Critical Linux Hosting Security Advisory
WebCare360 is issuing this security advisory for VPS, dedicated server, and hosting customers regarding multiple high-severity vulnerabilities affecting cPanel/WHM, Apache HTTP Server, OpenSSH, Linux kernel, and CloudLinux-based hosting environments.
WebCare360 is advising VPS, dedicated server, managed hosting, and self-managed server customers to review several important Linux hosting security vulnerabilities disclosed between late April and early May 2026. These issues affect commonly used hosting components including cPanel/WHM, Apache HTTP Server, OpenSSH, Linux kernel packages, and CloudLinux environments.
These vulnerabilities may impact hosting servers running cPanel, AlmaLinux, CloudLinux, Rocky Linux, RHEL-compatible systems, Ubuntu, Debian, Apache HTTP/2, OpenSSH certificate authentication, or KernelCare-based live patching. Customers and server administrators should verify installed package versions, apply vendor-supported patches, and reboot where required.
Important: These vulnerabilities do not necessarily affect every WebCare360 server or customer environment. Applicability depends on operating system, installed packages, enabled services, control panel usage, HTTP/2 configuration, SSH authentication design, kernel version, and live patching status.
Summary of Vulnerabilities
| Component | CVE | Severity | Primary Action |
|---|---|---|---|
| cPanel / WHM / WP Squared | CVE-2026-41940 | Critical · CVSS 9.8 | Update cPanel/WHM immediately |
| Linux Kernel | CVE-2026-31431 | High · CVSS 7.8 | Update kernel and reboot, or verify live patch |
| Apache HTTP Server | CVE-2026-23918 | High / Important | Upgrade Apache 2.4.66 to 2.4.67 or vendor-fixed package |
| OpenSSH | CVE-2026-35414 | Vendor severity varies | Update OpenSSH, especially if using SSH certificate authentication |
Vulnerability Details and Patch Guidance
A critical authentication-bypass vulnerability affects exposed cPanel & WHM / WP Squared services. Successful exploitation may allow unauthorized access to administrative functionality without valid credentials. Any server running cPanel/WHM or WP Squared should be reviewed and patched immediately.
References:
A Linux kernel local privilege-escalation vulnerability may allow an unprivileged local user to gain root privileges on affected systems. This is especially important for shared hosting, VPS nodes, container hosts, servers with jailed shell access, reseller environments, and systems where untrusted local code may execute.
RHEL / AlmaLinux / Rocky Linux / CloudLinux:
Older yum-based systems:
Ubuntu / Debian:
KernelCare-enabled systems:
References:
Apache HTTP Server 2.4.66 is affected by a double-free vulnerability in HTTP/2 handling that may result in denial of service or possible remote code execution. Systems running Apache 2.4.66 with HTTP/2 enabled should be upgraded to Apache 2.4.67 or the fixed package provided by the operating system or control-panel vendor.
cPanel / EasyApache 4 systems:
Older yum-based systems:
CloudLinux repository note:
Check Apache and HTTP/2 status:
References:
OpenSSH before 10.3 contains an issue involving the authorized_keys principals option in uncommon SSH certificate-authority configurations. Risk is highest for environments using SSH certificate-based authentication with cert-authority et principals= restrictions.
Systems not using SSH certificate authentication have significantly lower exposure, but WebCare360 still recommends installing the vendor-provided OpenSSH update.
RHEL / AlmaLinux / Rocky Linux / CloudLinux:
Ubuntu / Debian:
Check for higher-risk SSH certificate-principal configuration:
References:
Recommended Actions for VPS and Dedicated Server Customers
- Update cPanel/WHM immediately if installed and confirm the installed cPanel version after running the update.
- Verify Apache is not running vulnerable version 2.4.66, especially where HTTP/2 is enabled.
- Install the latest operating system kernel updates and reboot unless live patching is confirmed.
- Update OpenSSH using vendor packages, especially if SSH certificate authentication is used.
- Review administrative access, including SSH keys, WHM users, API tokens, cron jobs, sudoers rules, and unexpected privileged accounts.
- Confirm backups are current and stored outside the affected server.
Quick Verification Commands
For cPanel / RHEL-family systems:
For Ubuntu / Debian systems:
Questions fréquemment posées
Does this advisory affect every WebCare360 customer?
No. Applicability depends on the operating system, installed software, control panel, Apache version, SSH configuration, kernel version, and whether the server is managed or self-managed.
Do unmanaged VPS and dedicated server customers need to patch manually?
Yes. Customers with unmanaged VPS or dedicated servers are responsible for applying updates, rebooting where required, and verifying that vulnerable software versions are no longer installed.
Should cPanel/WHM servers be treated as urgent?
Yes. Servers running vulnerable cPanel/WHM versions should be updated immediately because the cPanel issue is critical and confirmed as actively exploited.
Is a reboot required after kernel updates?
In most cases, yes. A reboot is required after installing a new kernel unless KernelCare or another live patching solution confirms that the relevant CVE has already been patched in memory.
Need Help Securing Your Server?
WebCare360 customers with managed VPS or dedicated server services may contact our support team to confirm patch status, review affected services, or request assistance with security updates. Self-managed server customers should review the advisory above and apply the applicable patches as soon as possible.
Open a Support Ticket
