Security Notice: cPanel & WHM Access Temporarily Blocked Following Critical Vulnerability Disclosure

Security Notice: cPanel & WHM Access Temporarily Blocked Following Critical Vulnerability Disclosure

Share this article

April 28, 2026 8:10PM — Status: Patching in progress, access restoring

We're currently deploying the security patch and updates are being applied across servers under our management.

Access to cPanel, WHM, and Webmail may be intermittently available as updates are being completed.

If you're running a self-managed cPanel server or do not allow WHC direct access, please update your server and apply the patch as soon as possible.

If you experience any issues or need assistance, our support team is available to help. We will continue to share updates as the situation evolves.

April 28, 2026 6:15PM — Status: Patching in progress

We’ve received the patches from cPanel and are starting to patch our web hosting, reseller, Cloud and managed Dedicated servers. 

IMPORTANT: if you run a self-managed cPanel server or don’t allow WHC direct access to your systems, you should update your cPanel yourself, ASAP, or reach out to support. To run the patch, execute the following from the command line:

/scripts/upcp

April 28, 2026 2:23PM — Status: Active, monitoring for patch

Earlier today, cPanel disclosed a critical authentication vulnerability affecting all currently supported versions of cPanel and WHM. The flaw targets the login authentication process and could allow unauthorized access to control panels if left exposed. No official patch is available yet — cPanel is actively developing one.

The moment the advisory was published, our infrastructure team acted. We have proactively blocked access to cPanel and WHM across our entire hosting fleet as a precaution. This is the mitigation cPanel themselves recommend, and it is currently the most effective way to protect every account on every WHC server until a permanent fix ships.

What this means for you

If you've tried to log into cPanel or WHM today and found it unavailable, that's intentional and protective. We made the call to block first and explain second, because an authentication-bypass flaw in a public-facing control panel is the kind of exposure that gets weaponized within hours of disclosure.

In line with cPanel's full guidance, the following may also be temporarily restricted:

  • cPanel and WHM logins (SSL and non-SSL)
  • Webmail (web-based email access via the panel)
  • Webdisk (where enabled)

What is not affected

Your hosted services continue to run normally. Specifically:

  • Your websites are online and serving visitors. Nothing about this measure takes your site offline.
  • Email delivery is operating normally. Mail is still being sent and received. Mail clients connecting via IMAP, POP, and SMTP (Outlook, Apple Mail, Thunderbird, mobile mail apps) continue to work.
  • DNS, databases, and applications running on your hosting are unaffected.
  • Server infrastructure is healthy and operating as expected.

The only thing affected is the ability to log directly into the cPanel or WHM web interface during the mitigation window. Once we fix this security issue across our infrastructure, we’ll restore access to all systems, so hang tight!

What we're doing next

  • We are in direct contact with cPanel and tracking patch development closely.
  • The moment cPanel releases an official fix, we will deploy it across all affected servers as a priority and restore panel access.
  • We will post updates here and on whcstatus.ca as the situation develops, including when we begin patching and when access is fully restored.

Why we acted this way

When a critical vulnerability with no available patch surfaces, there are two options: wait, or act. We chose to act.

Protecting your sites, your data, and your customers is the first responsibility we hold as your Canadian hosting provider. A few hours of inconvenient panel access is a fair trade for keeping your accounts out of an active threat window. This is the same standard of care we apply to every security event — including the ones you never hear about because we caught and contained them before they reached you.

We'll continue updating this post as the situation evolves. If you have any questions in the meantime, our team is ready to help.

— The WHC Team

Back
Share this article Facebook Twitter LinkedIn By Email
About the author: Marine Nolf

Marine is the Marketing Specialist and Affiliate Manager at WHC, where she supports marketing initiatives, manages partnerships, and represents the company at events. In her spare time, you can find her exploring Montreal, baking cookies, or volunteering in animal shelters.

See all articles from this author Interested in writing for Web Hosting Canada?
Web Hosting Canada manages fast and reliable online infrastructure with 24/7 support. Learn more about WHC