Impact statement: cPanel published May 8, 2026 security updates for CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203 affecting cPanel & WHM and WP Squared. These are not the same as the late-April cPanel authentication-bypass issue. They are authenticated-user risks, which still matters a lot on shared hosting because a normal hosting account should never be able to cross account boundaries, read sensitive files, run unsafe server-side code paths, or change permissions outside its lane.
If you operate a single-owner VPS with no untrusted hosting users, the urgency is lower than a public shared-hosting node. If you run shared hosting, reseller hosting, student hosting, agency hosting, or any server where customers receive cPanel accounts, treat this as a fast patch item.
What The May 8 cPanel Update Fixes
- CVE-2026-29201: an authenticated cPanel path could expose files that should not become readable.
- CVE-2026-29202: an authenticated cPanel action could run server-side Perl in the context of that already-authenticated account.
- CVE-2026-29203: unsafe symlink handling could allow permission changes that create denial-of-service or local privilege-escalation risk.
That combination is exactly why hosting providers should care. These issues are not described as unauthenticated remote takeover in cPanel’s May 8 articles, but they do affect the trust boundary between a hosting account and the server.
Patched cPanel And WP Squared Versions
cPanel lists the following cPanel & WHM versions as patched for these May 8 issues:
- 11.136.0.9 and higher
- 11.134.0.25 and higher
- 11.132.0.31 and higher
- 11.130.0.22 and higher
- 11.126.0.58 and higher
- 11.124.0.37 and higher
- 11.118.0.66 and higher
- 11.110.0.116 and higher
- 11.110.0.117 and higher
- 11.102.0.41 and higher
- 11.94.0.30 and higher
- 11.86.0.43 and higher
cPanel also lists WP Squared 11.136.1.10 and higher as patched. The cPanel 132 change log records all three fixes in 132.0.31.
Patch WHM/cPanel
Run this from a root shell during a maintenance window. The update may restart cPanel services, and a busy hosting node should have monitoring watched during and after the run.
/usr/local/cpanel/cpanel -V
grep '^CPANEL=' /etc/cpupdate.conf 2>/dev/null || true
/scripts/upcp --force
/usr/local/cpanel/cpanel -V
/scripts/restartsrv_cpsrvd --restart
/scripts/restartsrv_queueprocd --restart
If the version still does not meet the patched level for your branch, check the update tier, package exclusions, local mirrors, and any maintenance policy that pins cPanel. For CentOS 6 or CloudLinux 6 legacy systems, cPanel published a special direct-update note. Those systems should be treated as emergency migration candidates, not long-term hosting platforms.
Shared Hosting Priority
On shared hosting, an authenticated-user issue can become a real business problem because a low-value hosting account may sit beside higher-value customer sites, databases, mailboxes, and backups. Patch the public shared nodes first, then reseller nodes, then internal-only panels, then lab and staging boxes.
Safe Verification Checklist
- Confirm the cPanel version meets the patched branch level with
/usr/local/cpanel/cpanel -V. - Confirm WHM loads normally after the update.
- Confirm customer cPanel login, File Manager, WordPress Toolkit or WP Squared, email account management, and backups still behave normally.
- Check cPanel update logs for failed package steps or held repositories.
- Review hosting account ownership and permission changes around the maintenance window.
- Make sure the node is still included in monitoring, backups, malware scanning, and customer inventory.
ls -1t /var/cpanel/updatelogs/update* 2>/dev/null | head
tail -n 200 /usr/local/cpanel/logs/error_log
find /home -maxdepth 2 -xdev -type l -ls 2>/dev/null | head
The symlink review is a defensive spot check, not a verdict by itself. Shared hosting naturally contains symlinks, so investigate context before taking customer-impacting action.
Customer Communication
For managed customers, explain that cPanel and WP Squared security updates are being applied, that control-panel services may briefly restart, and that hosted websites should remain online unless the server needs broader maintenance. For self-managed VPS or reseller customers, tell them to confirm they are on the patched cPanel branch and to open a support ticket if their update tier is pinned below the fixed release.