CVE-2026-32991: Privilege Escalation in cPanel
Platform: cpanel
Component: cpanel
Fixed in: 11.136.1.12
CVE-2026-32991 describes a privilege escalation vulnerability within cPanel. An attacker, posing as a team member, can exploit this flaw to gain elevated privileges, effectively becoming the team owner. This impacts cPanel installations running versions from 11.110.0.0 to 11.136.1.12. A patch is available in version 11.136.1.12.
Impact and Attack Scenarios
Successful exploitation of CVE-2026-32991 allows an attacker to assume the role of the team owner within cPanel. This grants them complete control over the team's resources and settings, including access to sensitive data and configuration options. An attacker could potentially modify website files, databases, and other critical components. The blast radius extends to all resources managed by the compromised team, potentially impacting multiple websites and users hosted on the cPanel server. This vulnerability is particularly concerning as it bypasses standard authentication mechanisms, allowing unauthorized access with relative ease.
Exploitation Context
CVE-2026-32991 was published on May 13, 2026. Its CVSS score of 7.1 (HIGH) indicates a significant risk. There are currently no publicly available exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on KEV or EPSS, suggesting a low to medium probability of exploitation in the near term. Monitor security advisories and threat intelligence feeds for any updates.
CVSS Vector
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. The attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: Low — any valid user account is sufficient. Basic authenticated access required.
- User Interaction: None — the attack is automatic and silent. The victim does nothing: no click, no file open.
- Scope: Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality: Low — partial or indirect data access. The attacker gains limited information.
- Integrity: High — the attacker can write, modify, or delete any data: databases, config files, or code.
- Availability: None — no availability impact. Service remains fully operational.
Mitigation and Workarounds
The primary mitigation for CVE-2026-32991 is to upgrade cPanel to version 11.136.1.12 or later. Before upgrading, back up your cPanel installation, including all website files, databases, and configurations. If an immediate upgrade is disruptive, temporarily restrict team member privileges to limit the potential impact of the vulnerability. A WAF rule is unlikely to address this flaw, so carefully review and restrict team member access permissions to minimize the attack surface. After upgrading, verify the fix by confirming that a team member attempting to escalate privileges is denied.
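To triage a fleet of hosts quickly, the check below compares an installed cPanel version string against the affected range stated on this page (11.110.0.0 up to, but not including, the fixed release 11.136.1.12). It is an added example, not cPanel's own tooling or code from this advisory; the path /usr/local/cpanel/version used to read the installed version is an assumption, and the helper and variable names are constructed for this example.

```shell
#!/bin/sh
# Version-range check for CVE-2026-32991 (added example; not cPanel-provided code).
# Range taken from this advisory: affected from AFFECTED_MIN, fixed in FIXED_IN.
AFFECTED_MIN="11.110.0.0"
FIXED_IN="11.136.1.12"

# version_lt A B: succeeds (exit 0) when dotted version A sorts strictly before B.
# Uses sort -V so that 11.136.1.12 correctly orders after 11.136.1.9.
version_lt() {
    if [ "$1" = "$2" ]; then
        return 1
    fi
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$first" = "$1" ]
}

# cve_2026_32991_status VERSION: prints "affected", "not-affected" or "unknown".
cve_2026_32991_status() {
    v="$1"
    # Anything that is not a dotted numeric version cannot be compared reliably.
    case "$v" in
        ''|*[!0-9.]*) echo "unknown"; return 0 ;;
    esac
    if version_lt "$v" "$AFFECTED_MIN"; then
        echo "not-affected"          # older than the first affected release
    elif version_lt "$v" "$FIXED_IN"; then
        echo "affected"              # inside [AFFECTED_MIN, FIXED_IN)
    else
        echo "not-affected"          # fixed release or newer
    fi
}

# read_installed_version: reads the version file cPanel keeps on the host
# (path is an assumption for this example); prints "unknown" if absent.
read_installed_version() {
    if [ -r /usr/local/cpanel/version ]; then
        tr -d '[:space:]' < /usr/local/cpanel/version
    else
        echo "unknown"
    fi
}

# Stand-alone use: pass a version as $1, or let the script read the local install.
installed="${1:-$(read_installed_version)}"
echo "cPanel $installed: $(cve_2026_32991_status "$installed")"
```

Run it on each host (or feed it the version strings collected by your inventory tool) and treat every "affected" result as a host that still needs the 11.136.1.12 upgrade; "unknown" means the version could not be read and should be checked by hand rather than assumed safe.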
How to fix
Upgrade cPanel to version 11.136.0.10 or later to correct the vulnerability. This update addresses the authorization flaws that allow team members to escalate privileges to the team owner's account. Consult the security note provided by cPanel for further details and upgrade instructions.
Frequently asked questions
What is CVE-2026-32991 — Privilege Escalation in cPanel?
CVE-2026-32991 is a HIGH severity vulnerability in cPanel allowing team members to escalate privileges to the team owner account, potentially granting unauthorized access and control over the team's resources.
Am I affected by CVE-2026-32991 in cPanel?
You are affected if you are running cPanel versions 11.110.0.0 through 11.136.1.12. Verify your cPanel version using the 'cpversion' command.
How do I fix CVE-2026-32991 in cPanel?
Upgrade cPanel to version 11.136.1.12 or later. Back up your cPanel installation before upgrading to ensure data recovery in case of issues.
Is CVE-2026-32991 being actively exploited?
As of the current assessment, CVE-2026-32991 is not known to be actively exploited, but it remains a significant risk due to its potential impact.
Where can I find the official cPanel advisory for CVE-2026-32991?
Refer to the official cPanel security advisory for CVE-2026-32991 on the cPanel website: [https://security.cpanel.net/ (replace with actual advisory link when available)].