cPanel and WHM Authentication Bypass Exploit

This module verifies CVE-2026-41940, an authentication bypass vulnerability affecting cPanel and WHM. The issue can be triggered by injecting CRLF-controlled values through an HTTP Basic Authorization header, allowing a pre-authenticated WHM session file to be poisoned and later accepted as an authenticated root WHM session.

The module first discovers the canonical cPanel hostname, requests a pre-authenticated WHM session cookie, sends the crafted Authorization payload with that session cookie, and extracts the resulting cpsess token from the WHM redirect. After obtaining the cpsess token, the module triggers WHM session propagation and verifies the bypass by reaching the authenticated WHM JSON API version endpoint. Successful access to that endpoint confirms that authenticated WHM API access was reached through the bypass.

Once verified, the module attempts to create a cPanel account using the USERNAME, PASSWORD, and DOMAIN parameters. If those values are not provided, the module generates safe defaults for the username, password, and domain. Successfully created credentials are stored in an Impact Identity for later use. If the LIST USERS parameter is enabled, the module also queries WHM json-api/listaccts and reports the cPanel usernames returned by the target.
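
A defensive check for the header behaviour described above, as an added example that is not part of the original module description or of cPanel: it decodes each Basic Authorization value and flags credentials that contain CR, LF or other control bytes. It assumes the injected bytes are visible in the base64-decoded credentials; the function names and the sample requests are constructed for illustration.

```python
import base64
import binascii

# Bytes that have no place in a username or password: ASCII control
# characters (CR and LF included) and DEL.
CONTROL_BYTES = frozenset(range(0x20)) | {0x7F}


def inspect_basic_auth(header_value):
    """Return "absent", "not-basic", "malformed", "suspicious" or "ok"."""
    if not header_value:
        return "absent"
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return "not-basic"
    try:
        # validate=True rejects characters outside the base64 alphabet
        decoded = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if b":" not in decoded:
        return "malformed"  # Basic credentials are always user:password
    if any(byte in CONTROL_BYTES for byte in decoded):
        return "suspicious"  # CR/LF or other control byte inside credentials
    return "ok"


def _basic(raw):
    """Build a Basic header value from raw credential bytes (sample helper)."""
    return "Basic " + base64.b64encode(raw).decode("ascii")


# Constructed sample requests (source address, Authorization header);
# documentation-range addresses, not real traffic.
SAMPLES = [
    ("198.51.100.7", _basic(b"admin:correct horse")),
    ("203.0.113.9", _basic(b"user:x\r\nconstructed=1")),
    ("203.0.113.9", "Basic !!!not-base64!!!"),
    ("198.51.100.8", "Bearer abc.def.ghi"),
]


def flag_requests(samples):
    """Return the (source, verdict) pairs that deserve a reviewer's attention."""
    verdicts = ((src, inspect_basic_auth(hdr)) for src, hdr in samples)
    return [(src, v) for src, v in verdicts if v in ("suspicious", "malformed")]


if __name__ == "__main__":
    for source, verdict in flag_requests(SAMPLES):
        print(source, verdict)
```

The same test can run in a reverse proxy or WAF rule in front of the WHM login endpoints, rejecting requests whose verdict is "suspicious" or "malformed" before they reach the service.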