Scan free
HIGHCVE-2026-29205CVSS 8.6

CVE-2026-29205: Arbitrary File Access in cPanel

Platform

cpanel

Component

cpanel

Fixed in

11.136.1.12

View on NVD
Save

CVE-2026-29205 is an Arbitrary File Access vulnerability discovered in cPanel. This flaw allows an attacker to read arbitrary files on the server, potentially exposing sensitive data like configuration files, database credentials, or source code. The vulnerability affects cPanel versions from 11.120.0.0 through 11.136.1.12. A fix is available in cPanel version 11.136.1.12.

Impact and Attack Scenarios

The impact of CVE-2026-29205 is significant due to the potential for complete data compromise. An attacker exploiting this vulnerability could gain access to a wide range of sensitive information stored on the server. This includes configuration files containing database passwords, private keys, and API tokens, which could be used for further attacks. Furthermore, access to source code could reveal other vulnerabilities or proprietary business logic. The ability to read arbitrary files effectively grants an attacker a high degree of control over the affected system, enabling them to steal data, modify configurations, or even execute arbitrary code if combined with other vulnerabilities.

Exploitation Context

CVE-2026-29205 was published on May 13, 2026. As of this writing, there is no indication of active exploitation in the wild. The vulnerability is not currently listed on KEV (Known Exploited Vulnerabilities) or EPSS (Emergency Patch Status System). Public proof-of-concept (POC) code has not been widely disseminated, suggesting a lower probability of immediate exploitation, but diligent monitoring is still recommended.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh
Reports2 threat reports

CISA SSVC

Exploitationnone
Automatableyes
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L8.6HIGHAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityHighRisk of sensitive data exposureIntegrityLowRisk of unauthorized data modificationAvailabilityLowRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
Low — partial or intermittent denial of service. Attacker can degrade performance.

Affected Software

Componentcpanel
VendorWebPros
Minimum version11.120.0.0
Maximum version11.136.1.12
Fixed in11.136.1.12

Weakness Classification (CWE)

CWE-250

Timeline

  1. Reserved
  2. Published
  3. Modified

Mitigation and Workarounds

The primary mitigation for CVE-2026-29205 is to upgrade cPanel to version 11.136.1.12 or later. Before upgrading, it's crucial to back up your cPanel installation and any associated data. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the vulnerable /cpanel/cpdavd/attachment/ endpoint. Additionally, restrict access to the cpdavd process using file system permissions to limit the scope of potential file access. After upgrading, verify the fix by attempting to access a non-existent file through the attachment download endpoint; the request should be denied.

How to fix

Actualice cPanel a la versión 11.136.0.10 o posterior para mitigar la vulnerabilidad. Esta actualización corrige una falla en la gestión de privilegios y el filtrado de rutas que permitía la lectura de archivos arbitrarios a través de los puntos finales de descarga de archivos adjuntos cpdavd.

Frequently asked questions

What is CVE-2026-29205 — Arbitrary File Access in cPanel?

CVE-2026-29205 is a vulnerability in cPanel allowing attackers to read arbitrary files on the server. It's rated HIGH severity (CVSS: 8.6) and affects versions 11.120.0.0 through 11.136.1.12.

Am I affected by CVE-2026-29205 in cPanel?

You are affected if you are running cPanel versions 11.120.0.0 to 11.136.1.12. Check your cPanel version using /usr/local/cpanel/cpversion.

How do I fix CVE-2026-29205 in cPanel?

Upgrade cPanel to version 11.136.1.12 or later. Back up your system before upgrading and consider a WAF rule as a temporary mitigation.

Is CVE-2026-29205 being actively exploited?

As of the current assessment, there is no public evidence of active exploitation in the wild. However, diligent monitoring is still recommended.

Where can I find the official cPanel advisory for CVE-2026-29205?

Refer to the official cPanel security advisory for detailed information and updates: [https://security.cpanel.net/](https://security.cpanel.net/)

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs
livefree scan

Try it now — no account

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

Manual scanSlack/email alertsContinuous monitoringWhite-label reports

Drag & drop your dependency file

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...