HIGHCVE-2026-32992CVSS 8.2

CVE-2026-32992: MITM in cPanel DNS Cluster

Platform

cpanel

Component

cpanel

Fixed in

11.136.1.12

View on NVD

Save

CVE-2026-32992 affects cPanel DNS Cluster systems, allowing a man-in-the-middle (MITM) attack due to disabled SSL verification. This vulnerability could enable attackers to intercept and potentially steal sensitive credentials. The vulnerability impacts cPanel versions from 11.126.0.0 through 11.136.1.12, and a fix is available in version 11.136.1.12.

Impact and Attack Scenarios

The core of this vulnerability lies in the DNS Cluster's failure to enforce SSL verification. An attacker positioned between the cPanel server and the DNS resolver can intercept DNS queries and responses. This allows them to manipulate DNS records, redirect users to malicious websites, and potentially capture credentials transmitted in the clear. The blast radius extends to any service relying on DNS resolution, including email, web applications, and other critical infrastructure. While direct remote code execution is not possible, the ability to compromise DNS integrity poses a significant risk to overall system security and data confidentiality.

Exploitation Context

CVE-2026-32992 was published on May 13, 2026. Its severity is rated HIGH (CVSS 8.2). There are currently no publicly known Proof-of-Concept (POC) exploits. The vulnerability is not listed on KEV or EPSS, suggesting a low to medium probability of exploitation at this time. Monitor security advisories and threat intelligence feeds for any updates regarding active exploitation campaigns.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

Reports1 threat report

CISA SSVC

Exploitationnone

Automatableyes

Technical Impactpartial

CVSS Vector

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity: Low — attacker can modify some data with limited scope or impact.
Availability: None — no availability impact. Service remains fully operational.

Affected Software

Componentcpanel

VendorWebPros

Minimum version11.126.0.0

Maximum version11.136.1.12

Fixed in11.136.1.12

Weakness Classification (CWE)

CWE-295

Timeline

Reserved2026-03-17
Published2026-05-13
Modified2026-05-14

Mitigation and Workarounds

The primary mitigation for CVE-2026-32992 is upgrading cPanel to version 11.136.1.12 or later, which includes the SSL verification fix. If immediate upgrading is not possible, consider implementing temporary workarounds. Implement strict firewall rules to restrict access to the DNS Cluster to only authorized clients. Monitor DNS logs for suspicious activity, such as unexpected record changes or unusual query patterns. While not a direct fix, utilizing a Web Application Firewall (WAF) can help detect and block malicious traffic attempting to exploit this vulnerability. After upgrading, verify SSL verification is enabled by checking the DNS Cluster configuration and observing DNS resolution behavior.

How to fix

Actualice cPanel a la versión 11.136.0.10 o posterior para deshabilitar la verificación SSL y mitigar el riesgo de ataques de intermediario.  Asegúrese de realizar una copia de seguridad completa antes de aplicar la actualización. Consulte la documentación oficial de cPanel para obtener instrucciones detalladas sobre cómo actualizar.

Frequently asked questions

What is CVE-2026-32992 — MITM in cPanel DNS Cluster?

CVE-2026-32992 is a HIGH severity vulnerability in cPanel DNS Cluster allowing man-in-the-middle attacks due to disabled SSL verification, potentially exposing credentials. It affects versions 11.126.0.0–11.136.1.12.

Am I affected by CVE-2026-32992 in cPanel DNS Cluster?

You are affected if you are running cPanel DNS Cluster in versions 11.126.0.0 through 11.136.1.12. Check your cPanel version immediately to determine your exposure.

How do I fix CVE-2026-32992 in cPanel DNS Cluster?

Upgrade cPanel to version 11.136.1.12 or later to resolve the vulnerability. If immediate upgrade is not possible, implement temporary workarounds like firewall restrictions and log monitoring.

Is CVE-2026-32992 being actively exploited?

Currently, there are no publicly known active exploitation campaigns or Proof-of-Concept exploits for CVE-2026-32992, but continuous monitoring is recommended.

Where can I find the official cPanel advisory for CVE-2026-32992?

Refer to the official cPanel security advisory for CVE-2026-32992 on the cPanel website: [https://security.cpanel.net/ (replace with actual advisory link when available)].

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free Search CVEs

livefree scan

Try it now — no account

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

Manual scanSlack/email alertsContinuous monitoringWhite-label reports

Drag & drop your dependency file

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...

Browse files