cPanel & WHM Security Advisory: CVE-2026-29201, CVE-2026-29202, CVE-2026-29203
A new security vulnerability has been identified in cPanel & WHM through a trusted disclosure source. The cPanel engineering team is actively developing patches and has issued an early advisory so administrators can prepare servers ahead of patch availability.
To protect customers prior to patch release, full technical details will be published on the cPanel support page at the same time the patch is made available — not before.
CVE Identifiers
CVE-2026-29201CVE-2026-29202CVE-2026-29203
Patch Release & Affected Versions
The patch will be available on May 08 at 12:00 PM EST and distributed through:
- The standard cPanel automatic update process
- The manual update process via
/scripts/upcp
Recommendation: Perform a manual update with /scripts/upcp as soon as the patch is released rather than waiting for the automatic update window.Patched Versions
| Version Branch | Patched Build |
|---|---|
| Refer to the official cPanel advisory screenshot for exact patched build numbers | — |
⚠️ If you are running an unsupported version of cPanel & WHM not listed in the official advisory, update to the latest version using /scripts/upcp.Prepare Now
- Identify affected servers. Review all servers running the affected version branches listed in the official advisory.
- Check the update configuration. For servers where automatic updates are disabled or version-pinned, review
/etc/cpupdate.confnow so there are no delays when the patch lands. - Brief your team. If your environment requires a maintenance window, notify the relevant stakeholders in advance so they are ready to act.
- Manual update. If your team wishes to update impacted servers before the automatic update is triggered, run:
/scripts/upcp
once the patch is made available.
⚠️ Note for CloudLinux 6 Users
Before manually updating, set the update tier to the cl6110 branch:
sed -i "s/CPANEL=.*/CPANEL=cl6110/g" /etc/cpupdate.conf
Then run:
/scripts/upcp
Next Steps
cPanel will follow up the moment the patch is live with full technical details and remediation steps. Monitor the official cPanel support page and your registered notification email for the release announcement.
Pre-Patch Hardening Recommendations from Servarat
While waiting for the patch, consider tightening exposure on WHM/cPanel-facing services:
- Restrict WHM (
:2087), cPanel (:2083), and Webmail (:2096) ports at the firewall (CSF/UFW) to known admin IPs where feasible. - Verify
cphulkdbrute-force protection is active and thresholds are sane. - Review
/var/cpanel/logs/and/usr/local/cpanel/logs/for any anomalous access patterns ahead of patching. - Confirm root SSH key-only auth and 2FA on WHM are enforced.
- Take a fresh configuration backup (
/var/cpanel/,/etc/cpupdate.conf, custom scripts) before running/scripts/upcp.
