PatchSiren cyber security CVE debrief
CVE-2026-32991 cPanel CVE debrief
cPanel disclosed CVE-2026-32991 on 2026-05-13. According to the vendor advisory, a low-privilege team user with the default role could escalate to the owner account’s full capabilities through certain UAPI modules. The issue affects cPanel & WHM versions 110 and higher, and cPanel has released fixed builds across supported branches, plus a WP Squared fix. Because this is an authenticated privilege-escalation issue in a hosting control panel, administrators should treat it as high priority and verify they are on a patched build.
- Vendor: cPanel
- Product: cPanel/WHM
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-13
- Original CVE updated: 2026-05-13
- Advisory published: 2026-05-13
- Advisory updated: 2026-05-13
Who should care
cPanel & WHM administrators, managed hosting providers, and any organization using team-user workflows in cPanel environments should review this immediately. WP Squared operators should also confirm they are on the fixed release. Extra attention is warranted for legacy systems on CentOS 6 or CloudLinux 6, since the vendor included additional upgrade-tier guidance for those hosts.
Technical summary
The vendor reports that a low-privilege team user (role=default) can reach owner-level capabilities by using certain UAPI modules. The advisory states that cPanel & WHM versions 110 and higher are affected, with fixes released in 11.110.0.118 (cl6110), 11.110.0.119 and higher, 11.118.0.67 and higher, 11.124.0.38 and higher, 11.126.0.59 and higher, 11.130.0.23 and higher, 11.132.0.32 and higher, 11.134.0.26 and higher, and 11.136.0.10 and higher. WP Squared is fixed at 11.136.1.12 and higher.
Defensive priority
High. This is an authenticated privilege-escalation vulnerability that can convert a low-privilege team account into owner-level control within the product. For a hosting control panel, that can materially affect tenant isolation and administrative integrity.
Recommended defensive actions
- Upgrade cPanel & WHM to a fixed release at or above the vendor-published patched build for your branch, or to a later fully patched version.
- If you run WP Squared, verify you are on 11.136.1.12 or higher.
- For CentOS 6 or CloudLinux 6 systems, follow the vendor’s upgrade-tier guidance: set CPANEL=cl6110 in /etc/cpupdate.conf, then complete the vendor’s required actions.
- Review team-user and default-role accounts for unnecessary access and remove or restrict accounts that do not need delegated capabilities.
- Validate that your deployed version matches the vendor advisory’s fixed-build thresholds before considering the system remediated.
- Check the same vendor advisory for the accompanying CVE entries referenced in the update bundle and apply any related fixes that are relevant to your environment.
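The build-threshold validation step above can be scripted across a fleet. The following is an added example, not code from cPanel or from the advisory. It assumes the caller supplies each host's version in the four-part dotted form the advisory uses, and the function names and status strings are hypothetical. Versions are compared as integers because a plain string comparison would rank 11.110.0.9 above 11.110.0.119.

```python
import re

# Fixed-build floors per branch, copied from the technical summary on this page.
FIXED = {
    110: (11, 110, 0, 119),
    118: (11, 118, 0, 67),
    124: (11, 124, 0, 38),
    126: (11, 126, 0, 59),
    130: (11, 130, 0, 23),
    132: (11, 132, 0, 32),
    134: (11, 134, 0, 26),
    136: (11, 136, 0, 10),
}
FIXED_CL6110 = (11, 110, 0, 118)      # legacy CentOS 6 / CloudLinux 6 tier
FIXED_WP_SQUARED = (11, 136, 1, 12)   # WP Squared fixed release

def parse(version):
    """Parse '11.<branch>.<minor>.<build>' into a tuple of ints."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.groups())

def assess(version, cl6110=False, wp_squared=False):
    """Return a hypothetical status label for one host's version string."""
    v = parse(version)
    if wp_squared:
        return "patched" if v >= FIXED_WP_SQUARED else "needs-upgrade"
    branch = v[1]
    if branch < 110:
        return "not-affected"      # advisory scope starts at version 110
    floor = FIXED.get(branch)
    if floor is None:
        return "unlisted-branch"   # page lists no fixed build for this branch
    if cl6110 and branch == 110:
        floor = FIXED_CL6110
    return "patched" if v >= floor else "needs-upgrade"

if __name__ == "__main__":
    # Constructed inventory for illustration; not real hosts.
    for host, ver in [("web01", "11.110.0.9"), ("web02", "11.132.0.32")]:
        print(host, ver, assess(ver))
```

A host reported as unlisted-branch is on a branch for which this page gives no fixed build, so check it against the vendor advisory directly rather than assuming it is safe.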
Evidence notes
All substantive claims come from the vendor’s official advisory published 2026-05-13 and updated the same day, plus the supplied CVE metadata. The advisory states the issue involves a low-privilege team user (role=default), certain UAPI modules, affected cPanel & WHM branches starting at version 110, and the fixed versions listed above. The source also provides the WP Squared fixed version and legacy CentOS 6 / CloudLinux 6 upgrade-tier guidance. No CVSS score was provided in the supplied source.
Official resources
- CVE-2026-32991 CVE record (CVE.org)
- CVE-2026-32991 NVD detail (NVD)
- Vendor advisory source (cpanel_changelog_rss)
Vendor advisory published 2026-05-13T12:42:58Z and modified 2026-05-13T20:17:31Z. The supplied record should be treated as the disclosure source for this CVE.