Security Update, Affected Versions & Immediate Fix Instructions
⚠️ Critical cPanel Security Update
A vulnerability was discovered in cpsrvd that could allow insertion of arbitrary HTTP headers through an unauthenticated endpoint.
🔍 Vulnerability Overview
The issue affects cPanel & WHM version 132 and later.
Due to insufficient validation inside the cpsrvd service, attackers may inject arbitrary HTTP headers through unauthenticated requests.
Few technical details are public yet, but arbitrary header injection can lead to cache poisoning, bypass of security controls, request manipulation, and related web security risks.
🚨 Potential Impact
- Arbitrary HTTP header injection
- Unauthenticated request manipulation
- Potential cache poisoning
- Security policy bypass possibilities
- Unexpected proxy or redirect behavior
✅ Patched cPanel Versions
11.136.1.12 and higher
🛠️ How to Update cPanel
Run the following command as root to install the latest patched version:
After the update completes, verify the installed cPanel version:
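The version check above can be turned into a repeatable test for fleet audits. The script below is an added example, not part of the cPanel advisory or of cPanel's own tooling: it compares a cPanel version string field by field against the first patched release (11.136.1.12) and reports whether a host still needs the update. It assumes the installed version can be read from `/usr/local/cpanel/version`; when that file is absent (for instance when run off a cPanel host) it falls back to a constructed sample value so it still runs.

```shell
#!/bin/sh
# Added example (not from the cPanel advisory): decide whether a cPanel version
# string is at or above the first patched release named on the page.
# Assumption: the installed version is readable from /usr/local/cpanel/version.

PATCHED_VERSION="11.136.1.12"

# version_ge A B -> exit status 0 if A >= B, comparing each dot-separated
# field numerically (so 11.136.1.12 > 11.136.1.9 and a missing field counts as 0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            x = (i in A) ? A[i] + 0 : 0;
            y = (i in B) ? B[i] + 0 : 0;
            if (x > y) exit 0;
            if (x < y) exit 1;
        }
        exit 0;
    }'
}

# cpanel_status VERSION -> prints "patched" or "vulnerable" for that version.
cpanel_status() {
    if version_ge "$1" "$PATCHED_VERSION"; then
        echo patched
    else
        echo vulnerable
    fi
}

# installed_cpanel_version -> reads the version file if present; otherwise
# returns a constructed sample of an unpatched build so the script runs offline.
installed_cpanel_version() {
    if [ -r /usr/local/cpanel/version ]; then
        tr -d '[:space:]' < /usr/local/cpanel/version
    else
        echo "11.132.0.5"   # constructed sample, not a value from the advisory
    fi
}

main() {
    v=$(installed_cpanel_version)
    echo "cPanel version $v: $(cpanel_status "$v")"
}

main
```

Run it as root on each server (or feed `cpanel_status` the version strings collected by your inventory tooling); any host reporting `vulnerable` is still exposed to the cpsrvd header injection and should be updated first.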
🔒 Additional Security Fixes Included
This latest cPanel release also resolves additional security vulnerabilities:
🔒 Security Recommendation
Update all production cPanel servers immediately and ensure automatic updates are enabled for security releases.
📄 Official References
cPanel Changelogs

Servers running outdated cPanel versions may remain vulnerable to HTTP header injection and to the additional, undisclosed security issues fixed in the latest release.