What is Agent-as-a-Service pentesting?

Agent-as-a-Service (AaaS) pentesting lets you chat with autonomous pentesting agents that scan your application on demand. Instead of waiting weeks for a manual engagement, you talk to specialized agents — pen-scout (recon and surface mapping), pen-recon (deeper enumeration), pen-triage (validates and prioritizes findings), pen-fixer (remediation guidance), and pen-compliance (OWASP/standards mapping). Findings are validated with proof-of-concept and re-test, not just flagged. You start with 150 free credits, no credit card.

What are credits and how do they work?

Credits are how you run agent scans. Each scan or agent action consumes credits based on its depth. New accounts get 150 free credits with no card required. After that you can buy one-time credit packs ($29, $79, or $199) for pay-as-you-go use, or subscribe to a monthly tier ($49, $149, or $399/mo) for continuous, on-demand pentesting. The agents pen-scout, pen-recon, pen-triage, pen-fixer and pen-compliance all draw from the same credit balance.

Yes. Every new account gets 150 free credits with no credit card required — enough to chat with the pentesting agents and run real scans against your app. There is also a free security headers scan at sable.somoswilab.com/free-scan and a sample report at sable.somoswilab.com/sample-report. The free tier runs on OpenRouter models so you can evaluate the autonomous agents before paying.

What is penetration testing for startups?

Penetration testing (pentesting) is a simulated cyberattack against your application to find security vulnerabilities before real attackers do. For startups, we focus on the issues that matter most at your stage: authentication flaws, data exposure, API security, and common mistakes in modern stacks like Next.js, Supabase, and Firebase.

How much does a pentest cost?

Traditional pentests cost $10,000-$50,000+. SableOffensive starts at $29 for a Pre-Launch Check covering OWASP Top 10 and secrets detection. Founder Shield ($79) adds IDOR testing, auth bypass, and a debrief call. Scale Secure ($199) is a full-scope assessment. Every plan includes a professional report with remediation steps.

How long does a security scan take?

Pre-Launch Check reports are delivered within 24-48 hours. Founder Shield and Scale Secure may take 2-3 business days depending on the complexity of your application.

What do I need to provide?

At minimum, just your application URL. For more comprehensive testing, we may ask for staging credentials, API documentation, or GitHub repository access. We sign NDAs for all engagements.

What is OWASP Top 10?

OWASP Top 10 is the industry standard list of the most critical web application security risks. It includes injection attacks, broken authentication, cross-site scripting (XSS), server-side request forgery (SSRF), and security misconfigurations. Every SableOffensive assessment tests against the full OWASP Top 10.

Do you test AI-generated code?

Yes. Code generated by AI tools like Cursor, GitHub Copilot, and v0 often contains subtle security issues: hardcoded secrets, missing input validation, insecure API patterns, and overly permissive access controls. We have specific testing procedures for AI-generated codebases.

How do you secure Supabase and Firebase apps?

For Supabase, we audit Row Level Security (RLS) policies, test for direct table access, and check for exposed service keys. For Firebase, we review security rules, test Firestore/RTDB access patterns, and check Cloud Functions for vulnerabilities.

What if you find zero vulnerabilities?

50% money back guarantee. If our scan finds zero security issues, you get half your money back.

Is there a free pentesting option?

Yes. SableOffensive offers a free security headers scan at sable.somoswilab.com/free-scan. It instantly checks your website for 8 critical security headers (HSTS, CSP, X-Frame-Options, and more) and gives you an A-F grade with copy-paste fixes. No signup or payment required.

Can I get a free vulnerability scan?

Our free security headers check scans your website instantly and grades your security posture. For a deeper free assessment, contact us — we occasionally offer complimentary scans for early-stage startups and open source projects.

CVE-2026-41940: cPanel Auth Bypass Exploited 65 Days as 0-Day, 1.5M Servers Exposed

TL;DR

CVE-2026-41940 is a CVSS 9.8 authentication bypass in cPanel & WHM caused by CRLF injection into the session file that cpsrvd writes before authentication completes. An unauthenticated attacker manipulates the whostmgrsession cookie to skip the encryption path, then injects \r\n through the HTTP Authorization header. The unsanitized newlines append user=root to the on-disk session, and the next request authenticates as root. The bug was exploited in the wild since at least February 23, 2026 — roughly 65 days as a 0-day — and patched April 28, 2026 after hosting providers escalated. Roughly 1.5 million cPanel instances are exposed on the public internet; assume any unpatched server has been compromised.

What Happened

watchTowr Labs published a technical analysis of CVE-2026-41940 on April 29, 2026, one day after cPanel shipped patched builds. The flaw lives in the cPanel service daemon cpsrvd, which mishandles two stages of session lifecycle:

Pre-auth session creation. cpsrvd writes a new session file to disk before the authentication state is decided. Any subsequent failure rolls back the session, but the file write is the vulnerable instruction.
Cookie segment skip. The whostmgrsession cookie is normally encrypted via an internal segment. By omitting the expected segment, an attacker triggers the legacy code path that doesn't apply the encryption sanitizer.

With those two preconditions, the attacker sends an HTTP request whose Authorization: Basic header contains raw \r\n characters. The unsanitized header bytes flow into the session-file writer as if they were legitimate session properties. The injected newlines split the file's structured key=value content, and the attacker appends user=root. The next request — using the same session — is treated as fully authenticated as root.

Why This Specific Bug Class Matters

CRLF injection is one of the oldest web vulnerability classes — described in OWASP guidance for over a decade. What's striking about CVE-2026-41940 is the combination:

The sink is a privileged file write. Most CRLF bugs land in HTTP response headers (response splitting, log forging). This one lands in a session-state file that grants root.
The trigger is pre-authentication. No credentials needed. No prior account.
The escape gadget is a documented cookie format quirk. The legacy non-encrypted code path was kept alive for backwards compatibility — a design choice that hardens almost no system but defeats the encryption sanitizer for this one class.
The blast radius is shared hosting. A single compromised cPanel server typically manages dozens to hundreds of customer websites, mailboxes, databases, and cron jobs.

This is a textbook case of how a familiar bug class becomes catastrophic when it lands at the wrong sink. The interesting work isn't the CRLF — it's that nobody checked whether cpsrvd wrote sensitive state before the auth boundary.

Affected Versions

Per cPanel's advisory, every version after v11.40 is affected. That's effectively every production cPanel release of the past decade. Patched releases:

cPanel 11.86.0.41 (LTS branch, oldest still-supported)
cPanel 11.110.x, 11.118.x, 11.126.x, 11.134.x stable channels — apply the latest tier release
cPanel 11.136.0.5 (current stable)
WP Squared 136.1.7 (managed WordPress on cPanel)

If your build string is below the floor for your tier, you are vulnerable.

Exploitation Timeline (Verified)

Date	Event	Source
~Feb 23, 2026	Earliest in-the-wild exploitation observed by KnownHost	KnownHost CEO Daniel Pearson
Mar–Apr 2026	Hosting providers (Namecheap and others) flag anomalies; some block inbound 2083/2087 preemptively	BleepingComputer reporting
Apr 28, 2026	cPanel ships patched builds across all supported tiers	cPanel security advisory
Apr 29, 2026	watchTowr publishes technical analysis + Detection Artifact Generator on GitHub	watchTowr Labs
Apr 29, 2026	Rapid7 ETR (Emerging Threat Response) advisory; Hacker News, Help Net Security pickups	Rapid7, public reporting
Apr 30, 2026	Public exploitation acceleration begins as PoC propagates	Telemetry from multiple hosting providers

Net 0-day window: ~65 days. If your server has been internet-exposed and unpatched at any point in March or April, treat it as compromised until proven otherwise.

Detection

Three detection layers are useful, in order of confidence:

1. cPanel's official detection script

cPanel published a script that scans for compromise indicators specific to this exploit. Run it on every host before you trust the patch alone. The script checks for malformed session files, unexpected user=root entries in non-root sessions, and recent session files whose creation timestamps don't align with valid login events.

2. watchTowr Detection Artifact Generator

watchTowr's GitHub repository includes a generator that produces a benign artifact request to verify whether your server's cpsrvd exhibits the vulnerable pre-auth file-write behavior. The artifact is safe to run against your own host; it doesn't establish a privileged session, only confirms the bug class is reachable.

3. Log-based detection (high-fidelity SIEM rule)

If you're running cPanel access logs through a SIEM, a single regex over the Authorization header captures most exploitation attempts:

# Splunk-style query against access_log:
index=cpanel sourcetype=access_log 
  | rex field=_raw "Authorization:\s+Basic\s+(?<authval>\S+)"
  | where match(authval, "%0D|%0A|%0d|%0a|\\r|\\n")
  | stats count by src_ip, host
  | where count > 0

The pattern looks for URL-encoded \r/\n (which is how the CRLF often arrives over HTTP) inside basic-auth headers. Legitimate basic-auth payloads never contain these bytes; any hit is a high-confidence exploitation attempt.

For Falco or eBPF-based runtime detection, watch for cpsrvd writing a session file that is opened, modified, and immediately read during the same TCP connection — that's the pre-auth race that the exploit rides:

- rule: cPanel pre-auth session write
  desc: cpsrvd writes a session file with CRLF byte sequences in the path or content
  condition: >
    spawned_process and proc.name = "cpsrvd" and
    fd.name contains "/var/cpanel/sessions/" and
    (evt.arg.data icontains "%0d%0a" or evt.arg.data contains "\r\n")
  output: "cPanel pre-auth session write with CRLF bytes (proc=%proc.cmdline path=%fd.name)"
  priority: CRITICAL

Mitigation

Apply in this order:

Patch. Run cPanel's update script (/scripts/upcp --force) on every host. Confirm the build string is at or above the floor for your tier (above). Restart cpsrvd after the upgrade — the patch's session-file logic only takes effect on a fresh process.
If you cannot patch immediately, block inbound traffic on the cPanel service ports at the edge: 2083, 2087, 2095, 2096. This eliminates the public attack surface but disables remote management. For a few hours of downtime this is preferable to ongoing exposure.
If you suspect compromise (any unpatched exposure since Feb 23), execute the post-compromise checklist below — a patch alone does not evict an attacker who already has root.

Post-Compromise Checklist

If your host was internet-exposed and unpatched at any point in the 65-day 0-day window, assume compromise and proceed:

Purge all sessions in /var/cpanel/sessions/. Delete the directory contents and restart cpsrvd.
Force-rotate all credentials: cPanel root, all hosted account passwords, all SSH keys, all API tokens, all WHM API keys. Treat any credential issued from this host before patch as burned.
Audit cron jobs across /var/spool/cron/, /etc/cron.d/, /etc/cron.hourly/, and per-account crontabs. Attackers commonly install reverse-shell crons that survive the patch.
Audit hosted website code for newly added PHP files, modified .htaccess, or unexpected entries in WordPress wp-content/uploads/ (a common dropper location).
Audit MySQL users for new privileged accounts. Check for added rows in mysql.user with host='%'.
Check for persistent backdoors: /etc/passwd additions, modified /etc/sudoers, modified SSH authorized_keys files for any user, and out-of-policy systemd units.
Review outbound traffic logs for tunneling to attacker C2 — common destinations are residential ASNs and short-lived VPS providers.
Snapshot before remediation. If the host has any forensic value (dispute, breach notification, regulatory filing), image the disk before purging.

Frequently Asked Questions

Does CVE-2026-41940 require any prior access?

No. The vulnerability is reachable pre-authentication. Any attacker who can connect to a cPanel/WHM port (2083, 2087, 2095, 2096) can exploit it.

Is exploitation logged?

Yes — the exploit traverses standard cPanel access logs. The Authorization header containing %0D%0A or raw \r\n is recorded. SIEM detection is straightforward if logs are centralized. The challenge is that many shared hosts don't ship cPanel logs to a SIEM — onboarding the access log is the highest-leverage detection improvement most operators can make today.

How do I know if my hosting provider has patched?

If you don't run the cPanel host yourself, ask your provider to confirm: (a) the cPanel build string after their April 28+ update, (b) whether cpsrvd was restarted after the patch, and (c) whether session files were purged. Reputable providers should be able to answer all three within minutes.

Are WordPress sites hosted on cPanel impacted?

Indirectly, yes. The vulnerability is in the cPanel control plane, not WordPress itself. But once an attacker has root on the cPanel host, every WordPress site it manages is fully compromised — file system access, database access, and the ability to inject persistence into themes, plugins, or wp-config.php. WP Squared 136.1.7 specifically patches the same flaw for the managed-WordPress variant.

Why was this a 0-day for 65 days before the patch?

Public reporting suggests the bug was discovered by attackers first and used for targeted compromises that produced quiet, hard-to-attribute artifacts (modified session files only). Hosting providers like Namecheap detected anomalies in March and April and applied port-block mitigations before cPanel's coordinated patch was ready. The pressure from those providers reportedly accelerated cPanel's patch timeline.

Key Takeaways

Patch immediately to a build above the floor for your tier; restart cpsrvd.
Treat any pre-April-28 exposure as potential compromise. Sixty-five days is a long 0-day window.
The detection regex against basic-auth headers is high-confidence and easy to deploy in any SIEM.
Shared hosting blast radius is real — one compromised cPanel host is dozens of compromised customer sites.
The bug class (CRLF injection landing in a privileged file write) generalizes. Audit any service that writes user-controlled bytes to a state file before authentication completes.

Sable Offensive Research conducts authorized security assessments against control-plane services like cPanel, Plesk, and bespoke hosting management stacks. Contact us if you operate at hosting-provider scale and want a focused review of pre-auth attack surface.

References

watchTowr Labs technical analysis and Detection Artifact Generator (April 29, 2026)
Rapid7 Emerging Threat Response advisory (April 29, 2026)
cPanel official advisory and patch announcement (April 28, 2026)
BleepingComputer, Help Net Security, The Hacker News reporting (April 29-30, 2026)