CVE-2026-55590 in CakePHP
Summary
by MITRE • 07/09/2026
CakePHP Authentication is an authentication plugin for CakePHP that can also be used in PSR-7 based applications. Prior to 2.11.1, 3.3.6, and 4.1.1, the getLoginRedirect() method contains a weakness to backslash bypasses that allows redirect targets with attacker-controlled hostnames through the redirect query string parameter. This issue is fixed in versions 2.11.1, 3.3.6, and 4.1.1.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/09/2026
The CakePHP Authentication plugin represents a critical security vulnerability affecting multiple versions of the CakePHP framework ecosystem. This weakness specifically resides within the getLoginRedirect() method implementation across versions prior to 2.11.1, 3.3.6, and 4.1.1, creating a dangerous backslash bypass mechanism that can be exploited by malicious actors. The vulnerability manifests when applications process redirect query string parameters containing attacker-controlled hostnames, effectively allowing unauthorized redirection attacks that can lead to phishing or further exploitation attempts.
The technical flaw stems from insufficient input validation and sanitization within the redirect handling logic of the authentication plugin. When the getLoginRedirect() method processes user-supplied redirect URLs through query parameters, it fails to properly validate or sanitize backslash characters in hostname specifications. This allows attackers to craft malicious redirect targets where a backslash character can bypass normal validation checks, enabling redirection to arbitrary domains controlled by the attacker rather than legitimate application endpoints. The vulnerability specifically affects applications that utilize CakePHP's authentication mechanisms and rely on redirect functionality for login flows.
The operational impact of this vulnerability extends beyond simple unauthorized redirects, creating potential security risks that align with CWE-601, which addresses URL redirect vulnerabilities in web applications. Attackers can exploit this weakness to perform open redirect attacks, potentially leading to credential theft through phishing campaigns or directing users to malicious domains that appear legitimate. This issue particularly affects PSR-7 based applications and CakePHP installations where authentication flows involve redirect parameters, making it a significant concern for organizations relying on these frameworks for web application development.
Mitigation strategies should focus on immediate version upgrades to the patched releases 2.11.1, 3.3.6, and 4.1.1, which contain the necessary fixes for the backslash bypass vulnerability. Organizations should also implement additional input validation measures, including strict hostname validation, URL sanitization, and comprehensive redirect parameter filtering. Security teams should conduct thorough code reviews to identify any custom implementations that might be vulnerable, while implementing proper logging and monitoring of redirect operations to detect potential exploitation attempts. The fix addresses this issue through enhanced input sanitization and proper validation of redirect targets, preventing attackers from bypassing hostname checks through backslash manipulation as outlined in relevant ATT&CK techniques for web application exploitation.