๐Ÿ” CVE Alert

CVE-2026-55590

UNKNOWN 0.0

CakePHP: Open redirect weakness via backslash bypass

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

CakePHP Authentication is an authentication plugin for CakePHP that can also be used in PSR-7 based applications. Prior to 2.11.1, 3.3.6, and 4.1.1, the getLoginRedirect() method contains a weakness to backslash bypasses that allows redirect targets with attacker-controlled hostnames through the redirect query string parameter. This issue is fixed in versions 2.11.1, 3.3.6, and 4.1.1.

CWE CWE-601
Vendor cakephp
Product authentication
Published Jul 9, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for cakephp authentication

Be the first to know when new unknown vulnerabilities affecting cakephp authentication are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

cakephp / authentication
< 2.11.1 >= 3.0.0, < 3.3.6 >= 4.0.0, < 4.1.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/cakephp/authentication/security/advisories/GHSA-hhpq-7wg4-36jm github.com: https://github.com/cakephp/authentication/pull/795 github.com: https://github.com/cakephp/authentication/pull/796 github.com: https://github.com/cakephp/authentication/pull/799 github.com: https://github.com/cakephp/authentication/commit/1c1e29c7e8129cfbcae74558316ecd3ea50a8273 github.com: https://github.com/cakephp/authentication/commit/df28ea4e712f1e5bd0e42be4a3c5c750ca50764d github.com: https://github.com/cakephp/authentication/commit/ee24bd48b9c3ef693dc9965de8f0cc8020a7052c github.com: https://github.com/cakephp/authentication/releases/tag/2.11.1 github.com: https://github.com/cakephp/authentication/releases/tag/3.3.6 github.com: https://github.com/cakephp/authentication/releases/tag/4.1.1