CVE-2026-55590 in CakePHPinfo

Summary

by MITRE • 07/09/2026

CakePHP Authentication is an authentication plugin for CakePHP that can also be used in PSR-7 based applications. Prior to 2.11.1, 3.3.6, and 4.1.1, the getLoginRedirect() method contains a weakness to backslash bypasses that allows redirect targets with attacker-controlled hostnames through the redirect query string parameter. This issue is fixed in versions 2.11.1, 3.3.6, and 4.1.1.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

The CakePHP Authentication plugin represents a critical security vulnerability affecting multiple versions of the CakePHP framework ecosystem. This weakness specifically resides within the getLoginRedirect() method implementation across versions prior to 2.11.1, 3.3.6, and 4.1.1, creating a dangerous backslash bypass mechanism that can be exploited by malicious actors. The vulnerability manifests when applications process redirect query string parameters containing attacker-controlled hostnames, effectively allowing unauthorized redirection attacks that can lead to phishing or further exploitation attempts.

The technical flaw stems from insufficient input validation and sanitization within the redirect handling logic of the authentication plugin. When the getLoginRedirect() method processes user-supplied redirect URLs through query parameters, it fails to properly validate or sanitize backslash characters in hostname specifications. This allows attackers to craft malicious redirect targets where a backslash character can bypass normal validation checks, enabling redirection to arbitrary domains controlled by the attacker rather than legitimate application endpoints. The vulnerability specifically affects applications that utilize CakePHP's authentication mechanisms and rely on redirect functionality for login flows.

The operational impact of this vulnerability extends beyond simple unauthorized redirects, creating potential security risks that align with CWE-601, which addresses URL redirect vulnerabilities in web applications. Attackers can exploit this weakness to perform open redirect attacks, potentially leading to credential theft through phishing campaigns or directing users to malicious domains that appear legitimate. This issue particularly affects PSR-7 based applications and CakePHP installations where authentication flows involve redirect parameters, making it a significant concern for organizations relying on these frameworks for web application development.

Mitigation strategies should focus on immediate version upgrades to the patched releases 2.11.1, 3.3.6, and 4.1.1, which contain the necessary fixes for the backslash bypass vulnerability. Organizations should also implement additional input validation measures, including strict hostname validation, URL sanitization, and comprehensive redirect parameter filtering. Security teams should conduct thorough code reviews to identify any custom implementations that might be vulnerable, while implementing proper logging and monitoring of redirect operations to detect potential exploitation attempts. The fix addresses this issue through enhanced input sanitization and proper validation of redirect targets, preventing attackers from bypassing hostname checks through backslash manipulation as outlined in relevant ATT&CK techniques for web application exploitation.

Responsible

GitHub M

Reservation

06/17/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!