A cPanel down wave hit some hosting customers on April 28, 2026 after cPanel published an emergency cPanel & WHM security update for an issue affecting supported versions of the control panel. The company said the problem relates to “various authentication paths,” and pushed patched versions for currently supported releases.
The public advisory is short, which is usually how these emergency hosting security notes look before people have enough detail to be comfortable. cPanel did not list a CVE in the post, and it did not describe the full technical path. It only said a security issue had been identified, listed the fixed versions, and told server administrators to force an update.
The patched versions listed by cPanel are:
| cPanel & WHM branch | Patched version |
|---|---|
| 11.110 | 11.110.0.97 |
| 11.118 | 11.118.0.63 |
| 11.126 | 11.126.0.54 |
| 11.132 | 11.132.0.29 |
| 11.134 | 11.134.0.20 |
| 11.136 | 11.136.0.5 |
For server owners with root access, cPanel said to run:
/scripts/upcp --forceFor shared hosting customers, that command is not something you can usually run yourself. Your hosting provider has to patch the server, and that is why the cPanel outage may look different depending on where your site is hosted. Some users may see cPanel fail to load. Others may lose access to WHM, Webmail, Webdisk, SSL control panel routes, or email-management tools while their host applies the fix or blocks access as a precaution.
Namecheap described the issue as a critical cPanel/WHM vulnerability involving an authentication login exploit that could allow unauthorized access to the control panel. As a precaution, Namecheap said it blocked TCP ports 2083 and 2087, which are commonly used for cPanel and WHM access, while patches were being applied. The company also warned that cPanel, WHM, Webmail, Webdisk, SSL and non-SSL control-panel access could be affected during the maintenance window.
That explains why people may be searching for cPanel down or cPanel outage at the same time. The control panel may not be “down” in the normal outage sense. In many cases, access may be intentionally restricted while hosts patch servers or block login paths tied to the authentication issue.
If your websites are still loading but cPanel, WHM, or Webmail are not, that lines up with the ports and services hosts are trying to protect. If your email client still sends and receives mail, the mail server itself may still be working even if Webmail is unavailable. If your email client also fails, the issue may be broader on your host’s side, or the host may have temporarily restricted more services during the patch window.
There is no public confirmation from cPanel that customer data was accessed, that hosting accounts were breached, or that the issue was actively exploited at scale. The public facts are limited to a security update affecting authentication paths, patched versions, and hosts taking defensive action. Some security accounts are already describing it as an authentication bypass, but cPanel’s own post is more careful and does not publish the full details.
That does not make it minor. Authentication issues in a product like cPanel are serious because cPanel and WHM sit in front of website files, email accounts, databases, DNS tools, domains, backups, cron jobs, FTP accounts, and server administration features. A control-panel login problem can be much more sensitive than a normal website bug because the panel is where users manage the hosting environment itself.
For website owners, the practical advice is simple. Do not keep trying random password resets if the panel is not loading. Do not assume your account was hacked just because Webmail or cPanel is temporarily unreachable. Check your host’s status page, ask whether your server has been patched to one of the fixed cPanel versions, and confirm whether cPanel/WHM ports were temporarily blocked because of the April 28 security update.
Server administrators should update immediately, confirm the installed cPanel & WHM version, review recent login activity, and make sure unsupported cPanel versions are not being left exposed. cPanel’s warning also says unsupported versions that are not eligible for the update should be upgraded as soon as possible because they may also be affected.
The cPanel outage is frustrating, especially for people trying to manage email accounts, access Webmail, or update hosting settings, but temporary lockouts make sense if providers are trying to stop a control-panel authentication issue from becoming something worse. The safer reading right now is that cPanel and hosting providers are responding to a serious authentication security issue, not that every affected site or email account has been compromised.
Until cPanel publishes more detail, the cleanest wording is this: cPanel pushed an emergency security update on April 28, 2026 for an authentication-related issue affecting supported cPanel & WHM versions, and some hosting providers temporarily restricted cPanel, WHM, Webmail, and related access while applying the fix.
Related Posts
