Bluehost is facing growing frustration from some VPS and dedicated server customers after a critical cPanel and WHM vulnerability triggered access restrictions, prolonged disruption and unresolved support complaints.
The issue is linked to CVE-2026-41940, a serious authentication bypass vulnerability affecting cPanel and WebHost Manager, commonly known as WHM. cPanel issued an emergency security update on 28 April 2026, describing the problem as affecting authentication in cPanel and WHM. Bluehost later confirmed that the vulnerability was being actively exploited and said it had restricted access to certain services on some affected VPS and dedicated servers as part of its containment process.
On its own, that response is understandable. When a vulnerability can allow unauthenticated access to a server control panel, a hosting provider has to move quickly. WHM is not just another login screen. It controls server-level access, hosting accounts, databases, email accounts and website administration. Canada’s cyber agency warned that exploitation of this flaw could allow attackers to access cPanel and WHM administrative interfaces, take control of hosted websites, databases and email accounts, and potentially compromise downstream websites.
The problem is what has happened after the containment.

Bluehost’s own status update says it continued restoring access to affected servers and that access to Server, WHM and cPanel had been temporarily restricted because of the complexity of the vulnerability and the need to secure data. That language may be acceptable for the first few hours of an incident. It becomes much harder to defend when some customers say they have been locked out or offline for several days, in some cases reportedly stretching to 7 to 10 days.
For businesses, this is not a small inconvenience. VPS and dedicated servers are often used for production websites, ecommerce platforms, business email, client portals, databases and internal systems. A long outage can mean lost sales, missed enquiries, broken campaigns, suspended client services and reputational damage.
This is where the story shifts from cybersecurity to business continuity.
Bluehost can argue, fairly, that restricting access was necessary to prevent further exposure. But affected customers can also argue, fairly, that they need more than generic status updates and slow support responses. When a business pays for VPS or dedicated hosting, especially where it runs multiple client sites, it expects a higher level of incident handling than vague support loops.
The bigger lesson is uncomfortable. Many businesses treat hosting as a cheap technical line item until something breaks. Then they realise their entire operation depends on a provider’s patching speed, backup discipline, support escalation and incident communication.
The cPanel vulnerability itself is serious. NIST’s vulnerability database describes CVE-2026-41940 as an authentication bypass issue in the cPanel and WHM login flow that can allow unauthenticated remote attackers to gain unauthorised access to the control panel. Censys described it as a critical pre-authentication bypass with a CVSS score of 9.8, the kind of rating that should force immediate attention from hosting companies, server administrators and businesses running cPanel-based infrastructure.
But the technical fix is only one side of the incident. Customers now need direct answers.
Bluehost should publicly clarify which categories of VPS and dedicated servers remain affected, what services are still restricted, whether any servers were confirmed as compromised, what customers should do about password rotation and backups, and what compensation will apply where downtime has gone beyond reasonable limits.
Affected customers should also act immediately once access is restored. That means checking backups, rotating passwords, reviewing cPanel and WHM users, auditing SSH keys, reviewing email accounts, checking databases, scanning websites for malware and confirming whether any files were changed during the vulnerable period.
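Two of the checks above, auditing SSH keys and finding files changed during the vulnerable period, can be scripted. The sketch below is an added example, not code from Bluehost or cPanel; the function names, the approved-fingerprint set and the window dates are assumptions the administrator supplies.

```python
import base64, hashlib, os, tempfile
from datetime import datetime, timezone

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")  # prefixes of OpenSSH public key types

def key_fingerprint(line):
    """OpenSSH-style SHA256 fingerprint of one authorized_keys line, or None."""
    if line.lstrip().startswith("#"):        # commented-out entries are inactive
        return None
    fields = line.split()
    for i, field in enumerate(fields[:-1]):  # options may precede the key type
        if field.startswith(KEY_TYPES):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                continue
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None

def unknown_keys(root, approved):
    """(path, fingerprint) for every authorized_keys entry not in `approved`."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in set(names) & {"authorized_keys", "authorized_keys2"}:
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as fh:
                fps = [key_fingerprint(line) for line in fh]
            findings += [(path, fp) for fp in fps if fp and fp not in approved]
    return findings

def changed_in_window(root, start, end):
    """Files whose mtime lies in [start, end]. mtime can be reset by an
    intruder, so hits are leads to compare against a known-good backup."""
    lo, hi = start.timestamp(), end.timestamp()
    paths = (os.path.join(d, n) for d, _, names in os.walk(root) for n in names)
    return sorted(p for p in paths if lo <= os.lstat(p).st_mtime <= hi)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed sample tree
        ssh_dir = os.path.join(root, "home", "site1", ".ssh")
        os.makedirs(ssh_dir)
        blob = base64.b64encode(b"constructed-key-blob").decode()
        with open(os.path.join(ssh_dir, "authorized_keys"), "w") as fh:
            fh.write("ssh-ed25519 " + blob + " not-on-approved-list\n")
        start = datetime(2026, 4, 1, tzinfo=timezone.utc)  # assumed window start
        print(unknown_keys(root, approved=set()))
        print(changed_in_window(root, start, datetime.now(timezone.utc)))
```

The fingerprints use the same format `ssh-keygen -lf` prints, so the approved set can be built from keys the team already holds.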
The harsh truth is that this incident should make businesses rethink their hosting posture. A cheap hosting plan is not a continuity plan. A control panel is not a security strategy. And a backup that has never been tested is not a backup.
For African businesses, agencies and publishers using overseas hosting providers, this is a wake-up call. Many local companies depend on global hosting platforms because they are affordable and easy to set up. That convenience is useful, but it also creates exposure. When something goes wrong at provider level, customers are often stuck in global support queues with limited leverage.
Bluehost still has an opportunity to recover trust, but it needs to move beyond technical status updates. Customers need timelines, escalation channels, forensic clarity and service credits where downtime has dragged on.
Security incidents happen. What defines a provider is not whether it ever faces a vulnerability. It is how quickly it contains the risk, how clearly it communicates, and how seriously it treats the businesses left stranded by the fallout.
