Mallory
High

Arbitrary File Read in cPanel cpdavd Attachment Download Endpoints

CVE-2026-29205 is an arbitrary file read vulnerability in cPanel & WHM affecting the cpdavd attachment download endpoints. According to the available information, the issue results from a combination of incorrect privilege management and insufficient path filtering. Because privileges are not correctly dropped and path validation is inadequate, a remote attacker can cause the affected endpoint to read arbitrary files from the server filesystem. The available information further indicates that this can be exploited pre-authentication and that file access may occur with root-level privileges or impact.
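The two root causes named above map to two independent defensive layers in any file-download handler: confining the resolved path to the attachment root, and doing the read with the owning account's privileges rather than root's. The sketch below is an added illustration, not cPanel or cpdavd code; the function names, the attachment-root layout and the `uid`/`gid` parameters are assumptions.

```python
import os
from contextlib import contextmanager
from pathlib import Path


class Rejected(Exception):
    """Request refused before any file content is read."""


def resolve_inside(base, requested):
    """Path filtering: canonicalise, then require the result to stay under base."""
    root = Path(base).resolve(strict=True)
    try:
        # resolve() collapses ".." and follows symlinks; joining an absolute
        # `requested` replaces root entirely, which the check below catches.
        target = (root / requested).resolve(strict=True)
    except (OSError, RuntimeError, ValueError) as exc:
        raise Rejected(f"unresolvable path: {requested!r}") from exc
    if root not in target.parents or not target.is_file():
        raise Rejected(f"outside attachment root: {requested!r}")
    return target


@contextmanager
def drop_to(uid, gid):
    """Privilege management: do file I/O as the owning account, not as root."""
    if os.geteuid() != 0:
        yield  # already unprivileged, nothing to drop
        return
    saved_groups, saved_gid = os.getgroups(), os.getegid()
    os.setgroups([])
    os.setegid(gid)
    os.seteuid(uid)  # last, since the calls above need root
    try:
        yield
    finally:
        os.seteuid(0)
        os.setegid(saved_gid)
        os.setgroups(saved_groups)


def read_attachment(base, requested, uid, gid):
    """Both layers together: a filter bypass still reads only as uid/gid."""
    with drop_to(uid, gid):
        path = resolve_inside(base, requested)
        with open(path, "rb") as fh:
            return fh.read()
```

Either layer alone limits the damage when the other fails, which is why a flaw that combines both yields root-level file disclosure.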

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. For analysts and engineers who need to decide and keep moving.

Impact

What an attacker gets — and what they’ve been doing with it.

Successful exploitation allows unauthorized reading of arbitrary files on the server, resulting in high confidentiality impact. Based on the available information, exploitation is possible remotely over the network without authentication or user interaction. Because the flaw involves incorrect privilege handling in cpdavd, the attacker may obtain access to files readable with elevated privileges, including potentially sensitive system or application data. The CVSS vector also indicates low integrity and availability impact, though the primary consequence described is unauthorized disclosure of server-side files.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure to the vulnerable cpdavd attachment download endpoints by restricting network access to trusted administrative sources, placing the service behind access controls or filtering, and monitoring for suspicious requests targeting attachment download functionality. The available information does not include vendor-specific temporary workarounds, so definitive mitigation guidance beyond limiting exposure and accelerating patch deployment is currently not available.

Remediation

Patch, then assume compromise.

Apply the cPanel & WHM security update referenced in the vendor advisory for CVE-2026-29205, identified in the available information as the WP2 Security Update dated May 13, 2026. Upgrade affected cPanel & WHM installations to a vendor-fixed release that corrects the privilege management and path filtering flaws in the cpdavd attachment download endpoints.

PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor | Product | Type
Cpanel | Cpanel Whm | application

Vendor-confirmed product mapping.
