Security Advisory: CVE-2026-29204 – Critical WHMCS Authorization Bypass Vulnerability
Severity: Critical
CVSS Score: 9.1–10.0 (Critical)
Affected Software: WHMCS
Affected Versions:
- WHMCS 7.4.0 through 8.12.2
- WHMCS 8.13.x prior to 8.13.3
- WHMCS 9.0.x prior to 9.0.4
Overview
A critical authorization bypass vulnerability identified as CVE-2026-29204 has been disclosed in WHMCS. The issue exists due to insufficient ownership validation in clientarea.php, specifically involving manipulation of the addonId parameter. An authenticated client-area user may exploit this flaw to gain unauthorized access to another customer’s hosting resources and associated cPanel account.
This vulnerability is classified under CWE-639: Authorization Bypass Through User-Controlled Key.
Technical Details
The vulnerability occurs because WHMCS fails to properly verify whether the supplied addonId belongs to the currently authenticated user before processing requests.
An attacker can:
- Modify requests in the client area
- Supply another customer’s addonId
- Bypass ownership validation
- Access or manipulate services associated with another account
- Potentially gain unauthorized cPanel access
The flaw affects environments where addon/service actions are exposed through the WHMCS client area.
Potential Impact
Successful exploitation may allow attackers to:
- Access other customers’ hosting services
- Gain unauthorized cPanel access
- View or modify account data
- Manipulate addon configurations
- Compromise confidentiality and integrity of hosted environments
No widespread active exploitation has been publicly confirmed; however, proof-of-concept discussion and temporary mitigation hooks are already circulating.
Official Patched Versions
WHMCS has released security updates addressing the issue.
Upgrade Immediately To
- WHMCS 8.13.3
- WHMCS 9.0.4
These versions contain the required ownership validation fixes.
Immediate Resolution Steps
- Backup Your WHMCS Installation
  Before upgrading:
  - Backup the WHMCS database
  - Backup all WHMCS files
  - Verify restoration procedures
- Upgrade WHMCS
  Download the latest patched release from WHMCS:
  - Upgrade to 8.13.3 or later
  - Upgrade to 9.0.4 or later
  Ensure all files are fully replaced and caches cleared after upgrade.
- Verify Upgrade Success
  After upgrading:
  - Confirm version in WHMCS Admin Dashboard
  - Verify no old files remain
  - Review activity logs for unusual addon access attempts
- Audit Client Activity
  Review:
  - WHMCS Activity Logs
  - cPanel access logs
  - Authentication records
  - Suspicious addon/service actions
  Look for unusual requests involving unexpected addonId values.
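The audit step above asks for a review of access logs for unexpected addonId values. The following script is an added example, not part of the advisory or of WHMCS, that parses web-server access log lines for clientarea.php requests carrying addonId and flags sources that touch many distinct values or send non-numeric ones. The log lines, the IP addresses, the addon ids and the `action=productdetails` query shape are constructed for the example; the threshold is a heuristic, not a value from the advisory.

```php
<?php
// Added example: triage of access logs for addonId probing (not WHMCS code).
// Sample input is constructed in Apache "combined" format.
$sampleLog = <<<'LOG'
203.0.113.10 - - [12/Mar/2026:10:00:01 +0000] "GET /clientarea.php?action=productdetails&id=41 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2026:10:00:05 +0000] "GET /clientarea.php?action=productdetails&id=41&addonId=77 HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2026:10:01:00 +0000] "GET /clientarea.php?action=productdetails&id=9&addonId=12 HTTP/1.1" 200 4700 "-" "curl/8.4"
198.51.100.7 - - [12/Mar/2026:10:01:01 +0000] "GET /clientarea.php?action=productdetails&id=9&addonId=13 HTTP/1.1" 200 4700 "-" "curl/8.4"
198.51.100.7 - - [12/Mar/2026:10:01:02 +0000] "GET /clientarea.php?action=productdetails&id=9&addonId=14 HTTP/1.1" 200 4700 "-" "curl/8.4"
198.51.100.7 - - [12/Mar/2026:10:01:03 +0000] "GET /clientarea.php?action=productdetails&id=9&addonId=15 HTTP/1.1" 200 4700 "-" "curl/8.4"
192.0.2.55 - - [12/Mar/2026:10:02:00 +0000] "POST /clientarea.php?action=productdetails&id=3&addonId=abc HTTP/1.1" 200 300 "-" "Mozilla/5.0"
LOG;

/** Extract every clientarea.php request that carries an addonId parameter. */
function parseAddonRequests(string $log): array
{
    $events = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // client IP, timestamp, method, request target, status code
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue; // not a combined-format line
        }
        [, $ip, $ts, $method, $target, $status] = $m;
        $path  = parse_url($target, PHP_URL_PATH);
        $query = parse_url($target, PHP_URL_QUERY) ?? '';
        parse_str($query, $params);
        if ($path !== '/clientarea.php' || !isset($params['addonId'])) {
            continue;
        }
        $events[] = [
            'ip' => $ip, 'ts' => $ts, 'method' => $method,
            'addonId' => (string) $params['addonId'], 'status' => (int) $status,
        ];
    }
    return $events;
}

/**
 * Group by source IP and report sources that exceed $maxDistinct different
 * addonId values or that send a non-numeric addonId. Heuristic only.
 */
function findSuspiciousSources(array $events, int $maxDistinct = 2): array
{
    $byIp = [];
    foreach ($events as $e) {
        $byIp[$e['ip']]['ids'][$e['addonId']] = true;
        if (!ctype_digit($e['addonId'])) {
            $byIp[$e['ip']]['malformed'][] = $e['addonId'];
        }
    }
    $findings = [];
    foreach ($byIp as $ip => $info) {
        $reasons  = [];
        $distinct = count($info['ids']);
        if ($distinct > $maxDistinct) {
            $reasons[] = "$distinct distinct addonId values";
        }
        if (!empty($info['malformed'])) {
            $reasons[] = 'non-numeric addonId: ' . implode(',', $info['malformed']);
        }
        if ($reasons) {
            $findings[$ip] = $reasons;
        }
    }
    return $findings;
}

foreach (findSuspiciousSources(parseAddonRequests($sampleLog)) as $ip => $reasons) {
    printf("%-15s %s\n", $ip, implode('; ', $reasons));
}
```

On the constructed input this reports 198.51.100.7 (four distinct addonId values) and 192.0.2.55 (non-numeric addonId), and stays silent for 203.0.113.10. A client that legitimately manages many addons will also cross a fixed threshold, so treat hits as a queue for review against the ownership records in the WHMCS database rather than as confirmed exploitation; the access log alone cannot tell whether a given addonId belonged to the requesting client.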
Temporary Mitigation (If Immediate Upgrade Is Not Possible)
If you cannot immediately patch:
Restrict Addon Access
Temporarily disable or restrict addon/service management functionality from the client area.
Implement Server-Side Validation
Add ownership validation checks ensuring that the record referenced by addonId belongs to the logged-in client, for example:
    // $addon is the addon record looked up by the requested addonId
    if ($addon->userid != $_SESSION['uid']) {
        exit('Unauthorized Access');
    }
This should be applied wherever addonId is processed.
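One way to apply the check above at the request level is a hook file dropped into the WHMCS hooks directory. The file below is an added example; it is not WHMCS code and not one of the mitigation hooks mentioned as circulating. It assumes the ClientAreaPage hook point, the tblhostingaddons table with id and userid columns, the Capsule database facade, the logActivity function, and addonId arriving as a request parameter; none of these are stated in the advisory.

```php
<?php
// Added example: includes/hooks/addon_ownership_check.php (not WHMCS code).
// Assumed, not confirmed by the advisory: the ClientAreaPage hook point, the
// tblhostingaddons table (columns id, userid), Capsule, and logActivity().

use Illuminate\Database\Capsule\Manager as Capsule;

if (!defined('WHMCS')) {
    die('This file cannot be accessed directly');
}

/**
 * True only when addon record $addonId is owned by client $uid.
 * A non-numeric id, a missing record, or another client's record all
 * return false, so the default outcome is to deny.
 */
function addonBelongsToClient($addonId, $uid): bool
{
    // Only a plain positive integer may reach the query.
    if (!ctype_digit((string) $addonId) || (int) $addonId < 1) {
        return false;
    }
    $row = Capsule::table('tblhostingaddons')
        ->select('userid')
        ->where('id', (int) $addonId)
        ->first();
    return $row !== null && (int) $row->userid === (int) $uid;
}

add_hook('ClientAreaPage', 1, function (array $vars) {
    // Requests without addonId are left untouched.
    if (!isset($_REQUEST['addonId'])) {
        return;
    }
    $addonId = $_REQUEST['addonId'];
    $uid = $_SESSION['uid'] ?? null;

    if ($uid === null || !addonBelongsToClient($addonId, $uid)) {
        // Record the rejection in the WHMCS activity log, then stop the request.
        logActivity(sprintf(
            'Rejected addonId "%s" for client %s (addon ownership hook)',
            substr((string) $addonId, 0, 32),
            $uid ?? 'no session'
        ));
        http_response_code(403);
        exit('Unauthorized Access');
    }
});
```

Before relying on this, confirm on your own installation that the hook fires before the requested client-area action is processed, not only before the page is rendered; if it fires too late for a given action, that action is not protected. The logged rejections also double as an indicator for the audit step, since every denied addonId is written to the activity log with the requesting client id. This is a stopgap until the upgrade to 8.13.3 or 9.0.4 is completed.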
Recommended Security Actions
Rotate Sensitive Credentials
If compromise is suspected:
- Reset WHMCS admin passwords
- Reset customer cPanel passwords
- Rotate API tokens
- Rotate reseller credentials
Enable Additional Monitoring
Monitor for:
- Cross-account service access
- Abnormal addon requests
- Unexpected client area activity
- Suspicious API usage
Harden WHMCS Security
Recommended best practices:
- Enforce MFA for admins
- Restrict admin access by IP
- Keep WHMCS continuously updated
- Limit third-party modules
- Enable detailed audit logging
Indicators of Possible Exploitation
Potential signs include:
- Customers reporting unauthorized access
- Unexpected addon/service modifications
- Unrecognized cPanel logins
- Cross-account access behavior
- Suspicious requests containing modified addonId values