cPanel & WHM Security Update CVE-2026-29201, CVE-2026-29202, CVE-2026-29203 Patch Arriving May 08, 12:00pm EST
We have identified a new security vulnerability in cPanel & WHM through a trusted disclosure source. Our engineering team is actively developing patches, and we are reaching out early so you can prepare your servers to update as soon as it is available.
To help protect customers prior to patch availability, technical details about vulnerabilities will be released alongside the patches. Full technical details will be published on our support page at the same time the patch is released. The CVE IDs are CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203.
Patch & Affected Versions
The patch will be available on May 08 at 12:00pm EST and will be distributed through the standard cPanel automatic update process and through the manual update process. We strongly recommend performing a manual update with /scripts/upcp once the patch is made available.
Prepare Now
Identify affected servers. Review your servers on the affected version branches above.
Check the update configuration. For servers where automatic updates are disabled or version-pinned, review /etc/cpupdate.conf now, so there are no delays when the patch lands.
Brief your team. If your environment requires a maintenance window, notify the relevant people so they are ready to act.
Manual update. If your team wishes to update impacted servers before an automatic update is triggered, run /scripts/upcp once the patch is made available.
Note for CloudLinux 6 users: Before manually updating, set the update tier to the cl6110 branch by running sed -i "s/CPANEL=.*/CPANEL=cl6110/g" /etc/cpupdate.conf
We will follow up the moment the patch is live with full details and remediation steps.