PatchSiren cyber security CVE debrief
CVE-2026-29205 cPanel CVE debrief
cPanel disclosed CVE-2026-29205 on 2026-05-13 and updated the advisory on 2026-05-14 with an additional fix. According to the vendor, incorrect privilege dropping combined with insufficient path filtering in certain cpdavd endpoints made it possible to read arbitrary files on affected cPanel & WHM systems. The issue affects cPanel & WHM version 120 and higher, and the vendor recommends moving to the patched builds listed in its advisory.
- Vendor: cPanel
- Product: cPanel/WHM
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-13
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-13
- Advisory updated: 2026-05-14
Who should care
System administrators and hosting operators running cPanel & WHM or WP Squared, especially environments exposing cpdavd-related functionality and fleets that need to confirm they are on a fixed build.
Technical summary
The vendor states that certain cpdavd endpoints were vulnerable because of a combination of incorrect dropping of privileges and insufficient path filtering. The result was arbitrary file read access on affected systems. The advisory says the problem affects cPanel & WHM versions 120 and higher, and that updated builds were backported across supported release streams. Fixed versions listed by cPanel include 11.124.0.40 and higher, 11.126.0.61 and higher, 11.130.0.25 and higher, 11.132.0.34 and higher, 11.134.0.28 and higher, 11.136.0.12 and higher, plus WP Squared 11.136.1.15 and higher.
Defensive priority
High for cPanel-hosting environments: the flaw is an arbitrary file read issue in a widely used administrative platform, and the vendor issued an additional fix one day after the initial patch.
Recommended defensive actions
- Update cPanel & WHM or WP Squared to a vendor-listed fixed build as soon as possible.
- Verify fleet versions against the patched build thresholds in the advisory, including any backported release stream.
- Review the vendor changelog for the latest maintenance notes before declaring remediation complete.
- Confirm that no systems remain on cPanel & WHM versions 120 or higher without the vendor patch applied.
- Monitor administrative and web server logs for unexpected cpdavd-related file access activity while remediation is underway.
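One way to carry out the fleet version check above, as an added example that is not part of the vendor advisory or of cPanel's tooling. It assumes version strings have already been collected per host in the four-part form used in this debrief (for example 11.130.0.25); the function names and the sample inventory are constructed for illustration.

```python
import re

# Fixed-build thresholds copied from this debrief: release stream -> minimum patched build.
FIXED_BUILDS = {
    (11, 124, 0): 40, (11, 126, 0): 61, (11, 130, 0): 25,
    (11, 132, 0): 34, (11, 134, 0): 28, (11, 136, 0): 12,
    (11, 136, 1): 15,  # WP Squared
}
FIRST_AFFECTED_MAJOR = 120  # the debrief states "version 120 and higher"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def classify(version):
    """Return patched, vulnerable, not-affected, check-advisory or unparseable."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparseable"
    parent, major, minor, build = map(int, m.groups())
    if major < FIRST_AFFECTED_MAJOR:
        return "not-affected"
    threshold = FIXED_BUILDS.get((parent, major, minor))
    if threshold is None:
        # In the affected range, but no fixed build is listed here for this
        # stream: do not guess, send the host to manual review.
        return "check-advisory"
    return "patched" if build >= threshold else "vulnerable"


def audit(inventory):
    """Map host -> status for an inventory of 'host version' lines."""
    results = {}
    for line in inventory.splitlines():
        host, _, version = line.strip().partition(" ")
        if host:
            results[host] = classify(version)
    return results


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """\
web01.example.test 11.130.0.25
web02.example.test 11.130.0.24
web03.example.test 11.118.0.63
web04.example.test 11.128.0.9
wp01.example.test 11.136.1.14
web05.example.test unknown
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:22} {status}")
```

Hosts reported as check-advisory or unparseable need manual review against the vendor advisory rather than being counted as remediated.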
Evidence notes
This debrief is based on the official cPanel security article for CVE-2026-29205, published 2026-05-13 and updated 2026-05-14 with an additional fix and backported builds. The supplied source identifies the flaw as improper privilege dropping plus insufficient path filtering leading to arbitrary file reads through certain cpdavd endpoints. The CVE and NVD links are included as official reference records.
Official resources
- CVE-2026-29205 CVE record (CVE.org)
- CVE-2026-29205 NVD detail (NVD)
- Vendor advisory source (cpanel_changelog_rss)
Vendor-disclosed by cPanel on 2026-05-13; advisory updated on 2026-05-14 with an additional fix and backported patched builds.