PatchSiren

CVE-2026-32992 cPanel CVE debrief

cPanel published a security update on 2026-05-13 for CVE-2026-32992. The vendor says SSL verification was not fully enforced in the DNS Cluster system, which could let a malicious server man-in-the-middle a request and capture credentials. cPanel released fixes in specific cPanel & WHM branches and in WP Squared, and states that later versions are also patched.

Vendor: cPanel
Product: cPanel/WHM
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-05-13
Advisory published: 2026-05-13
Advisory updated: 2026-05-13

Who should care

cPanel & WHM and WP Squared administrators, especially teams using DNS Cluster functionality or managing multi-server cPanel environments where cluster traffic could expose credentials if intercepted.

Technical summary

According to the vendor advisory, the flaw is an SSL verification enforcement issue in the DNS Cluster system. If an attacker can position a malicious server in the request path or otherwise impersonate a cluster endpoint, the weak verification could allow interception of cluster communications and credential capture. cPanel lists fixed releases for cPanel & WHM 11.126.0.59+, 11.130.0.23+, 11.132.0.32+, 11.134.0.26+, 11.136.0.10+, and WP Squared 11.136.1.12+.

Defensive priority

High

Recommended defensive actions

  • Update cPanel & WHM or WP Squared to a fixed release listed by the vendor as soon as possible.
  • Verify the installed version after updating to confirm the patch was applied successfully.
  • If you operate DNS Cluster functionality, review the trust and endpoint configuration for unexpected changes or unrecognized servers.
  • If you have reason to suspect cluster traffic may have been intercepted, review related credentials and consider rotating them following your incident-response procedures.
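One way to script the version check from the second action above, as an added example that is not cPanel's own tooling: it compares a version string against the per-branch fixed builds listed in the advisory. The product labels "cpanel" and "wp2", the function names, and the version file path in the usage comment are assumptions made for this example.

```sh
#!/bin/sh
# Added example: classify a version string against the fixed releases the
# advisory lists for CVE-2026-32992. Product labels "cpanel" and "wp2" are
# hypothetical names chosen for this script.

# First fixed build per branch (values copied from the advisory text).
fixed_build() {
  case "$1" in
    cpanel:126.0) echo 59 ;;
    cpanel:130.0) echo 23 ;;
    cpanel:132.0) echo 32 ;;
    cpanel:134.0) echo 26 ;;
    cpanel:136.0) echo 10 ;;
    wp2:136.1)    echo 12 ;;
    *) return 1 ;;
  esac
}

# check_version <cpanel|wp2> <version>
# Prints one of: patched | vulnerable | unknown
check_version() {
  product=$1
  ver=${2#11.}                      # accept "11.126.0.59" or "126.0.59"
  case "$ver" in
    *[!0-9.]*|.*|*.|*..*|*.*.*.*) echo unknown; return 0 ;;
    *.*.*) ;;                       # exactly major.minor.build
    *) echo unknown; return 0 ;;
  esac
  major=${ver%%.*}; rest=${ver#*.}
  minor=${rest%%.*}; build=${rest#*.}

  if min=$(fixed_build "$product:$major.$minor"); then
    if [ "$build" -ge "$min" ]; then echo patched; else echo vulnerable; fi
  elif [ "$major" -gt 136 ]; then
    echo patched                    # advisory: later versions are also patched
  else
    echo unknown                    # branch not named in the advisory
  fi
}

# Usage on a server (the version file path is an assumption about a
# standard install, not taken from the advisory):
#   check_version cpanel "$(cat /usr/local/cpanel/version)"
```

A result of "unknown" means the branch is older than or outside the ones the advisory names, so it should be treated as unverified rather than safe.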

Evidence notes

Vendor advisory published 2026-05-13 12:44:00Z and modified 2026-05-13 20:16:48Z. cPanel states that SSL verification was not fully enforced in the DNS Cluster system and that a malicious server could man-in-the-middle requests and capture credentials. The advisory names fixed versions: cPanel & WHM 11.126.0.59+, 11.130.0.23+, 11.132.0.32+, 11.134.0.26+, 11.136.0.10+, and WP Squared 11.136.1.12+. No CVSS score was supplied in the source corpus.

Official resources

Vendor-disclosed security issue published by cPanel on 2026-05-13; the source item was modified the same day.