Latest Article Changes:
05/14/26 10:46 AM CST: We have released an additional fix to the recent patch for CVE-2026-29205. The updated builds have been backported across all supported versions listed below.
Situation
Through a combination of incorrect dropping of privileges and insufficient path filtering, it was possible to read arbitrary files via certain cpdavd endpoints. This affects cPanel & WHM versions 120 and higher.
We would like to thank Shubham Shah, Adam Kues, and Patrik Grobshäuser from Assetnote for identifying and responsibly reporting this vulnerability to us.
Impact
We have released a new patch that expands upon the previous release from May 13th. We recommend updating your servers once more and confirming that you are on one of the following versions:
- 11.124.0.40 and higher
- 11.126.0.61 and higher
- 11.130.0.25 and higher
- 11.132.0.34 and higher
- 11.134.0.28 and higher
- 11.136.0.12 and higher
We have also pushed out a patch in the following WP Squared version:
- 11.136.1.15 and higher
Note: All further versions of cPanel are patched for this issue as well. Please see the latest changelogs for version information of each cPanel branch:
https://docs.cpanel.net/changelogs/
Call to Action
- Update the cPanel version on the server to one of the versions listed above. This can be done with the following:
  # /scripts/upcp --force
- Once completed, verify the cPanel version with the following to ensure the update was successful.
  # /usr/local/cpanel/cpanel -V
- If you are not able to update, then it is recommended that you block inbound traffic on ports 2079 and 2080 at the firewall until you are able to proceed with the upgrade.
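The version comparison from the verification step, as an added example that is not part of cPanel's advisory or tooling: a shell function that checks a version string against the minimum patched build listed above for its branch. The function name and result labels are assumptions, and the caller supplies the version in the dotted 11.x.y.z form used in this article.

```shell
#!/bin/sh
# Added example (not cPanel code): classify a cPanel version string against
# the patched builds listed in this advisory for CVE-2026-29205.

# Minimum patched builds from the advisory, as "branch:minimum-build".
# 11.136.1 is the WP Squared branch.
PATCHED_MINIMUMS="11.124.0:40 11.126.0:61 11.130.0:25 11.132.0:34 11.134.0:28 11.136.0:12 11.136.1:15"

# check_cpdavd_patch VERSION   (hypothetical helper name)
# VERSION must be in the dotted form used above, e.g. 11.136.0.12.
# Prints one of: patched, vulnerable, not-affected, unlisted, invalid
check_cpdavd_patch() {
    version=$1
    # Reject empty input, non-numeric characters and malformed dots.
    case $version in
        ""|*[!0-9.]*|.*|*.|*..*) echo invalid; return 0 ;;
    esac
    # Split on dots into the four fields 11.MAJOR.MINOR.BUILD.
    old_ifs=$IFS; IFS=.
    set -- $version
    IFS=$old_ifs
    if [ $# -ne 4 ]; then echo invalid; return 0; fi
    major=$2 branch="$1.$2.$3" build=$4
    # The advisory states that versions 120 and higher are affected.
    if [ "$major" -lt 120 ]; then echo not-affected; return 0; fi
    for entry in $PATCHED_MINIMUMS; do
        if [ "${entry%%:*}" = "$branch" ]; then
            if [ "$build" -ge "${entry##*:}" ]; then
                echo patched
            else
                echo vulnerable
            fi
            return 0
        fi
    done
    # Branch is 120 or higher but has no build listed in this advisory;
    # check the changelogs for that branch.
    echo unlisted
}

# Stand-alone use: pass the version string as the first argument.
if [ $# -gt 0 ]; then check_cpdavd_patch "$1"; fi
```

A result of `vulnerable` or `unlisted` means the update step has not landed on a listed build, so the port 2079 and 2080 firewall block stays relevant until it does.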
Additional Information
Additional security incidents are resolved in this latest release as well. Please see the following for more information: