CVE-2026-29206: SQL Injection in cPanel 11.102.0.0-11.136.1.12
Platform
cpanel
Component
cpanel
Fixed in
11.136.1.12
CVE-2026-29206 describes a SQL injection vulnerability in cPanel's sqloptimizer utility script. Input reaching the script is not properly sanitized before it is used in SQL statements, so an attacker can inject SQL that runs with the script's privileges. The vulnerability affects cPanel versions from 11.102.0.0 up to the fixed release; cPanel fixed it in 11.136.1.12.
Impact and Attack Scenarios
Successful exploitation of CVE-2026-29206 gives an attacker SQL execution against the cPanel server's database with root privileges, since sqloptimizer runs as root. With that level of access the attacker can modify or destroy databases, configuration and hosted content, and, as this page describes it, read sensitive information such as user credentials. Note, however, that the published CVSS vector rates the confidentiality impact as None; the scored impact is to integrity and availability (data manipulation, defacement and denial of service). Slow Query logging must be enabled for the vulnerability to be exploitable, so only installations with that feature turned on are exposed; because it is commonly enabled for performance tuning, that is still a large population of cPanel hosts. SQL execution as root also turns a single injection into a path to broader server compromise.
Exploitation Context
CVE-2026-29206 was published on May 13, 2026 with a HIGH severity rating and a CVSS base score of 8.1 (vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H, as broken down in the metric list below). No public proof-of-concept (POC) code is known at the time of writing, but the root execution context means exploitation is likely to follow quickly if a POC appears. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog; its potential impact nonetheless warrants close monitoring. The EPSS score is pending evaluation.
CVSS Vector
- Attack Vector (AV:N): Network. Exploitable remotely; no physical or local access is required.
- Attack Complexity (AC:L): Low. No specialised conditions or timing outside the attacker's control are required, so exploitation is reliable once the Slow Query logging prerequisite is met.
- Privileges Required (PR:N): None. The attacker needs no account or credentials.
- User Interaction (UI:R): Required. A user other than the attacker must take some action (for example running the vulnerable utility) before the exploit succeeds.
- Scope (S:U): Unchanged. The impact is confined to the vulnerable component's own security authority.
- Confidentiality (C:N): None. No confidentiality impact is scored.
- Integrity (I:H): High. The attacker can write, modify or delete data: databases, configuration files or code.
- Availability (A:H): High. Complete loss of availability, for example a crash or resource exhaustion of the database.
Mitigation and Workarounds
The primary mitigation for CVE-2026-29206 is to upgrade cPanel to version 11.136.1.12 or later. If upgrading is not immediately feasible, disable Slow Query logging to remove the prerequisite for exploitation: in MySQL/MariaDB this is `SET GLOBAL slow_query_log = OFF;` for the running server, plus `slow_query_log = 0` in the server's my.cnf so the setting survives a restart (confirm with `SHOW VARIABLES LIKE 'slow_query_log';`). A Web Application Firewall (WAF) with SQL injection rules can be layered on as a temporary control, but sqloptimizer is a utility script rather than a network service, so a WAF only helps where the injected input arrives over HTTP; do not rely on it as the sole mitigation. Monitor cPanel and database logs for unexpected SQL, particularly statements issued from the sqloptimizer process. After upgrading, confirm that the installed version is 11.136.1.12 or later (`/usr/local/cpanel/cpanel -V`, or the contents of `/usr/local/cpanel/version`); no public exploit steps are documented against which to re-test.
How to fix
Update cPanel to version 11.136.1.12 or later to remediate the SQL injection vulnerability. The update corrects the missing input sanitization in the SQL queries built by the `sqloptimizer` utility script, preventing malicious SQL from being executed via the slow query log.
Frequently asked questions
What is CVE-2026-29206 — SQL Injection in cPanel?
CVE-2026-29206 is a SQL injection vulnerability in cPanel's sqloptimizer script affecting versions from 11.102.0.0 up to the fix in 11.136.1.12. It allows attackers to inject SQL commands that execute as the root user when Slow Query logging is enabled, potentially leading to data manipulation and breaches.
Am I affected by CVE-2026-29206 in cPanel?
You are likely affected if you are running a cPanel version from 11.102.0.0 up to (but not including) 11.136.1.12 and have Slow Query logging enabled. Check your cPanel version with `/usr/local/cpanel/cpanel -V` (or read `/usr/local/cpanel/version`), and check the logging status with `SHOW VARIABLES LIKE 'slow_query_log';` in the MySQL/MariaDB client.
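The exposure check described in the mitigation section and in this answer, as an added example rather than cPanel's own tooling: it compares a dotted version string against the affected range stated on this page and reads the `slow_query_log` row returned by the database. The path `/usr/local/cpanel/version` and the `mysql -N -B -e` invocation in the comment are assumptions to verify on your own host; the sample inputs at the bottom are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not cPanel's own code): is this host exposed to CVE-2026-29206?
# Combines the two facts on this page: the affected version range and the
# Slow Query logging prerequisite.

AFFECTED_FROM="11.102.0.0"   # first affected version listed on this page
FIXED_IN="11.136.1.12"       # "Fixed in" version listed on this page

# vercmp A B: print -1, 0 or 1, comparing dotted numeric versions component-wise.
# Missing trailing components count as 0, so 11.136.1 == 11.136.1.0.
vercmp() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        if [ "${x:-0}" -lt "${y:-0}" ]; then printf '%s\n' -1; return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then printf '%s\n' 1;  return 0; fi
    done
    printf '%s\n' 0
}

# is_affected VERSION: succeed when AFFECTED_FROM <= VERSION < FIXED_IN.
is_affected() {
    [ "$(vercmp "$1" "$AFFECTED_FROM")" -ge 0 ] && [ "$(vercmp "$1" "$FIXED_IN")" -lt 0 ]
}

# slow_log_enabled ROW: ROW is the line printed by
#   mysql -N -B -e "SHOW VARIABLES LIKE 'slow_query_log'"
# (variable name, whitespace, value). Succeeds when the value is ON.
slow_log_enabled() {
    case "$(printf '%s\n' "$1" | awk '{ print toupper($2) }')" in
        ON|1) return 0 ;;
        *)    return 1 ;;
    esac
}

# assess VERSION ROW: print one of
#   PATCHED            version is at or beyond the fixed release
#   NOT_IN_RANGE       version predates the affected range
#   AFFECTED_LOG_OFF   vulnerable code, but the prerequisite is absent
#   AFFECTED_LOG_ON    vulnerable code and Slow Query logging enabled: act now
assess() {
    if ! is_affected "$1"; then
        if [ "$(vercmp "$1" "$FIXED_IN")" -ge 0 ]; then
            printf '%s\n' PATCHED
        else
            printf '%s\n' NOT_IN_RANGE
        fi
    elif slow_log_enabled "$2"; then
        printf '%s\n' AFFECTED_LOG_ON
    else
        printf '%s\n' AFFECTED_LOG_OFF
    fi
}

# On a live cPanel host (assumed path and command; adjust if yours differ):
#   assess "$(cat /usr/local/cpanel/version)" \
#          "$(mysql -N -B -e "SHOW VARIABLES LIKE 'slow_query_log'")"
#
# Constructed sample inputs so the script demonstrates every outcome offline:
assess "11.110.0.5"  "slow_query_log	ON"    # AFFECTED_LOG_ON
assess "11.110.0.5"  "slow_query_log	OFF"   # AFFECTED_LOG_OFF
assess "11.136.1.12" "slow_query_log	ON"    # PATCHED
assess "11.94.0.31"  "slow_query_log	ON"    # NOT_IN_RANGE
```

The version comparison is written in plain POSIX shell rather than `sort -V` so it behaves the same on minimal or BusyBox-based systems; `AFFECTED_LOG_OFF` still means the vulnerable code is installed, so treat it as a reason to upgrade, not as a safe state.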
How do I fix CVE-2026-29206 in cPanel?
Upgrade cPanel to version 11.136.1.12 or later. If upgrading is not yet possible, disable Slow Query logging as a temporary mitigation, and consider WAF rules to block SQL injection attempts where the input path is reachable over HTTP.
Is CVE-2026-29206 being actively exploited?
No public POC is known at the time of writing and the CVE is not in CISA's KEV catalog, but the severity and root execution context make exploitation likely if a POC is released. Monitor cPanel and database logs for suspicious activity.
Where can I find the official cPanel advisory for CVE-2026-29206?
Refer to the official cPanel security advisory for CVE-2026-29206 on the cPanel security site: https://security.cpanel.net/