cPanel has disclosed three new security vulnerabilities (CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203) with a patch scheduled for release today, May 8, 2026, at 12:00pm EST. This is a heads-up advisory: most InMotion Hosting customers will receive the cPanel security update automatically through InMotion’s standard patching process. Your websites, email, and databases are not affected by this advisory.
What We Know About the cPanel Security Update
cPanel’s pre-disclosure notification identifies three vulnerabilities under the following identifiers:
Technical details for all three CVEs are under embargo until the patch goes live at 12:00pm EST today. cPanel will publish its official advisory alongside the patch release. The patch will distribute through the standard cPanel automatic update process. Customers and administrators who prefer to update manually can run /scripts/upcp after 12:00pm EST today.
Note: Patched version numbers will be listed in cPanel’s official advisory once it publishes at 12:00pm EST. This article will be updated with that information and a link to the advisory after the embargo lifts.
How InMotion Hosting is Responding to the Disclosure
InMotion Hosting is monitoring this disclosure closely and will push the patch through the standard automatic update process across the entire server fleet, covering Shared, Reseller, VPS, and Dedicated hosting environments. No special action is required from most customers.
Because technical details are not yet public, the full scope of these vulnerabilities is still unknown. InMotion’s team is prepared to take additional precautions if the patch release reveals circumstances that warrant them. The same playbook used during CVE-2026-41940 is available if needed. InMotion will not take preemptive action before technical details are published, but the team is ready to act quickly if the situation calls for it.
During the CVE-2026-41940 incident, InMotion temporarily restricted access to cPanel and WHM ports as a protective measure while patches were applied. For context on how InMotion handled that incident, see the original April 2026 advisory.
Your active services are not expected to be affected. Websites, email accounts, and databases will continue to run normally regardless of any patching or protective measures applied to the control panel layer.
What You Should Do Before and After the Patch
The right action depends on your hosting plan:
- Shared, WordPress, Managed VPS, and Managed Dedicated Server customers: Nothing. The patch will apply automatically to your server. You do not need to run any commands or make any changes.
- Self-managed VPS and Dedicated Server customers: Confirm that automatic updates are enabled in
/etc/cpupdate.confby checking that the file containsUPDATES=daily. Alternatively, after 12:00pm EST today, run/scripts/upcpto apply the patch manually. - CloudLinux 6 servers on the cPanel 110 branch: Before running a manual update, run the following sed command to set the correct update tier, then run
/scripts/upcp.
sed -i "s/CPANEL=.*/CPANEL=cl6110/g" /etc/cpupdate.confImportant: If InMotion determines that port restrictions are necessary (as described earlier), you may experience a brief interruption in cPanel and WHM access during the patching window. This is a protective measure, not a service outage. Your hosted sites and applications will remain online.
Why Does Managed Hosting Matter During cPanel Disclosures?
Disclosures like this one are where the difference between managed and unmanaged hosting becomes operational, not theoretical. Three factors decide how quickly a fleet gets patched and how cleanly it gets done.
Owned infrastructure means direct control. InMotion Hosting designs, owns, and operates its hardware and network. There is no hyperscale cloud provider in the loop and no third-party vendor sitting between the disclosure and the patch. Decisions about patch timing, port restrictions, and customer notification happen in-house, on equipment InMotion controls. That is how patches ship to thousands of servers within hours of cPanel publishing a fix.
Real operators handle escalations. Support is staffed by trained engineers 24/7. During an active CVE, that experience matters because the questions are answered by technicians with an average support tenure of over five years. Customers reach a person who has worked through previous cPanel incidents and understands the underlying systems.
Managed plans absorb the work. On Shared, WordPress, Managed VPS, and Managed Dedicated Server plans, InMotion handles patching, monitoring, and any protective measures required. Self-managed customers retain full root access and full responsibility for their own update cadence. Both models are valid, but they require different levels of attention from the customer during disclosures like this one.
What Comes Next After the Patch Is Deployed?
Once the patch is deployed and cPanel publishes the full technical advisory, InMotion will publish a follow-up article with the complete details: what the vulnerabilities are, how InMotion responded across the fleet, the patched version numbers, and any additional steps customers should take. That article will follow the same format as the CVE-2026-41940 technical follow-up. Check back at the InMotion Hosting Support Center news section for the update.
If you have questions about your specific environment before the follow-up publishes, InMotion Hosting support is available 24/7.
Leave a Reply