cPanel & WHM Security Update: CVE-2026-29201, 29202, and 29203 Patched

cPanel released a coordinated security update today, May 8, 2026, addressing three separate vulnerabilities in cPanel & WHM. We received advance notice of the patch yesterday evening, monitored for its release at noon EDT, and applied it across our fleet as soon as it became available.

This post summarizes what cPanel disclosed, when the patch actually landed, and what we did about it.

What cPanel Disclosed in Advance

On the evening of May 7, cPanel sent affected partners an early-warning email letting us know a security update was coming the following day at 12:00 PM EDT. The advance notice covered three CVEs being patched together: CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203.

The notice specified the minimum patched build for every supported tier from 11.86 through 11.136, including the WP Squared (11.136 WP2) line. cPanel recommended performing a manual update via /scripts/upcp once the patch was made available, rather than waiting for the standard automatic update window.

Full technical details were embargoed until the patch itself was released.

The Patch Rollout Timeline

Here is what actually happened on our end at noon:

  • 12:00 PM EDT: Attempted manual update. No patched build available yet.
  • 12:05 PM EDT: Tried again. Still nothing.
  • 12:10 PM EDT: Still no patched build available. Opened a ticket with cPanel.
  • 12:12 PM EDT: Patches began rolling out network-wide. Updates began applying successfully.

The window between the announced 12:00 PM availability and the actual rollout was small, roughly twelve minutes, but worth noting for anyone else who saw the same behavior. Our standing approach to security advisories is to update immediately rather than wait for the next automatic update cycle, which is why we were watching for it at the announced time.

The Three Vulnerabilities

cPanel published a separate advisory for each CVE. Here is what they disclosed about the cause of each, in their own framing.

CVE-2026-29201 — Arbitrary File Read

An arbitrary file read was found in the feature::LOADFEATUREFILE adminbin call. The call did not adequately validate the feature file name, meaning a relative path could be passed as the argument and an arbitrary file could be made world-readable as a result.

CVE-2026-29202 — Perl Code Injection

A Perl code injection method was found in the create_user API call, relating to the plugin parameter.

CVE-2026-29203 — Unsafe Symlink Handling

An unsafe symlink handling error was found that allows a user to chmod an arbitrary file, allowing for denial of service and possible privilege escalation.

We are intentionally not going beyond what cPanel has published. The advisories above represent the full extent of what has been publicly disclosed about each issue, and reproducing or speculating beyond that does not help anyone.

Affected Versions

The patch applies across every currently supported tier. The minimum patched build per tier, as published by cPanel:

Tier                    Minimum Patched Build
11.136                  11.136.0.9 and higher
11.136 (WP Squared)     11.136.1.10 and higher
11.134                  11.134.0.25 and higher
11.132                  11.132.0.31 and higher
11.130                  11.130.0.22 and higher
11.126                  11.126.0.58 and higher
11.124                  11.124.0.37 and higher
11.118                  11.118.0.66 and higher
11.110                  11.110.0.117 and higher
11.110 (cl6110)         11.110.0.116 and higher
11.102                  11.102.0.41 and higher
11.94                   11.94.0.30 and higher
11.86                   11.86.0.43 and higher

If you are running cPanel on a server we do not manage and your version is older than the supported tiers above, cPanel’s guidance is to update to the latest version using /scripts/upcp.
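
For anyone checking a server by hand, the build table above can be turned into a small check. This is an added example, not code from cPanel or from our tooling: the function names are hypothetical, the version string is passed in by the operator, the WP Squared line is assumed to be identified by a 1 in the third field (as the table's 11.136.1.10 suggests), and the cl6110 tier has to be named explicitly because the version string alone does not distinguish it.

```shell
#!/bin/sh
# Added example: compare a cPanel & WHM version string against the minimum
# patched builds cPanel published for CVE-2026-29201/29202/29203.

# min_patched_build TIER: print the minimum patched build for a tier given
# as "major.minor.branch"; "cl6110" selects that row. Prints nothing if the
# tier is not in the published table.
min_patched_build() {
    case "$1" in
        11.136.0) echo 9 ;;
        11.136.1) echo 10 ;;   # WP Squared (assumption: third field is 1)
        11.134.0) echo 25 ;;
        11.132.0) echo 31 ;;
        11.130.0) echo 22 ;;
        11.126.0) echo 58 ;;
        11.124.0) echo 37 ;;
        11.118.0) echo 66 ;;
        11.110.0) echo 117 ;;
        cl6110)   echo 116 ;;
        11.102.0) echo 41 ;;
        11.94.0)  echo 30 ;;
        11.86.0)  echo 43 ;;
    esac
}

# cpanel_patch_status VERSION [cl6110]
# Prints patched | needs-update | unlisted-tier | invalid
# and returns 0, 1, 3 or 2 respectively.
cpanel_patch_status() {
    ver=$1 variant=${2:-}
    # Accept digits and single dots only; anything else is rejected unparsed.
    case "$ver" in
        *[!0-9.]*|""|.*|*.|*..*) echo invalid; return 2 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $ver; IFS=$oldifs
    [ $# -eq 4 ] || { echo invalid; return 2; }
    tier="$1.$2.$3" build=$4
    if [ "$variant" = cl6110 ] && [ "$tier" = 11.110.0 ]; then tier=cl6110; fi
    min=$(min_patched_build "$tier")
    [ -n "$min" ] || { echo unlisted-tier; return 3; }
    if [ "$build" -ge "$min" ]; then echo patched; return 0; fi
    echo needs-update; return 1
}

# Stand-alone use: ./check.sh 11.132.0.29   or   ./check.sh 11.110.0.116 cl6110
if [ $# -gt 0 ]; then cpanel_patch_status "$@"; fi
```

A result of unlisted-tier means the version is not one of the tiers in the table, which is the case the paragraph above covers.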

What This Means for MDDHosting Clients

If your hosting is with us, there is nothing you need to do. Our servers are patched. We monitored for the patch at the announced release time and applied it as soon as the build was made available, well within the window cPanel recommended.

For clients running their own cPanel servers (resellers operating on their own infrastructure, or anyone we have advised on independent setups), we recommend running /scripts/upcp as soon as possible if you have not already. Auto-updates will pick this up on their normal schedule, but for a security release of this category, sooner is better.

Why We Write These Posts

We treat security update transparency as part of the service. When cPanel publishes a coordinated patch covering arbitrary file reads, code injection, and privilege escalation, we want our clients to know the status of their servers without having to ask. Posts like this exist so that anyone wondering “did MDDHosting patch this?” gets a direct answer.

If you have questions about your specific server or want confirmation of when your node was patched, our support team is available through the client area.


Sources: cPanel security advisories for CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203, published May 8, 2026.

3 Replies to “cPanel & WHM Security Update: CVE-2026-29201, 29202, and 29203 Patched”

  1. Really appreciate the way you handle both communication with your customers and the urgency with which you treat every security matter. I mean, one would think that’s how all companies should handle things like this, but we know that’s not how it goes. Cheers, and thanks again.

  2. This will be my 15th year with MDD and I’m still very pleased with their honesty and the speed at which they get things sorted out; they have and still do put the customer first. I can highly recommend them.

    Thank you Michael and the rest of the team.
