege escalation vulnerabilities allow attackers to act within the permissions of the compromised account, so limit what each cPanel user can do and use separate accounts for different purposes.
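
The version comparison called for under Affected Versions and in step 2 above, as an added Python script (not a cPanel tool). The minimum builds are copied from the list in this article; the assumption is that /usr/local/cpanel/version holds a dotted version string with or without the leading "11.", and the `--el6` switch is a name chosen for this example.

```python
#!/usr/bin/env python3
"""Compare a cPanel & WHM version with the patched builds listed in this article."""
import sys

# (branch, point) -> minimum patched build, with the leading "11." dropped.
PATCHED = {
    (136, 0): 9, (134, 0): 25, (132, 0): 31, (130, 0): 22,
    (126, 0): 58, (124, 0): 37, (118, 0): 66,
    (110, 0): 116,  # the list names both .116 and .117; the lower bound is used
    (102, 0): 41, (94, 0): 30, (86, 0): 43,
    (136, 1): 10,   # WP Squared
}
EL6 = {(110, 0): 114}  # direct update for CentOS 6 / CloudLinux 6


def parse(version):
    """'11.136.0.9' or '136.0.9' -> (136, 0, 9); raises ValueError otherwise."""
    parts = [int(p) for p in version.strip().split(".")]
    if len(parts) == 4 and parts[0] == 11:
        parts = parts[1:]
    if len(parts) != 3:
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(parts)


def status(version, el6=False):
    """Return 'patched', 'vulnerable' or 'unknown-branch' (check the advisory)."""
    branch, point, build = parse(version)
    table = {**PATCHED, **EL6} if el6 else PATCHED
    minimum = table.get((branch, point))
    if minimum is None:
        return "unknown-branch"
    return "patched" if build >= minimum else "vulnerable"


if __name__ == "__main__":
    try:
        with open("/usr/local/cpanel/version") as fh:
            found = fh.read()
        result = status(found, el6="--el6" in sys.argv)
    except (OSError, ValueError) as exc:
        sys.exit(f"cannot determine version: {exc}")
    print(f"{found.strip()}: {result}")
    sys.exit(0 if result == "patched" else 1)
```

A branch that is not in the article's list is reported as unknown-branch rather than guessed at; check cPanel's advisory for those.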

The Sorry Ransomware Connection

The timing of the cPanel WHM privilege escalation vulnerabilities disclosure is noteworthy because of the recent zero-day attack delivering Sorry ransomware.

Sorry ransomware is a relatively new strain, and its operators have been actively targeting cPanel servers through CVE-2026-41940, and they deploy Mirai botnet variants alongside the ransomware for maximum impact.

If attackers can chain these cPanel WHM privilege escalation vulnerabilities with other exploits, they could gain initial access through one vector and then escalate privileges using another, leading to complete server compromise.

Final Thoughts

The cPanel WHM privilege escalation vulnerabilities are three distinct flaws in one of the world's most popular hosting control panels, and they range from medium to high severity.

CVE-2026-29201 allows arbitrary file reading, CVE-2026-29202 allows arbitrary Perl code execution, and CVE-2026-29203 allows privilege escalation through unsafe symlink handling. Together they represent a significant risk to unpatched cPanel servers.

The cPanel WHM privilege escalation vulnerabilities are fixed now, but the fix only works if you apply it, and with attackers actively targeting cPanel (as seen with the recent zero-day delivering Sorry ransomware), delaying your update is a gamble.

Check your cPanel version today, update if needed, and verify that your server is running a patched release, because the next wave of attacks is likely already being prepared.

FAQ Section

Q1: What cPanel versions are affected by CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203?
The cPanel WHM privilege escalation vulnerabilities affect a wide range of versions including 11.86 through 11.136, and patched versions include 11.136.0.9, 11.134.0.25, 11.132.0.31, 11.130.0.22, 11.126.0.58, and many others. Check cPanel's official advisory for the complete list.

Q2: Have the cPanel WHM privilege escalation vulnerabilities been exploited in the wild?
As of the disclosure, cPanel stated there is no evidence that CVE-2026-29201, CVE-2026-29202, or CVE-2026-29203 have been exploited in the wild, but another cPanel zero-day (CVE-2026-41940) was recently used to deliver Mirai botnets and Sorry ransomware.

Q3: What is the most severe of the three cPanel WHM privilege escalation vulnerabilities?
CVE-2026-29202 with a CVSS score of 8.8 is the most severe because it allows arbitrary Perl code execution via the create_user API call, and an attacker who can execute Perl code can compromise the entire cPanel installation.

Q4: Will servers without symlinks be impacted by CVE-2026-29203?
cPanel's chmod functionality does not handle symlinks safely (CVE-2026-29203). This leaves all server types, including those that do not use symlinks, vulnerable to exploitation via maliciously crafted symlinks.

Q5: Do website owners have the ability to patch cPanel vulnerabilities?
It depends on your hosting provider; only your host has the ability to update both cPanel and WHM. If possible, contact your hosting provider to confirm that they have patched both programs. If you manage your own server (and have access to the cPanel interface), run the cPanel update immediately.

Source: The Hacker News