⚠️ Critical Security Vulnerability
A vulnerability identified as CVE-2026-29205 affects the cpdavd service in cPanel & WHM versions 120 and higher.
📢 Additional Patch Released
On May 14, 2026, cPanel released an additional fix expanding upon the original patch from May 13, 2026. Administrators are strongly advised to update their servers again to ensure complete protection.
🔍 Vulnerability Overview
cPanel discovered that incorrect privilege dropping combined with insufficient path filtering inside certain cpdavd endpoints could allow arbitrary file reads.
Attackers may exploit this issue to access sensitive files on the server under specific conditions.
The vulnerability impacts systems running cPanel & WHM 120 and later.
🚨 Potential Impact
- Arbitrary file read access
- Exposure of sensitive configuration files
- Credential disclosure risks
- Potential privilege escalation paths
- Unauthorized access to server information
📌 Affected Versions
✅ Fully Patched Versions
11.136.1.15 and higher
🛠️ How to Update cPanel
Run the following command as root:
Verify the installed version after updating:
🛡️ Temporary Mitigation
If you are unable to update immediately, block inbound access to the following ports at the firewall:
This mitigation should only be considered temporary until the server is fully updated.
🔒 Additional Security Fixes Included
🔒 Security Recommendation
Update all cPanel servers immediately and verify that older, partially patched builds are no longer in use.
Servers running outdated cPanel versions remain vulnerable to arbitrary file read attacks through cpdavd endpoints.
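To help verify that no partially patched builds remain, the following is an added example (not cPanel's code and not part of the original advisory) that classifies a fleet inventory against the one fully patched build listed above. It assumes builds are recorded in the dotted form `11.<major>.<minor>.<build>` (the form assumed to be stored in `/usr/local/cpanel/version`); the inventory format, hostnames and sample builds are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag cPanel & WHM builds that still need the CVE-2026-29205 fix.
PATCHED="11.136.1.15"   # the fully patched build listed in this advisory
FIRST_AFFECTED=120      # advisory: versions 120 and higher are affected

# version_ge A B: succeed when dotted version A >= B, compared numerically per field
version_ge() {
    for i in 1 2 3 4; do
        x=$(printf '%s' "$1" | cut -d. -f"$i")
        y=$(printf '%s' "$2" | cut -d. -f"$i")
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# classify_build VERSION: print invalid | not-affected | patched | update-required
classify_build() {
    # Reject anything that is not the assumed 11.x.y.z form instead of guessing
    if ! printf '%s\n' "$1" | grep -Eq '^11\.[0-9]+\.[0-9]+\.[0-9]+$'; then
        echo invalid
        return 0
    fi
    major=${1#11.}
    major=${major%%.*}
    if [ "$major" -lt "$FIRST_AFFECTED" ]; then
        echo not-affected
    elif version_ge "$1" "$PATCHED"; then
        echo patched
    else
        # Includes builds that only carry the first (May 13) patch
        echo update-required
    fi
}

# audit_inventory: read "host version" lines on stdin, print "host version status"
audit_inventory() {
    while read -r host ver; do
        case $host in ''|'#'*) continue ;; esac
        printf '%s %s %s\n' "$host" "${ver:-missing}" "$(classify_build "$ver")"
    done
}

# Constructed sample inventory (hostnames and builds are made up)
audit_inventory <<'EOF'
web01.example.test 11.136.1.15
web02.example.test 11.136.1.14
web03.example.test 11.118.0.63
web04.example.test 136.1.15
EOF
```

Because only one fixed build is listed on this page, any affected build below it is reported as `update-required`; treat `invalid` entries as unverified rather than safe.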