cPanel and WHM emergency update fixes critical authentication bypass bug

cPanel and WHM administrators are being urged to patch immediately after cPanel released an emergency update for a critical authentication bypass vulnerability on April 29, 2026. Hosting providers began responding quickly, with Namecheap temporarily blocking ports 2083 and 2087 to reduce exposure while customers update affected systems.

Context

The incident centers on a severe authentication bypass issue affecting cPanel and WHM deployments. Although direct retrieval of the official advisory is unavailable in this workflow, cPanel published a security bulletin addressing the flaw and released patched builds across multiple supported branches.

Details

The fixed versions listed for the emergency release are 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5. Administrators are advised to force the update process with the command /scripts/upcp --force and verify that systems move onto the corrected branch version without delay.

Provider response

Namecheap temporarily blocked inbound access to ports 2083 and 2087, commonly used for cPanel and WHM, as a defensive measure during the response window. That step highlights the seriousness of the bug and the likelihood of active concern across shared hosting and managed server environments.

Implications

Any authentication bypass in a control panel as widely deployed as cPanel can create outsized risk, including unauthorized administrative access, downstream account compromise, and rapid cross-tenant impact in hosting environments. Teams should patch immediately, review access logs, confirm exposure on internet-facing management ports, and coordinate with upstream providers if temporary network restrictions remain in place.

Source attribution

This report is based on BleepingComputer's coverage of the emergency fix, while noting that cPanel also published a security bulletin and hosting providers such as Namecheap enacted temporary safeguards during the rollout.