cPanel's Weekly Security Sprint: Five CVEs Patched, But One Already Broken
If you've been managing a cPanel environment lately, you've probably noticed a pattern: security updates are arriving like clockwork. And not the good kind of clockwork—more like an alarm that keeps going off.
On May 13, cPanel and WHM released patches for five new CVEs spanning multiple vulnerability classes. But here's where it gets interesting (and concerning): within hours, security researcher Shubham Shah publicly disclosed that at least one of these patches doesn't actually fix the problem. Let's dig into what happened and what it means for your hosting infrastructure.
The Five Vulnerabilities: A Tour of Your Worst Nightmares
The May 13 release covers five distinct vulnerability types, all rated High severity with CVSS scores up to 8.6. Let's break them down:
CVE-2026-29205 (The Incomplete Fix)
This is the headline problem. An unauthenticated attacker can read arbitrary files through the cpdavd attachment download endpoints thanks to improper path filtering and privilege management. CVSS: 8.6. The catch? The patch apparently doesn't fully address it, leaving your systems exposed even after you update.
CVE-2026-29206 (SQL Injection in sqloptimizer)
Root-level SQL injection vulnerability lurking in the sqloptimizer utility when slow query logging is active. Requires user interaction, but the damage potential is severe. CVSS: 8.1.
CVE-2026-32991 (Privilege Escalation in Team Manager)
Multi-tenant environments running cPanel's Team Manager feature have a problem: team members can escalate themselves to team owner status. CVSS: 7.1. If you're reselling cPanel accounts, this one hits close to home.
CVE-2026-32992 (Disabled SSL in DNS Cluster)
Someone disabled SSL verification in the DNS Cluster system. Translation: a man-in-the-middle attacker on your internal network can intercept credentials. CVSS: 8.2. This is the kind of vulnerability that keeps security teams up at night.
CVE-2026-32993 (CRLF Injection)
An unauthenticated CRLF injection vulnerability in the /unprotected/nova_error endpoint allows header manipulation. This is the same vulnerability class that powered the .sorry ransomware campaign back in April. CVSS: 8.3.
The Real Problem: Patching at Speed
cPanel staff posted on Reddit that they're now operating on a "weekly security release" cadence while they work through their systems. The timeline backs this up: April 28, May 8, May 13—with another release expected within days.
This rapid-fire release schedule tells you something important: WebPros is in triage mode. They're finding vulnerabilities and pushing patches as fast as they can identify them. That's better than ignoring them, but it also means each patch is being built and tested under intense pressure. And as CVE-2026-29205 demonstrates, speed sometimes comes at the cost of accuracy.
What You Should Do Right Now
Don't assume the patches work. Grab the May 13 updates for your cPanel/WHM version line, but recognize that CVE-2026-29205 requires additional attention and a proper fix.
Prioritize CVE-2026-29205. The unauthenticated arbitrary file read is actively exploitable. Monitor your cPanel instances for suspicious access patterns, particularly to /dav endpoints.
Update across all product lines. If you're running WP Squared (cPanel's WordPress hosting platform), that's covered too. The May 13 patches apply across the entire WebPros ecosystem.
Check your version line. Patched versions span from 11.86 all the way to 11.136. If you're on CloudLinux 6, you'll need to switch to the cl6110 update tier first.
Watch for a follow-up patch. A real fix for CVE-2026-29205 is coming. When it lands, treat it as a critical priority.
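As an added illustration of the monitoring advice above (this is not code from cPanel, WebPros or the original post), the following Python scans a web-server access log for two of the request patterns this release concerns: path-traversal sequences aimed at /dav endpoints (CVE-2026-29205) and CRLF sequences sent to /unprotected/nova_error (CVE-2026-32993). The log format, the sample lines and the /dav/attachments path are constructed assumptions; adjust the prefixes to the routes your cpdavd and Apache logs actually show.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Apache combined style; this is NOT real
# cPanel traffic and the paths are illustrative, not the actual cpdavd routes.
SAMPLE_LOG = """\
203.0.113.10 - - [13/May/2026:10:01:02 +0000] "GET /dav/attachments/report.pdf HTTP/1.1" 200 5120
203.0.113.11 - - [13/May/2026:10:01:09 +0000] "GET /dav/attachments/..%2f..%2fsecret.txt HTTP/1.1" 200 1843
203.0.113.12 - - [13/May/2026:10:02:17 +0000] "GET /unprotected/nova_error?msg=ok HTTP/1.1" 200 311
203.0.113.13 - - [13/May/2026:10:02:30 +0000] "GET /unprotected/nova_error?msg=x%250d%250aX-Injected:%201 HTTP/1.1" 200 311
203.0.113.14 - - [13/May/2026:10:03:01 +0000] "GET /index.html HTTP/1.1" 200 900
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# "../" or "..\" as a whole path segment, checked after decoding.
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')
# Any raw CR or LF surviving in the request target after decoding.
CRLF_RE = re.compile(r'[\r\n]')

def decode_fully(value, max_rounds=3):
    """Undo up to max_rounds layers of percent-encoding so double-encoded
    sequences such as %252e%252e are compared in their decoded form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_fully(m.group("path"))
    rule = None
    if decoded.startswith("/dav") and TRAVERSAL_RE.search(decoded):
        rule = "dav-path-traversal"          # candidate CVE-2026-29205 probe
    elif decoded.startswith("/unprotected/nova_error") and CRLF_RE.search(decoded):
        rule = "nova_error-crlf"             # candidate CVE-2026-32993 probe
    if rule is None:
        return None
    return {"rule": rule, "ip": m.group("ip"), "status": m.group("status"), "raw_path": m.group("path")}

def scan_log(text):
    return [f for f in map(classify_line, text.splitlines()) if f]
```

A 200 status on a flagged /dav request is the line to triage first, since it suggests the unpatched file read succeeded rather than being rejected.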
The Bigger Picture
This isn't an isolated incident. We're watching a hosting platform under real pressure, discovering problems systematically and trying to fix them under scrutiny. That's actually the responsible way to handle security—but it's also exhausting for administrators who have to keep up with the updates.
The .sorry ransomware campaign in April showed what happens when these vulnerabilities go unpatched for too long. The May vulnerability cascade shows what happens when they're discovered in batches. Neither scenario is ideal, but at least cPanel is being transparent about their patch timeline.
Keep your NameOcean-hosted infrastructure updated, monitor your systems closely, and don't sleep on these CVEs—even the ones with "fixes."