OVHcloud incident

cPanel - CVE-2026-41940 - Incident Notification

OVHcloud experienced a critical incident on May 1, 2026 affecting Bare Metal Services and Virtual Private Services and 1 more component, lasting 4d 15h. The incident has been resolved; the full update timeline is below.

Started: May 01, 2026, 10:55 PM UTC
Resolved: May 06, 2026, 02:53 PM UTC
Duration: 4d 15h
Detected by Pingoru: May 01, 2026, 10:55 PM UTC

Affected components

Bare Metal ServicesVirtual Private ServicesVirtual Private Services (US-EAST-LZ-ATL)Virtual Private Services (US-EAST-LZ-DAL)Virtual Private Services (US-EAST-LZ-MIA)Virtual Private Services (US-EAST-LZ-NYC)Virtual Private Services (US-WEST-LZ-DEN)Virtual Private Services (US-WEST-LZ-LAX)Virtual Private Services (US-WEST-LZ-PAO)Virtual Private Services (US-WEST-LZ-SEA)

Update timeline

investigating May 01, 2026, 10:55 PM UTC

OVHcloud was recently informed of a security concern from cPanel team that has been identified as CVE-2026-41940. This concern allows for the possibility of exploitation on machines running cPanel & WHM. An overview of the security concern and details of the patch can be found here - https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026 To immediately address and protect from any security concerns, OVHcloud teams highly recommends anyone using a cPanel image to execute the recommended patch, as described by cPanel, on the CVE documentation. If you are using an OVHcloud provided cPanel template, please be advised that our image is not yet patched. If you need to reinstall your template for any reason between now and our patches being applied, you will need to execute the recommended steps to patch again, to ensure you remain secure. We will update here as soon as our cPanel templates are patched. We appreciate your understanding.
monitoring May 05, 2026, 02:06 PM UTC

The patch has been applied to the all OVHcloud provided cPanel template.