cPanel & WHM WP2 May 2026 Security Update: Five CVE Patch Guide

Patch cPanel & WHM and WP Squared for the May 13, 2026 five-CVE security update with safe commands, DNS cluster checks, and hosting-provider verification.

Impact statement: cPanel published a May 13, 2026 security update for cPanel & WHM and WP Squared covering five high-severity CVEs: CVE-2026-29205, CVE-2026-29206, CVE-2026-32991, CVE-2026-32992, and CVE-2026-32993. These issues matter most on shared hosting, reseller hosting, agency hosting, student hosting, and any WHM server where people outside your own company can log in or where DNS clustering is used.

If you run a single-owner VPS with no untrusted cPanel users, one part of this update may be less urgent than it is on public shared hosting. Do not skip the patch, though. The five CVEs cover control-panel file-access, database-utility, team-account, DNS-cluster, and response-handling weaknesses. A hosting control panel is a trust boundary; once that boundary gets blurry, customer isolation and administrator confidence both take a hit.

May 14 update: cPanel updated the CVE-2026-29205 advisory after releasing an additional fix to the May 13 patch. If you patched early, run the update again and confirm your branch is at or above the newer fixed build listed below. This matters for servers using cpdavd/Web Disk, CalDAV/CardDAV, webmail-heavy workflows, and shared-hosting account separation.

What Was Fixed

| CVE | Public severity | Plain-English risk | Who should prioritize |
| --- | --- | --- | --- |
| CVE-2026-29205 | High, CVSS 8.6 | File-access controls around cPanel-served attachments could expose files that should stay private. | Shared hosting, webmail-heavy servers, and servers with many delegated accounts. |
| CVE-2026-29206 | High, CVSS 8.1 | An internal SQL optimization utility could process unsafe database input when slow query logging is enabled. | Database-heavy hosting nodes and servers where MySQL or MariaDB slow query logging is enabled. |
| CVE-2026-32991 | High, CVSS 7.1 | Team-account permission checks could allow a lower-trust team member to gain owner-level control. | Agencies, resellers, and any account using cPanel Team Manager. |
| CVE-2026-32992 | High, CVSS 8.2 | DNS cluster trust validation could allow credential exposure if a malicious or intercepted cluster peer is involved. | DNS-only clusters, hosting fleets, and providers syncing zones across multiple nodes. |
| CVE-2026-32993 | High, CVSS 8.3 | An unauthenticated error-response handling flaw could allow response header injection. | Any internet-facing cPanel & WHM or WP Squared system. |

Affected Servers

cPanel’s May 13 security articles cover multiple supported cPanel & WHM release branches and WP Squared. Treat the following systems as in scope until you confirm a May 14 or newer fixed build for your branch:

  • Public WHM/cPanel shared-hosting and reseller-hosting servers.
  • WHM servers with customer, agency, developer, or contractor cPanel accounts.
  • Servers using cPanel Team Manager for delegated access.
  • Servers using cPanel DNS clustering, including DNS-only nodes.
  • WP Squared systems on the May 13 affected branch.
  • Servers pinned to old release tiers, legacy CloudLinux/CentOS branches, or frozen update policies.

Branches reported in the May 13 release stream include cPanel & WHM 86, 94, 102, 110, 110 CloudLinux 6, 118, 124, 126, 130, 132, 134, 136, and WP Squared. Always compare your server against the matching cPanel support article for the branch you run.

| Branch | Confirm at or above |
| --- | --- |
| cPanel & WHM 11.124 | 11.124.0.40 |
| cPanel & WHM 11.126 | 11.126.0.61 |
| cPanel & WHM 11.130 | 11.130.0.25 |
| cPanel & WHM 11.132 | 11.132.0.34 |
| cPanel & WHM 11.134 | 11.134.0.28 |
| cPanel & WHM 11.136 | 11.136.0.12 |
| WP Squared 11.136 | 11.136.1.15 |

Patch WHM/cPanel Now

Run the update from a root shell during a window where you can watch services. cPanel updates normally restart control-panel services, and web traffic should usually keep serving unless the server also has package, repository, or system-level maintenance pending.

# Check the current cPanel & WHM build before the update.
/usr/local/cpanel/cpanel -V

# Confirm the update tier is not pinned somewhere unexpected.
grep -E '^(CPANEL|RPMUP|SARULESUP)=' /etc/cpupdate.conf

# Pull the May 13 security update, including the May 14 CVE-2026-29205 follow-up fix.
/scripts/upcp --force

# Confirm the build changed or already meets the fixed branch level for your branch.
/usr/local/cpanel/cpanel -V

# Repair any cPanel RPM drift before closing the ticket.
/scripts/check_cpanel_rpms --fix

If the server patched right when mirrors were still catching up, run the version check again. If it is still below the May 14 fixed build for your branch, review /etc/cpupdate.conf, repository health, package exclusions, local mirrors, and any automation that pins cPanel updates.
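
One way to script the build comparison and the pinning review described above. This is an added example, not code from cPanel or from the original article: the function names are hypothetical, the build string is assumed to be in the four-part form the table uses, and the meaning given to numeric CPANEL= values and to the UPDATES= key is an assumption about the update configuration file rather than something shown on this page.

```sh
#!/bin/sh
# Added example (not cPanel code). Function names are hypothetical.

# check_build VERSION  -> prints fixed | below | unknown | invalid
# VERSION is a four-part build string in the table's form, e.g. 11.124.0.40.
check_build() {
  branch=${1%.*}    # 11.124.0
  build=${1##*.}    # 40
  case "$build" in ''|*[!0-9]*) echo invalid; return 3 ;; esac
  case "$branch" in  # minimum fixed builds from the table above
    11.124.0) min=40 ;;
    11.126.0) min=61 ;;
    11.130.0) min=25 ;;
    11.132.0) min=34 ;;
    11.134.0) min=28 ;;
    11.136.0) min=12 ;;
    11.136.1) min=15 ;;            # WP Squared
    *) echo unknown; return 2 ;;   # not listed: check the cPanel article
  esac
  if [ "$build" -ge "$min" ]; then echo fixed; return 0; fi
  echo below; return 1
}

# update_policy FILE -> prints pinned | manual | auto for a cpupdate.conf.
# Assumption: a numeric CPANEL= value pins a version, and UPDATES=manual or
# UPDATES=never disables the nightly update.
update_policy() {
  tier=$(sed -n 's/^CPANEL=//p' "$1" | tail -n 1)
  updates=$(sed -n 's/^UPDATES=//p' "$1" | tail -n 1)
  case "$tier" in [0-9]*) echo pinned; return 0 ;; esac
  case "$updates" in
    manual|never) echo manual ;;
    *) echo auto ;;
  esac
}

# Constructed sample input so the example runs offline.
sample_conf=$(mktemp)
printf 'CPANEL=11.124\nRPMUP=daily\nSARULESUP=daily\nUPDATES=daily\n' >"$sample_conf"
for v in 11.124.0.39 11.124.0.40 11.136.1.15 11.110.0.99; do
  printf '%s -> %s\n' "$v" "$(check_build "$v")"
done
printf 'sample cpupdate.conf -> %s\n' "$(update_policy "$sample_conf")"
rm -f "$sample_conf"
```

A result of unknown means the branch is not in the table on this page, so compare it against the matching cPanel support article instead.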

Service Restarts To Verify

# Restart and verify core cPanel services after patching.
/scripts/restartsrv_cpsrvd
/scripts/restartsrv_cpdavd

# DNS cluster users should also verify DNS service health.
/scripts/restartsrv_named

# Check recent update logs for failures.
tail -n 80 /var/cpanel/updatelogs/update.* 2>/dev/null

Do not close the work just because /scripts/upcp exits. Confirm WHM login, customer cPanel login, webmail, Web Disk/CalDAV/CardDAV if used, DNS clustering, team-account access, and at least one hosted site per major server role.

DNS Cluster Checklist

  • Patch every DNS-only and full WHM node in the cluster.
  • Confirm cluster peers are expected systems and not stale entries from old migrations.
  • Rotate cluster trust credentials if a peer was unknown, decommissioned, or temporarily exposed.
  • Test one non-critical zone update after patching and verify it syncs to the intended nodes.
  • Keep WHM and DNS-cluster management behind trusted administrator networks wherever possible.

Log Review

After patching, review a narrow window around the disclosure and maintenance period. Look for unusual control-panel access, failed service restarts, unexpected cPanel team changes, DNS cluster changes, and odd Web Disk or webmail behavior.

# Control-panel access and errors.
tail -n 200 /usr/local/cpanel/logs/access_log
tail -n 200 /usr/local/cpanel/logs/error_log

# cpdavd/Web Disk related service errors.
tail -n 200 /usr/local/cpanel/logs/cpdavd_error_log 2>/dev/null

# DNS and system context.
tail -n 200 /var/log/messages 2>/dev/null

For database-heavy servers, also confirm whether MySQL or MariaDB slow query logging is enabled and review the database log path through your normal administration process. The goal is not to panic over noisy logs; it is to catch configuration drift, failed maintenance, or signs that a customer account behaved outside its normal pattern.
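
One way to narrow the control-panel access log to the disclosure and maintenance window instead of reading raw tail output. This is an added example, not code from cPanel or from the original article: the helper name is hypothetical, the sample lines are constructed, and the log is assumed to use a combined-style line with a [MM/DD/YYYY:HH:MM:SS timestamp.

```sh
#!/bin/sh
# Added example (not cPanel code). window_errors is a hypothetical helper.

# window_errors LOGFILE START END
# START and END are YYYYMMDD. Prints "count client" for every client that got a
# 4xx/5xx response inside the window, busiest first.
window_errors() {
  awk -v s="$2" -v e="$3" '
    {
      # Assumed timestamp form: [MM/DD/YYYY:HH:MM:SS
      if (!match($0, /\[[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9][0-9][0-9]:/)) next
      ts  = substr($0, RSTART + 1, 10)
      day = substr(ts, 7, 4) substr(ts, 1, 2) substr(ts, 4, 2)
      if (day < s || day > e) next
      # The status code is the first token after the quoted request line.
      if (split($0, q, "\"") < 3) next
      split(q[3], rest, " ")
      if (rest[1] ~ /^[45][0-9][0-9]$/) bad[$1]++
    }
    END { for (ip in bad) print bad[ip], ip }
  ' "$1" | sort -rn
}

# Constructed sample lines (documentation addresses), not real log data.
sample_log=$(mktemp)
cat >"$sample_log" <<'EOF'
198.51.100.9 - root [05/11/2026:09:00:00 -0000] "GET /login/ HTTP/1.1" 401 0 "-" "-"
203.0.113.7 - - [05/13/2026:22:10:01 -0000] "GET /login/ HTTP/1.1" 401 0 "-" "-"
203.0.113.7 - - [05/13/2026:22:10:02 -0000] "POST /login/ HTTP/1.1" 403 0 "-" "-"
192.0.2.15 - alice [05/14/2026:08:30:00 -0000] "GET /frontend/ HTTP/1.1" 200 512 "-" "-"
198.51.100.9 - - [05/14/2026:11:45:10 -0000] "GET /missing HTTP/1.1" 404 0 "-" "-"
EOF
window_errors "$sample_log" 20260512 20260514
rm -f "$sample_log"
```

On a server, pass /usr/local/cpanel/logs/access_log as the first argument and compare the listed clients against your known administrator and monitoring addresses.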

Customer Communication

For managed customers, keep the wording simple: cPanel released a May 13 security update, control-panel services may briefly restart, and hosted websites should remain online unless a server also needs broader OS maintenance. For self-managed VPS and reseller customers, tell them to run cPanel updates manually, verify their branch, and open a support ticket if their server is pinned below the fixed release.

CDN And WAF Note

A CDN or WAF can help reduce exposure around public web traffic, but it cannot replace a WHM/cPanel update. The CDN side should review whether any customer exposes cPanel, WHM, webmail, Web Disk, or DNS-management traffic through edge routes and prefer allowlisting, VPN-only administration, or challenge mode for management surfaces.

Need help checking a WHM/cPanel server, DNS cluster, or reseller hosting node? Open a ticket through Help4Network.com.
