CVE-2026-29204 - WHMCS Security Update 05/12/2026
Situation
A security vulnerability (CVE-2026-29204) has been identified in WHMCS 7.4 and later involving insufficient authorization checks within the Client Area. Under specific conditions, an authenticated user could perform actions outside of the scope of their assigned account permissions.
This issue was responsibly disclosed through our security program and is currently being addressed.
Impact
An authenticated WHMCS user could potentially leverage this flaw to perform actions in the context of another user's account, including accessing services that they did not own. Exploitation requires a valid, authenticated session.
Affected versions include:
All WHMCS 9.x builds prior to 9.0.4.
All WHMCS 8.x builds prior to 8.13.3.
All WHMCS 7.x builds after 7.4.0.
A fix is only available for supported WHMCS versions. If you are running WHMCS 7.4 or later, you must upgrade to WHMCS 9.0.4 or WHMCS 8.13.3.
Call to Action
We have released a fix for this in the following WHMCS versions:
WHMCS 9.0.4
WHMCS 8.13.3
Update immediately to the latest WHMCS release now that the patched versions are available.
Monitor the Activity Log for any unexpected Single Sign-On or service access events originating from mismatched user accounts.
If you use WHMCS Cloud, no action is required. We have already updated all WHMCS Cloud-hosted installations.
Temporary Workaround
As a temporary workaround, you can perform the following steps to block affected Client Area functionality at the PHP runtime level:
1. Edit the configuration.php file in the WHMCS root directory.
2. On a new line, before any closing ?> tag, add the following code:
// Temporary workaround for CVE-2026-29204: reject any Client Area request that carries an addonId parameter.
// Remove this block after upgrading to a WHMCS release that contains the fix.
if (isset($_REQUEST['addonId'])) {
    die('This has been disabled.');
}
3. Save the file.
This modification will disable all custom module commands for product addons in the Client Area. Your customers may see the "This has been disabled." message in the Client Area or in the browser network tool, or they may see a generic error message instead.
Make sure to remove this entry from the configuration.php file after you update to a WHMCS release that includes the required fix.
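The following is an added illustration of the class of defect described in the Impact section and blocked by the workaround above; it is not WHMCS code. It shows a Client Area lookup keyed by a request-supplied addon id, first without and then with a check that the record belongs to the authenticated client. The in-memory sample data, the function names, and the table and column names mentioned in the comments are all assumptions made for the example.

```php
<?php
// Added example, not WHMCS code: ownership check on a Client Area record
// lookup that is keyed by a request parameter (addonId).
// The sample data and the names used here are assumptions for illustration.

declare(strict_types=1);

// Constructed sample data standing in for the database: addon id => record.
// 'userid' is the client that owns the addon.
const SAMPLE_ADDONS = [
    101 => ['userid' => 7, 'name' => 'Backup Service'],
    102 => ['userid' => 9, 'name' => 'Dedicated IP'],
];

/**
 * Insufficient authorization: the record is fetched by id alone, so any
 * authenticated session is treated as entitled to any addon id it supplies.
 */
function loadAddonUnchecked(int $addonId): ?array
{
    return SAMPLE_ADDONS[$addonId] ?? null;
}

/**
 * Hardened form: the lookup is scoped to the authenticated client. An id that
 * exists but belongs to a different account resolves to "not found", which is
 * indistinguishable from a nonexistent id and leaks nothing about other users.
 */
function loadAddonForClient(int $addonId, int $authenticatedClientId): ?array
{
    $addon = SAMPLE_ADDONS[$addonId] ?? null;
    if ($addon === null || $addon['userid'] !== $authenticatedClientId) {
        return null; // deny by default; the id alone never grants access
    }
    return $addon;
}

// With a real database the same scoping belongs in the query itself, so that
// retrieval and authorization cannot drift apart (table and column names are
// assumed, not WHMCS's own schema):
//   SELECT * FROM addons WHERE id = :id AND userid = :clientId
// Bind :clientId from the server-side session, never from the request.

// Usage: the session belongs to client 7; the request names addon 102, which
// the sample data assigns to client 9.
$sessionClientId  = 7;
$requestedAddonId = (int) ($_REQUEST['addonId'] ?? 102);

$unchecked = loadAddonUnchecked($requestedAddonId);
$scoped    = loadAddonForClient($requestedAddonId, $sessionClientId);

echo 'unchecked lookup: ' . ($unchecked !== null ? $unchecked['name'] : 'not found') . PHP_EOL;
echo 'scoped lookup:    ' . ($scoped !== null ? $scoped['name'] : 'not found') . PHP_EOL;
```

Run from the command line with `php example.php`, the unchecked lookup returns the other client's addon while the scoped lookup returns "not found". The point of the scoped version is that the client id used for authorization comes from the authenticated session and is combined with the record id in a single lookup, which is the property the advisory's workaround approximates by refusing any request that carries an addonId at all.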