cPanel issued advance notice to hosting operators on May 8, 2026 that three new vulnerabilities in cPanel and WHM are being patched today at 12:00pm EST. The CVE identifiers are CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203. Technical details about all three are being withheld until the patch is available. The notification states that “full technical details will be published on our support page at the same time the patch is released.”

This is the second cPanel security event in ten days. CVE-2026-41940, the authentication bypass with a CVSS score of 9.8, was disclosed on April 28 and had been actively exploited since at least February 23. That is a 64-day window during which approximately 1.5 million internet-exposed cPanel instances had no patch available and no public advisory. The approach on May 8 is different: advance notice before the patch drops, with technical details deliberately withheld until the fix is in place.

What Is Confirmed

All three CVE identifiers are confirmed as RESERVED at the National Vulnerability Database, meaning they have been formally assigned but details are not yet public. The patch will be distributed through the standard cPanel automatic update process. cPanel strongly recommends performing a manual update using /scripts/upcp once the patch is made available rather than waiting for the automatic cycle.

For servers where automatic updates are disabled or version-pinned, the notification advises reviewing /etc/cpupdate.conf ahead of the patch window so there are no delays when it lands.

CloudLinux 6 users have a specific requirement before running the manual update: the update tier must be set to the cl6110 branch first by running:

sed -i "s/CPANEL=.*/CPANEL=cl6110/g" /etc/cpupdate.conf

Skipping this step on CloudLinux 6 servers before updating is the specific risk cPanel flagged in the advance notification.
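
The pre-patch review described above can be scripted. The following is an added example, not cPanel's own tooling: the function names and finding labels are hypothetical, and it assumes /etc/cpupdate.conf holds KEY=value lines with UPDATES set to daily, manual or never and CPANEL set to a tier name or a pinned version number. The caller says whether the host is CloudLinux 6.

```shell
#!/bin/sh
# Added example: audit a cpupdate.conf-style file ahead of a patch window.
# Assumption: KEY=value lines; UPDATES=daily|manual|never; CPANEL=<tier or version>.

# conf_value FILE KEY -> prints the last value assigned to KEY (empty if absent)
conf_value() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# audit_cpupdate FILE IS_CL6(0|1) -> prints one finding per line,
# returns 0 when nothing needs attention, 1 on findings, 2 if unreadable
audit_cpupdate() {
    conf=$1; is_cl6=${2:-0}; findings=0
    [ -r "$conf" ] || { echo "UNREADABLE: $conf"; return 2; }
    updates=$(conf_value "$conf" UPDATES)
    tier=$(conf_value "$conf" CPANEL)

    case $updates in
        daily) ;;
        manual|never)
            echo "AUTO_UPDATES_OFF: UPDATES=$updates, run /scripts/upcp by hand"
            findings=1 ;;
        *)  echo "UPDATES_UNKNOWN: UPDATES='$updates'"; findings=1 ;;
    esac

    if [ "$is_cl6" = 1 ]; then
        # CloudLinux 6 must be on the cl6110 branch before the manual update
        [ "$tier" = cl6110 ] || {
            echo "CL6_BRANCH: CPANEL=$tier, expected cl6110"; findings=1; }
    else
        case $tier in
            [0-9]*) echo "VERSION_PINNED: CPANEL=$tier"; findings=1 ;;
            '')     echo "TIER_MISSING: no CPANEL= line"; findings=1 ;;
        esac
    fi
    return $findings
}

# Constructed sample: a version-pinned server with updates set to manual.
sample=$(mktemp)
printf 'CPANEL=11.110\nRPMUP=daily\nUPDATES=manual\n' > "$sample"
audit_cpupdate "$sample" 0 || echo "not ready for the patch window"
rm -f "$sample"
```

On a real server the first argument would be /etc/cpupdate.conf; the script only reads the file and changes nothing.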

What Is Not Yet Known

The severity, attack surface, and technical nature of CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203 are not publicly available ahead of the patch. Whether any of the three involves remote exploitation, whether authentication is required, and whether any evidence of in-the-wild exploitation exists have not been disclosed. cPanel’s stated reason for withholding this information is to avoid providing a roadmap for attackers before defenders have a fix available.

That rationale is worth taking at face value given recent history. CVE-2026-41940’s technical details were known to attackers for months before hosting operators had any advisory or patch to act on. The inverse, knowing a patch is coming but not knowing what it fixes, is considerably more defensible from a risk perspective.

Context: cPanel’s Disclosure Posture Is Changing

The advance notification on May 8 represents a different posture from cPanel’s handling of CVE-2026-41940, where no public advance notice was given before the advisory, and the industry discovered the vulnerability was already being exploited in the wild. The decision to notify operators ahead of today’s patch window, while withholding technical details, gives infrastructure teams time to prepare maintenance windows, brief relevant staff, and confirm that automatic updates are configured correctly, without simultaneously publishing an exploitation guide.

Whether this approach was driven by the industry response to the CVE-2026-41940 disclosure timeline, by internal policy changes at cPanel, or by the nature of the new vulnerabilities is not clear from the available information. What is clear is that the recommended action for any cPanel operator right now is the same regardless of what the technical details turn out to be: confirm update configuration, be ready to run /scripts/upcp when the patch lands, and apply the CloudLinux 6 branch fix first if applicable.