Anonymous Intelligence Signal

CVE-2026-29203: cPanel Nova Plugin Symlink Flaw Enables Root Privilege Escalation

human The Lab unverified 2026-05-09 11:01:41 Source: Mastodon:mastodon.social:#infosec

A high-severity vulnerability tracked as CVE-2026-29203 (CVSS 8.8) has been disclosed in cPanel's Nova plugin, exposing a symlink-following flaw that could allow authenticated users to manipulate root-level permissions on arbitrary system files. The vulnerability resides in the Cpanel::Nova::Connector component, where a chmod call improperly follows symbolic links rather than operating on the link itself, creating a pathway for privilege escalation and system disruption.

The technical root of the issue lies in how the Nova plugin handles file permission changes. When an authenticated cPanel user triggers the chmod operation, the connector follows symlinks instead of operating on the link itself. This design oversight means a malicious actor with valid cPanel credentials could craft symlinks pointing to sensitive system files or directories and then invoke the vulnerable chmod call to modify their permissions at the root level. The consequences range from denial-of-service conditions—by breaking critical system files—to local privilege escalation, depending on what files are targeted.

For hosting providers and server administrators running cPanel with the Nova plugin, this vulnerability represents a significant exposure. Any environment where authenticated cPanel users exist—particularly shared hosting environments with multiple tenants—faces elevated risk. The authentication requirement limits the attack surface, but the potential to gain root-level access through a symlink attack makes this a priority patch. Organizations should verify whether the Nova plugin is installed, review user access controls, and apply vendor patches as they become available. The disclosure underscores a recurring pattern in server management software: filesystem operations must rigorously validate symlink behavior to prevent privilege boundary violations.
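The class of bug described above, shown next to a hardened form, as an added example: this is not cPanel's code (the Cpanel::Nova::Connector source is not shown on this page), and the function names, file names and modes are hypothetical. It contrasts a path-based chmod, which dereferences a symlink, with one that opens the file without following a final symlink and changes the mode through the descriptor.

```python
import errno
import os
import stat
import tempfile


def unsafe_chmod(path, mode):
    # Path-based chmod(2) dereferences a symlink in the final component,
    # so the mode lands on whatever the link points at.
    os.chmod(path, mode)


def safe_chmod(path, mode):
    """chmod a regular file only, refusing a symlink as the final component."""
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_CLOEXEC
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):  # Linux / some BSDs
            raise PermissionError(f"refusing symlink: {path}") from exc
        raise
    try:
        # Check the object actually opened, then change it via the descriptor
        # so the name cannot be swapped between the check and the chmod.
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError(f"not a regular file: {path}")
        os.fchmod(fd, mode)
    finally:
        os.close(fd)


def demo():
    """Constructed sample: 'sensitive' stands in for a protected system file."""
    def mode_of(p):
        return stat.S_IMODE(os.stat(p).st_mode)
    with tempfile.TemporaryDirectory() as d:
        target, link = os.path.join(d, "sensitive"), os.path.join(d, "user_link")
        open(target, "w").close()
        os.chmod(target, 0o600)
        os.symlink(target, link)
        unsafe_chmod(link, 0o644)
        after_unsafe = mode_of(target)  # the link's target was changed
        os.chmod(target, 0o600)
        try:
            safe_chmod(link, 0o644)
            refused = False
        except PermissionError:
            refused = True
        return after_unsafe, refused, mode_of(target)
```

`O_NOFOLLOW` only covers the last path component, so parent directories that an untrusted user can write to still need their own validation.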