Securing Your cPanel & WHM: A Step-by-Step Guide to Patching Critical Vulnerabilities

Overview

cPanel and Web Host Manager (WHM) are essential tools for managing web hosting environments. Recently, security updates were released to address three vulnerabilities that could allow attackers to escalate privileges, execute arbitrary code, or cause a denial-of-service condition. One of the disclosed flaws (tracked as CVE-2026-29201, CVSS 4.3) stems from insufficient input validation in the feature::LOADFEATUREFILE adminbin call. This guide walks you through the patch process to safeguard your servers.

Prerequisites

• Root or sudo access to the server running cPanel & WHM.
• SSH client (e.g., PuTTY, Terminal) for command-line execution.
• A current cPanel license to receive updates.
• Basic familiarity with command-line operations and server management.
• Backup of critical files and databases (recommended before any update).

Step-by-Step Instructions

1. Verify Your Current Version

Before patching, confirm your cPanel & WHM version to ensure the update is needed.

1. Log into WHM as root.
2. Navigate to Home > Server Information > cPanel Version.
3. Alternatively, run this SSH command: /usr/local/cpanel/cpanel -V.
4. Check the version against the patched release (e.g., build 120 or later as per official changelog).

2. Perform a Full System Backup (Optional but Highly Recommended)

Create a backup of your server configuration and user data:

# Backup all cPanel accounts using the built-in script
/scripts/pkgacct --skiphomedir --skipftp --skiplogs --skipmail --skipdns --skipmysql --skippgsql --skipssl --skipdatabases --skippasswd --skipquota --skipresellerconfig --skipmailconfig --skipcpanelconfig --skipcpr --skipshell --skipwebprotect --skipbandwidth --skipstats --skipcpanel --skipwhm --skipextra [username]

Note: For a complete backup, consider using WHM’s Backup Configuration feature under Home > Backup > Backup Configuration.

3. Update cPanel & WHM

cPanel updates automatically via the update system, but you can force the update:

1. SSH into your server as root.
2. Run the update command: /scripts/upcp --force
3. Wait for the process to complete (may take 10–30 minutes).
4. After completion, reboot if prompted: shutdown -r now

4. Verify the Update Installed Correctly

Check the version again to confirm the patch is applied:

/usr/local/cpanel/cpanel -V

You should see a build number higher than the vulnerable version (e.g., 120 or above). Also review the /var/cpanel/updatelog for any errors.

5. Confirm Vulnerability Remediation

While no specific test script is provided, you can verify mitigation by checking that the feature::LOADFEATUREFILE adminbin call now enforces input validation. Review the changelog at /usr/local/cpanel/CHANGELOG for references to CVE-2026-29201.

Common Mistakes

• Skipping backups: Even though updates are generally safe, a corrupted update can cause downtime. Always backup before patching.
• Ignoring the WHM update notification: WHM often displays update banners—do not dismiss them without acting.
• Running updates during peak traffic: The update process may restart services (Apache, MySQL, etc.). Schedule maintenance windows.
• Assuming automatic updates are sufficient: Disabled or misconfigured automatic updates can leave your server exposed. Verify using the version check.
• Overlooking third-party plugins: Some plugins may conflict with the new cPanel version. Test on a staging server if possible.

Summary

Updating cPanel & WHM to the latest release patched three vulnerabilities, including CVE-2026-29201 (input validation flaw that could lead to code execution). By following the steps above—backing up, forcing the update, and verifying—you protect your hosting environment from privilege escalation, arbitrary code execution, and denial-of-service attacks. Always prioritize timely patching and maintain regular backups.