We are writing to inform you of an important security action being taken across our hosting infrastructure in response to a critical vulnerability disclosed by cPanel on April 29, 2026.
About the vulnerability
cPanel disclosed CVE-2026-41940, an authentication bypass vulnerability rated 9.8/10 (Critical) that affects all supported versions of cPanel & WHM. The flaw could allow unauthorised access to cPanel and WHM interfaces, and exploitation activity has been observed in the wild prior to public disclosure.
What we have done
As soon as the patch was released by cPanel, we applied the security update across our entire server fleet. Patching alone, however, is not sufficient — any sessions, passwords, or API tokens that may have been exposed during the pre-disclosure period must also be invalidated.
Out of an abundance of caution, we are therefore taking the following additional steps on every server:
- Purging all active cPanel and WHM sessions — all currently logged-in users will be signed out and asked to log in again.
- Revoking all cPanel and WHM API tokens — every API token currently configured on our servers will be removed.
- Force-resetting all cPanel and WHM passwords — all account passwords are being rotated.
What this means for you
Please review the actions you may need to take:
- Setting your new password. You can set a new password for your cPanel account or reseller WHM account at any time from your. We recommend doing this at your earliest convenience so you can continue accessing your hosting interface without interruption.
- Re-creating API tokens. If you use any external integration that connects to your hosting account using an API token — including WHMCS, backup tools, monitoring services, or custom scripts — that integration will stop working until you generate a new API token from within your cPanel or WHM account and update it in the connecting application. The most common case is WHMCS server connections, which will need a new token configured in WHMCS → Setup → Servers.
- Webmail access. Active webmail sessions will be signed out as part of the session purge. Users can log back in normally with their existing email passwords (which are not affected by this action).
For our reseller clients
If you operate a reseller account with us, please notify your end users about this change. Your customers will be signed out of cPanel, will need to set new passwords, and will need to re-create any API tokens they have configured in third-party applications. We have prepared this notice in a format you may adapt and forward to your own customers if helpful.
Need help?
If you have any questions, encounter issues setting your new password, or need assistance reconnecting WHMCS or another integration, please open a support ticket through your client portal and our team will assist you promptly.
We sincerely apologise for the inconvenience these precautions cause and thank you for your understanding. The security of your hosting environment is our highest priority, and these measures are being taken to protect it.